MAC address whitelisting/Scripts for automation.

Team,
Has anyone tried adding MAC addresses for whitelisting using any script or API?

What I really want to do is add a policy which should allow MAC addresses to get authorized to the network, but we cannot add these MAC addresses manually. We are looking at some API or some command to do this. Is this even possible on the ISE?

 

Regards,

N!!

 

Accepted Solutions

@network_geek1979 yes, ISE supports an API. You can create the MAC address endpoint and add it to an Identity Group; you can then use this Identity Group in an Authorisation rule to whitelist the group of MAC addresses.

Here is the API guide, in particular how to create endpoints - https://developer.cisco.com/docs/identity-services-engine/latest/#!endpoint

You can expand on this to import MAC addresses in bulk.
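The bulk import described in the accepted solution could look like the sketch below. It is an added example, not code from this thread or from Cisco's documentation. Assumptions: ERS is enabled and reachable on port 9060, the account has the ERS Admin role, the host name and Identity Group UUID are placeholders, and all function names are hypothetical.

```python
import base64, json, os, re, ssl, urllib.request

# Assumed placeholders (not from the thread): ISE admin node and the UUID of
# the manually created Identity Group used in the authorisation rule.
ISE_HOST = os.environ.get("ISE_HOST", "ise.example.net")
GROUP_ID = os.environ.get("ISE_GROUP_ID", "<identity-group-uuid>")

def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF, or raise ValueError for unusable input."""
    digits = re.sub(r"[.:\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:  # group bit set: multicast or broadcast
        raise ValueError(f"multicast/broadcast MAC refused: {raw!r}")
    d = digits.upper()
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))

def build_endpoint(mac, group_id=GROUP_ID):
    """ERS body for POST /ers/config/endpoint with a static group mapping."""
    return {"ERSEndPoint": {"name": mac, "mac": mac, "groupId": group_id,
                            "staticGroupAssignment": True}}

def plan_import(lines, group_id=GROUP_ID):
    """Validate and de-duplicate a MAC list; return (payloads, rejected)."""
    seen, payloads, rejected = set(), [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            mac = normalize_mac(line)
        except ValueError as exc:
            rejected.append(str(exc))  # keep for review, never whitelist
            continue
        if mac not in seen:
            seen.add(mac)
            payloads.append(build_endpoint(mac, group_id))
    return payloads, rejected

def create_endpoint(payload, user, password):
    """Send one endpoint to ISE; TLS certificate verification stays on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{ISE_HOST}:9060/ers/config/endpoint",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        return r.status  # ISE answers 201 when the endpoint is created
```

Run `plan_import` over the list first and review the rejected entries before sending anything; every accepted MAC becomes a network authorisation, so keep the ERS credentials in a secret store on the host that runs the import.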


7 Replies

balaji.bandi
Hall of Fame

Possible in many different ways?

On what device are you trying? What IOS code is it running?

If you have ISE, you can manage the MAC address list.

Again, we need to know more details here.

 

BB

Hi BB, I believe you are asking about Cisco switches. If yes, we run different versions in the network.

Actually, my use case is running a script on the end user machine itself which will reach out to ISE and add a static MAC as a whitelist on the ISE. Eventually, I also want to delete this static MAC address entry though.

 

Regards!!

N.

 

Hi Rob, Yes, this is something I will have to try.  
I'll work on some script to add this endpoint to a manually created Identity Group. Let me see how it works.

This helps me.

davidgfriedman
Level 1

Rob's right. It is easy enough. I did a Postman "Runner" where you input the MAC address and it sets things up for you. Mine was just a proof-of-concept for using ERS to quarantine an endpoint for our SOC (now there is pxGrid for that too). There are lots of ways to use ERS (for fun!). If you plan to static map the Identity Group, be careful if you are using Custom Attributes, as I think I recall one bug scrub for some ISE v2.X version where static mapping groups erased custom attributes (maybe?). Always check your version's known bugs for your patch level. It may well be you're on a newer version where that vague recollection of an issue was solved, or I may have some of that point of concern wrong in my head after all this time.

Regards,
David

Thanks David. 

Arne Bier
VIP

Another cool approach for small networks is to use the Vanilla ISE Python application, which you can run on any box that has a Python 3 interpreter and access to the Admin node and switches. It has a nice graphical display of your switch (or switch stack) and you can just right-click on a port to make it NAC Exempt. Easy as that. No MAC address involved. This approach is nice if you know which port you want to make exempt for that user.

 

GitHub - obrigg/Vanilla-ISE: Vanilla ISE is a lightweight, simplified UI for operating Cisco's Identity Services Engine (Cisco ISE)

 
