08-24-2022 10:54 AM
Team,
Has anyone tried adding MAC addresses for whitelisting using a script or API?
What I really want to do is add a policy which should allow MAC addresses to get authorized to the network, but we cannot add these MAC addresses manually. We are looking at some API or some command to do this. Is this even possible on the ISE?
Regards,
N!!
08-24-2022 11:39 AM - edited 08-24-2022 11:42 AM
@network_geek1979 yes, ISE supports an API. You can create the MAC address endpoint and add this to an Identity Group; you can then use this Identity Group in an Authorisation rule to whitelist the group of MAC addresses.
Here is the API guide, in particular how to create endpoints - https://developer.cisco.com/docs/identity-services-engine/latest/#!endpoint
You can expand on this to import MAC addresses in bulk.
08-24-2022 11:35 AM
MAC address whitelisting/scripts for automation.
Possible in many different ways?
On what device are you trying? What IOS code is it running?
If you have ISE, you can manage the MAC address list.
Again, we need to know more details here.
08-25-2022 12:09 AM
Hi BB, I believe you are asking about Cisco switches. If yes, we run different versions in the network.
Actually, my use case is running a script on the end user machine itself which will reach out to ISE and add a static MAC as a whitelist on the ISE. Eventually, I also want to delete this static MAC address entry though.
Regards!!
N.
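The add-then-delete flow asked about here, built on the ERS endpoint resource Rob linked above, as an added example (not code from this thread or from Cisco). It assumes ERS is enabled on the ISE admin node (TCP 9060) and an account holding the ERS Admin role; the host name, credentials, identity group name "Whitelist" and MAC address are constructed, and the `fake_ise_transport` function is an offline stand-in that answers the way ISE does (200 with a `SearchResult`, 201 with the new id in the `Location` header, 204 on delete) so the script runs without an ISE. The `/endpointgroup?filter=name.EQ.<name>`, `POST /endpoint` and `DELETE /endpoint/{id}` paths follow the ERS guide; check them against your version's documentation.

```python
"""Add and later remove a MAC-address endpoint in Cisco ISE via the ERS REST API.

Added example, not code from the thread or from Cisco. Assumes ERS is enabled on
the admin node (TCP 9060) and an ERS Admin account; all values are constructed.
"""
import base64
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return the
    colon-separated upper-case form ISE displays; reject anything else."""
    digits = re.sub(r"[:\-.\s]", "", raw)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def endpoint_payload(mac: str, group_id: str, description: str = "") -> dict:
    """Body for POST /ers/config/endpoint: a static assignment to an identity group."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac), "description": description,
                            "staticGroupAssignment": True, "groupId": group_id}}


def urllib_transport():
    """Real HTTPS transport: (method, url, headers, body) -> (status, headers, body).
    TLS verification stays on; trust the ISE admin certificate's CA instead of disabling it."""
    ctx = ssl.create_default_context()

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return send


class IseErsClient:
    def __init__(self, host, username, password, transport=None):
        self.base = f"https://{host}:9060/ers/config"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json", "Content-Type": "application/json"}
        self.transport = transport or urllib_transport()

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        status, headers, raw = self.transport(method, self.base + path, self.headers, data)
        if status >= 400:  # ISE returns an ERSResponse JSON error body; surface it
            raise RuntimeError(f"ERS {method} {path}: HTTP {status} {raw[:200]!r}")
        return status, headers, raw

    def group_id_by_name(self, name: str) -> str:
        """Resolve an endpoint identity group name to its id (ERS filter: name.EQ.<value>)."""
        _, _, raw = self._call("GET", "/endpointgroup?filter=name.EQ." + urllib.parse.quote(name))
        resources = json.loads(raw)["SearchResult"]["resources"]
        if not resources:
            raise LookupError(f"no endpoint identity group named {name!r}")
        return resources[0]["id"]

    def add_endpoint(self, mac: str, group_id: str, description: str = "") -> str:
        """Create the endpoint; ISE answers 201 with the new id in the Location header."""
        _, headers, _ = self._call("POST", "/endpoint", endpoint_payload(mac, group_id, description))
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        return location.rstrip("/").rsplit("/", 1)[-1]

    def delete_endpoint(self, endpoint_id: str) -> bool:
        """Remove the static entry again; ISE answers 204 No Content."""
        status, _, _ = self._call("DELETE", f"/endpoint/{endpoint_id}")
        return status == 204


def fake_ise_transport(method, url, headers, body):
    """Constructed offline stand-in answering like ISE for one group and one endpoint."""
    if method == "GET" and "/endpointgroup?filter=name.EQ.Whitelist" in url:
        found = {"SearchResult": {"total": 1, "resources": [{"id": "grp-1", "name": "Whitelist"}]}}
        return 200, {}, json.dumps(found).encode()
    if method == "POST" and url.endswith("/endpoint"):
        assert json.loads(body)["ERSEndPoint"]["groupId"] == "grp-1"
        return 201, {"Location": url + "/ep-42"}, b""
    if method == "DELETE" and url.endswith("/endpoint/ep-42"):
        return 204, {}, b""
    return 404, {}, b'{"ERSResponse": {"messages": [{"title": "Resource not found"}]}}'


if __name__ == "__main__":
    # Swap fake_ise_transport for urllib_transport() to talk to a real admin node.
    client = IseErsClient("ise.example.test", "ersadmin", "constructed-password", fake_ise_transport)
    group = client.group_id_by_name("Whitelist")
    new_id = client.add_endpoint("aabb.ccdd.eeff", group, "added by script")
    print("created endpoint", new_id, "in group", group)
    print("deleted:", client.delete_endpoint(new_id))
```

Keep the returned endpoint id (or look the MAC up again later) so the same script can remove the static entry when the user is done, and run it with a dedicated ERS account rather than a full ISE admin, since anything that can create endpoints in the whitelist group can also bypass the authorisation rule that group drives.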
08-25-2022 01:53 AM
Hi Rob, Yes, this is something I will have to try.
I'll work on some script to add this endpoint to a manually created Identity Group. Let me see how it works.
This helps me.
08-24-2022 11:46 AM
Rob's right. It is easy enough. I did a Postman "Runner" where you input the MAC address and it sets things up for you. Mine was just a proof-of-concept for using ERS to quarantine an endpoint for our SOC (now there is pxGrid for that too). There are lots of ways to use ERS (for fun!). If you plan to static map the Identity Group, be careful if you are using Custom Attributes, as I think I recall one bug scrub for some ISE v2.X version where static mapping groups erased custom attributes (maybe?). Always check your version's known bugs for your patch level. It may well be you're on a newer version where that vague recollection of an issue was solved, or I may have some of that point of concern wrong in my head after all this time.
Regards,
David
08-25-2022 01:54 AM
Thanks David.
08-25-2022 04:45 PM
Another cool approach for small networks is to use the Vanilla ISE python application, which you can run on any box that has Python 3 interpreter, and access to the Admin node and switches. It has a nice graphical display of your switch (or switch stack) and you can just right click on a port to make it NAC Exempt. Easy as that. No MAC address involved. This approach is nice if you know which port you want to make exempt for that user.