Managing Mac Addresses

anthony
Level 1

We are looking at the different options for storing MAC addresses for MAB. We wanted to use additional fields that are not in ISE, such as owner, owner email, group contact, expiry, etc.

We've discussed a few different options: Active Directory (using device class with ADSIEdit or scripts), extending the AD device schema with the fields we were after, FreeRADIUS, a custom web app which then populates AD, RADIUS, or ISE, custom endpoint attributes, MyDevices. Each of these has its own limitations.

How are other enterprise customers managing their mac addresses for MAB? Has anyone extended the solution with additional fields or lifecycle management?

Accepted Solution

First decide if you want to manage MAC addresses in ISE or in an external ID store. Realize that MAB can be performed against the InternalEndpoints database or an external ID store like AD, LDAP, or ODBC. Management of MAC addresses in an external ID store is beyond the scope of this forum. Management of MAC addresses in the ISE database is accomplished through Profiling (dynamic discovery and attribute population), or import via file, LDAP, or API.

The ERS API does allow multiple attributes to be updated and was greatly expanded in ISE 2.1 to include attributes beyond profile and ID group as well as custom attributes. You can define and populate these custom attributes and then leverage the API to update them programmatically. Conditions can then be matched in Authorization Policy using these custom attributes.

And yes, you can use a group filter with the ERS API. Example:

https://ise-pan1.cts.local:9060/ers/config/endpoint?filter=groupId.EQ.30148b30-e96c-11e4-a30a-005056bf01c9

/Craig

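As an added illustration of the ERS workflow Craig describes (not code from this thread or from Cisco): list the endpoints of one identity group with the groupId filter, build the PUT body that sets custom attributes such as owner and expiry, and flag endpoints whose expiry has passed so an external script can handle lifecycle. The JSON shapes (SearchResult/resources, the nested customAttributes object), the page/size paging parameters and the PUT path are assumptions about the ERS API; sample responses are constructed.

```python
import base64
import json
import ssl
import urllib.request
from datetime import date

ISE_PAN = "https://ise-pan1.cts.local:9060"           # PAN host and ERS port from the post
GROUP_ID = "30148b30-e96c-11e4-a30a-005056bf01c9"     # endpoint group id from the post

def endpoint_list_url(base, group_id, page=1, size=100):
    """Endpoint search filtered by identity group (page/size are assumed ERS paging parameters)."""
    return f"{base}/ers/config/endpoint?filter=groupId.EQ.{group_id}&page={page}&size={size}"

def parse_search_result(body):
    """Return [(id, mac)] from a SearchResult page plus the next-page href (None on the last page)."""
    result = json.loads(body)["SearchResult"]
    found = [(r["id"], r["name"]) for r in result.get("resources", [])]
    return found, result.get("nextPage", {}).get("href")

def build_attribute_update(mac, attrs):
    """PUT body for /ers/config/endpoint/{id} (assumed shape); attributes must already be defined in ISE."""
    return {"ERSEndPoint": {"mac": mac, "customAttributes": {"customAttributes": dict(attrs)}}}

def expired_endpoints(endpoints, today_iso):
    """Lifecycle check: MACs whose 'expiry' custom attribute (YYYY-MM-DD) is on or before today."""
    today = date.fromisoformat(today_iso)
    out = []
    for ep in endpoints:
        attrs = ep["ERSEndPoint"].get("customAttributes", {}).get("customAttributes", {})
        exp = attrs.get("expiry")
        if exp and date.fromisoformat(exp) <= today:
            out.append(ep["ERSEndPoint"]["mac"])
    return out

def ers_request(url, user, password, method="GET", body=None):
    """Authenticated ERS call. TLS verification stays on: the ERS admin account can rewrite MAB data."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode() if body else None,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, resp.read().decode()

# Constructed samples (not captured from a real ISE) so the helpers can be exercised offline.
SAMPLE_SEARCH = json.dumps({"SearchResult": {"total": 2, "resources": [
    {"id": "ep-1", "name": "00:11:22:33:44:55"}, {"id": "ep-2", "name": "00:11:22:33:44:66"}]}})
SAMPLE_ENDPOINTS = [
    build_attribute_update("00:11:22:33:44:55", {"owner": "alice", "expiry": "2016-06-30"}),
    build_attribute_update("00:11:22:33:44:66", {"owner": "bob", "expiry": "2017-01-15"})]
```

Against a live PAN, page through `ers_request(endpoint_list_url(...), user, password)` with `parse_search_result` until the next-page href is None, then PUT `build_attribute_update(...)` per endpoint id.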
5 Replies

Jason Kunst
Cisco Employee

Have you checked into 2.1? I saw tiabbott doing a demo the other day adding endpoint attributes under the new monitor endpoints screen.

Endpoint attributes are on our list to consider. That would still require an external app/script to provide any lifecycle functionality. Current concerns with endpoint attributes are:

1 - We have TAC case open because they don't work on our installs of 2.1.  License issue?

2 - The ISE API currently doesn't support an endpoint group filter when extracting endpoints; it is in the bug toolkit as a future enhancement. Not really a concern, just more processing of the data returned from the API.

Would ISE customers often resort to external applications/shims which populate the ISE database via APIs?

Please work through TAC; this may require Plus licensing. tiabbott may be able to provide more input.

Yes, customers use the API for external access to the list.

Maybe I need to rephrase the question and possibly make this a discussion.

Does anyone have first-hand knowledge of managing thousands of MAC addresses that are used for MAB? How was it implemented for scale, lifecycle management, and administrative access?
