cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
932
Views
1
Helpful
4
Replies

MyDevicePortal with device type customization

rovargas
Cisco Employee
Cisco Employee

A customer with many factories wants to delegate the MAC address lifecycle to each factory administrator.

They do not want this factory administrators to be ISE admins, but they want to allow them to add/remove MAC addresses whenever they come with a new factory device (non-802.1x obviously).

They planned to use ISE mydeviceportal so that each factory administrator can login and add their new MAC addresses when needed. They want to give them the flexibility of adding different device types, so that each device type have different network access.

As far as we have seen, mydeviceportal statically assigns all devices to an identitygroup (RegisteredDevice by default), so we though on using the "Device name" or "Device description" field in the authorization profile. Unfortunatelly both fields are not available.

Any suggestion on how to solve this scenario?

We though on using API, but we want to check if there is any way using an ISE portal...

Thanks

1 Accepted Solution

Accepted Solutions

Please reach out to our product managers through sales channels to request an IOT type of management portal that would address this

View solution in original post

4 Replies 4

paul
Level 10
Level 10

Why not create a custom role in ISE that grants them access to only the Context Visibility->Endpoints screen and gives them read/write access to the Endpoint Identity Groups you want to manage.  Then you train them how to edit MAC addresses on the Context Visibility screen.

The role based administration in ISE is highly flexible.

rovargas
Cisco Employee
Cisco Employee

Thanks for the suggestion.

Yes, ISE is very flexible in RBAC terms, but we wanted to simplify the user experience as much as possible and mydeviceportal seems the best way...

You are correct that each of mydevices portal assigns endpoints to only one endpoint identity group and other attributes are not exposed for authorization policy evaluations. One way around it is to use multiple portals and each uses a different id group.

Screen Shot 2017-09-16 at 05.10.42.png

Please reach out to our product managers through sales channels to request an IOT type of management portal that would address this