Only allowing authorized machines on ISE

Hi,

We are implementing an ISE solution, and one of the customer requirements is to create an internal endpoint identity group and ONLY allow the MAC addresses listed in that group to authenticate via 802.1X.

I see that in the authorization policy section, in the identity group conditions, I can only create a rule that applies an OR operator, for example "dot1xusers OR authorizedmachines", but I can't create the AND condition to enforce the customer requirement.

Is there a way to accomplish this, or how can I implement this customer requirement?

Many thanks,

Julio

Accepted Solution
Richard Atkin
Enthusiast

In your ISE:

Create an Endpoint Identity Group and put your device MAC addresses in it.

In your Authentication Profiles, enable 802.1X.

In your Authorisation Profiles, create a rule whereby "Device Group = YourAuthzPCs AND AD Group Membership = Domain Computer".

That should see you good, although I'd question the motives for your requirement. MAC address lists are both boring / difficult to administer and easily spoofed. You would be better off using another AD Security Group in most circumstances, I'd have thought.


Thank you RikJonAtk,

You are right, that is how it worked. However, the customer doesn't have an Active Directory yet (it's a new network), so we must use internal users. In my lab the auth profile used to accomplish the goal was like the one shown in the attachment.

DispositivosPermitidos is an endpoint identity group where the allowed device MAC addresses are listed. The trick was the string "User Identity Groups:Employee" instead of "Employee" in the auth profile.
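As an added example (not from this thread or from Cisco), a small Python loader for the MAC list that Richard calls boring to administer: it normalizes the addresses into the uppercase, colon-separated form ISE stores, resolves the endpoint identity group (DispositivosPermitidos here) by name, and creates each endpoint statically assigned to that group through the ISE ERS API. The ERS paths and JSON field names are my reading of the ERS documentation and should be checked against your ISE version; the hostname, the ERS-enabled admin credentials and the CSV contents are assumptions.

```python
import base64, csv, io, json, re, urllib.request
# Constructed sample input (mixed notations on purpose): the MAC list kept outside ISE.
SAMPLE_CSV = """mac,description
00-11-22-aa-bb-cc,Reception PC
0011.22aa.bbdd,Warehouse scanner
"""

def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF (the form ISE stores); reject anything not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_list(text):
    # Normalize every row up front so one typo aborts the run before anything is created.
    return [{"mac": normalize_mac(r["mac"]), "description": r["description"].strip()}
            for r in csv.DictReader(io.StringIO(text))]

def group_id_from_search(search_result, group_name):
    """Pick the group id out of an ERS SearchResult; None if the group does not exist."""
    resources = search_result.get("SearchResult", {}).get("resources", [])
    return next((r["id"] for r in resources if r.get("name") == group_name), None)

def endpoint_payload(mac, group_id, description=""):
    """ERS body for an endpoint statically pinned to the group, so profiling cannot move it."""
    m = normalize_mac(mac)
    return {"ERSEndPoint": {"name": m, "mac": m, "description": description,
                            "groupId": group_id, "staticGroupAssignment": True}}

def ers_call(base_url, user, password, method, path, body=None):
    """Minimal ERS client (https://<ise>:9060, basic auth, JSON); only runs when called."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, method=method,
                                 data=json.dumps(body).encode() if body else None,
                                 headers={"Authorization": "Basic " + token,
                                          "Accept": "application/json",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # default context verifies the ISE certificate
        return json.loads(resp.read() or b"{}")  # a successful POST is 201 with an empty body

def load_group(base_url, user, password, group_name, csv_text):
    search = ers_call(base_url, user, password, "GET",
                      f"/ers/config/endpointgroup?filter=name.EQ.{group_name}")
    gid = group_id_from_search(search, group_name)
    if gid is None:
        raise SystemExit(f"endpoint identity group {group_name!r} not found in ISE")
    for row in parse_mac_list(csv_text):
        ers_call(base_url, user, password, "POST", "/ers/config/endpoint",
                 endpoint_payload(row["mac"], gid, row["description"]))
```

Run it as `load_group("https://ise.example.local:9060", "ersadmin", "secret", "DispositivosPermitidos", SAMPLE_CSV)` (all placeholders); keeping the CSV in version control gives you the change history that an AD group would otherwise provide.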
