Only allowing authorized machines on ISE

Hi,

We are implementing an ISE solution, and one of the customer requirements is to create an internal endpoint identity group and ONLY allow the MAC addresses listed in that group to authenticate via 802.1X.

I see that in the authorization policy section, in the identity group conditions, I can only create a rule that applies an OR operator, for example "dot1xusers OR authorizedmachines", but I can't create the AND condition to enforce the customer requirement.

Is there a way to accomplish this, or how can I implement this customer requirement?

Many thanks,

Julio

Accepted Solution

Richard Atkin (Level 4)

In your ISE:

Create an Endpoint Identity Group and put your device MAC Addresses in

In your Authentication Profiles, enable 802.1x

In your Authorisation Profiles, create a rule whereby "Device Group = YourAuthzPCs AND AD Group Membership = Domain Computer"

That should see you good, although I'd question the motives for your requirement. MAC Address lists are both boring / difficult to administer, and easily spoofed. You would be better off using another AD Security Group in most circumstances I'd have thought.

Replies

Julio (original poster)

Thank you RikJonAtk,

You are right, that is how it worked. However, the customer doesn't have an Active Directory yet (it's a new network), so we must use internal users. In my lab, the authorization profile used to accomplish the goal was like the one shown in the attachment.

DispositivosPermitidos is an endpoint identity group where the allowed device MAC addresses are listed. The trick was the string "User Identity Groups:Employee" instead of "Employee" in the authorization profile.
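The rule that the accepted answer and the reply above describe ("endpoint is in DispositivosPermitidos AND the 802.1X user is in User Identity Groups:Employee") can be modelled offline to see why the AND form is needed and what the OR form the poster could build at first would let through. The following is an added example, not code from the original thread or from Cisco ISE: it is a simulation of the rule logic on constructed data (the usernames, MAC addresses and the second group "User Identity Groups:Guest" are made up), and it mirrors the thread's description of the rule rather than ISE's internal evaluation engine.

```python
"""Added example (not from the original thread or from ISE): a small model of
the authorization rule the thread converges on, evaluated on constructed
RADIUS requests so the AND/OR difference is visible. Usernames, MACs and the
"Guest" group below are made up for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ISE refers to identity groups by their full hierarchical name; the reply in
# the thread notes the condition had to use "User Identity Groups:Employee",
# not the bare "Employee", so conditions here compare full names exactly.
ENDPOINT_GROUP = "Endpoint Identity Groups:DispositivosPermitidos"
USER_GROUP = "User Identity Groups:Employee"


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to AA:BB:CC:DD:EE:FF, the form ISE shows in the
    endpoint list. Accepts colon, hyphen, Cisco dotted and bare hex forms;
    RADIUS Calling-Station-Id formatting varies by switch, so normalise
    before comparing against the endpoint group."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Request:
    """What the policy sees from one RADIUS Access-Request (constructed)."""
    username: Optional[str]   # identity proven by 802.1X; None for MAB
    calling_station_id: str   # MAC as sent by the switch
    method: str               # "dot1x" or "mab"


@dataclass
class Policy:
    endpoint_group: set   # normalised MACs in DispositivosPermitidos
    user_groups: dict     # internal username -> set of full group names

    def _conditions(self, req: Request):
        try:
            mac = normalize_mac(req.calling_station_id)
        except ValueError:
            return False, False   # malformed Calling-Station-Id matches nothing
        in_endpoint_group = mac in self.endpoint_group
        # Only an 802.1X-authenticated identity carries a user group; a MAB
        # request has no user, so this condition is false for it.
        in_user_group = (
            req.method == "dot1x"
            and USER_GROUP in self.user_groups.get(req.username, set())
        )
        return in_endpoint_group, in_user_group

    def authorize_and(self, req: Request) -> str:
        """The rule the thread ends up with: both groups must match."""
        ep, usr = self._conditions(req)
        return "PermitAccess" if (ep and usr) else "DenyAccess"

    def authorize_or(self, req: Request) -> str:
        """The rule the poster could build at first: either group matches.
        Included to make its weakness visible, not as a recommendation."""
        ep, usr = self._conditions(req)
        return "PermitAccess" if (ep or usr) else "DenyAccess"


def build_policy() -> Policy:
    """Constructed lab data standing in for the ISE configuration."""
    allowed = {normalize_mac(m) for m in ("0011.2233.4455", "00-11-22-33-44-66")}
    users = {
        "jperez": {USER_GROUP},
        "contractor": {"User Identity Groups:Guest"},
    }
    return Policy(endpoint_group=allowed, user_groups=users)


def demo() -> dict:
    """Evaluate representative requests under both rule forms.
    Returns {case name: (AND result, OR result)}."""
    p = build_policy()
    cases = {
        "listed PC, employee creds": Request("jperez", "00:11:22:33:44:55", "dot1x"),
        "unlisted PC, employee creds": Request("jperez", "AA:BB:CC:DD:EE:FF", "dot1x"),
        "listed MAC, contractor creds": Request("contractor", "00:11:22:33:44:66", "dot1x"),
        "spoofed listed MAC, MAB only": Request(None, "0011.2233.4455", "mab"),
    }
    return {name: (p.authorize_and(r), p.authorize_or(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (and_result, or_result) in demo().items():
        print(f"{name:32} AND={and_result:12} OR={or_result}")
```

Under the OR rule every one of the four constructed requests is permitted, including a MAB request from a MAC copied off an authorised PC; under the AND rule only the listed PC with valid employee credentials gets through. Note what the AND rule still does not stop, which is the caveat in the accepted answer: a user who holds valid Employee credentials and sets a listed MAC on an unmanaged laptop satisfies both conditions, so the MAC list adds an administrative hurdle rather than a strong device identity. Where certificate-based EAP-TLS with machine certificates is possible later, it gives a device identity that is not spoofable by copying a MAC.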
