RBAC for adding MAC address

Scott Fella (Hall of Fame)

I want to try to give a group access to add/remove MAC addresses that will be used for a new whitelist. We already have endpoints because we use another whitelist for another group. Is there a way to have each team not be able to delete MAC addresses created by one group but still manage their own endpoints?

Thanks,

-Scott
*** Please rate helpful posts ***
14 Replies

Damien Miller (VIP Alumni)
This is not possible with ISE today. It would have to go in as a feature request for improved granularity of admin RBAC, or enhancements to the My Devices portal.

The My Devices portal gets close to what you need, in that it allows you to add a MAC directly to a predefined identity group. The issue there is that you manage your own endpoints, and you can only map an ID sequence to the portal for authentication. It essentially just checks that you are part of AD if that is what you map, and doesn't care about groups, just that you have a valid username and password; it lacks RBAC.

The APIs to add/manage endpoints are exposed; a developer could build a custom system to do this.

"The API's to add/manage endpoints are exposed, a developer could build a custom system to do this." <-- this is what we're doing (with little dev experience).

Check out some of the well-documented Python frameworks like Flask or Django, and you can quickly get a basic web app with a basic form that accepts a MAC address as input and makes a call to ISE to add it to the appropriate identity group upon submit.

The basic calls you'll need to achieve this:

GET  https://<ise-hostname>:9060/ers/config/endpoint?filter=mac.EQ.<mac-address>
PUT  https://<ise-hostname>:9060/ers/config/endpoint/<endpoint-id>
POST https://<ise-hostname>:9060/ers/config/endpoint

The Python requests module and PowerShell Invoke-WebRequest both work just fine for this type of thing.
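The helper below is an added example, not code from the thread or from Cisco. It wraps the three ERS endpoint calls quoted above (plus DELETE on the same resource) and, on top of them, enforces the ownership rule the original question asks for: a team's form may only create endpoints, claim endpoints that have no static group, or delete endpoints that are statically assigned to that team's own identity group. It also normalizes the MAC before it reaches ISE, so the same address typed as `00-11-22-33-44-55` or `0011.2233.4455` cannot slip past the lookup. The hostname, group IDs, and the `FakeErs` in-memory store are placeholders so the example runs offline; the JSON shapes (`ERSEndPoint`, `SearchResult`) and the need for a second GET to read `groupId` are my reading of the ERS API and should be checked against your ISE version. The ERS credential belongs to the app, not to the end users; the app still has to authenticate its users and map them to a single `group_id` itself.

```python
"""Added example: ISE ERS endpoint helper that refuses to touch another
group's MAC entries. Not code from the thread; ERS JSON shapes are assumed."""
import re

# Allowed characters: hex digits and the common MAC separators. Anything else
# (spaces, quotes, URL metacharacters) is rejected rather than stripped.
_MAC_CHARS = re.compile(r"[0-9A-Fa-f:.\-]+")


def normalize_mac(raw: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF (the form ISE stores) or raise."""
    raw = raw.strip()
    if not _MAC_CHARS.fullmatch(raw):
        raise ValueError(f"invalid characters in MAC: {raw!r}")
    digits = re.sub(r"[:.\-]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"MAC must be 12 hex digits: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def _endpoint_body(mac, group_id, description):
    # Assumed ERS resource shape for an endpoint pinned to an identity group.
    return {"ERSEndPoint": {"mac": mac, "description": description,
                            "staticGroupAssignment": True, "groupId": group_id}}


class IseErs:
    """Thin client over the ERS calls from the post. `session` is a
    requests.Session whose .auth, .verify and Accept/Content-Type headers
    (application/json) the caller has already set."""

    def __init__(self, host, session):
        self.base = f"https://{host}:9060/ers/config/endpoint"
        self.s = session

    def find(self, mac):
        r = self.s.get(self.base, params={"filter": f"mac.EQ.{mac}"})
        r.raise_for_status()
        hits = r.json()["SearchResult"]["resources"]
        if not hits:
            return None
        r = self.s.get(f"{self.base}/{hits[0]['id']}")  # search hits omit groupId
        r.raise_for_status()
        return r.json()["ERSEndPoint"]

    def create(self, mac, group_id, description=""):
        self.s.post(self.base, json=_endpoint_body(mac, group_id, description)).raise_for_status()

    def update(self, ep_id, mac, group_id, description=""):
        self.s.put(f"{self.base}/{ep_id}", json=_endpoint_body(mac, group_id, description)).raise_for_status()

    def delete(self, ep_id):
        self.s.delete(f"{self.base}/{ep_id}").raise_for_status()


def add_to_group(api, raw_mac, group_id, description=""):
    """Create or claim the endpoint for group_id; never move another group's."""
    mac = normalize_mac(raw_mac)
    ep = api.find(mac)
    if ep is None:
        api.create(mac, group_id, description)
        return "created"
    owner = ep.get("groupId") if ep.get("staticGroupAssignment") else None
    if owner == group_id:
        return "unchanged"
    if owner:
        return "refused"  # statically owned by another team's group
    api.update(ep["id"], mac, group_id, description)  # no static owner: claim it
    return "updated"


def remove_from_group(api, raw_mac, group_id):
    """Delete only if the endpoint is statically assigned to group_id."""
    mac = normalize_mac(raw_mac)
    ep = api.find(mac)
    if ep is None:
        return "missing"
    if not (ep.get("staticGroupAssignment") and ep.get("groupId") == group_id):
        return "refused"
    api.delete(ep["id"])
    return "deleted"


class FakeErs:
    """Constructed in-memory stand-in for IseErs so the example runs offline."""

    def __init__(self):
        self.db = {}

    def find(self, mac):
        return self.db.get(mac)

    def create(self, mac, group_id, description=""):
        self.db[mac] = {"id": f"id-{len(self.db) + 1}", "mac": mac,
                        "staticGroupAssignment": True, "groupId": group_id}

    def update(self, ep_id, mac, group_id, description=""):
        self.db[mac].update({"staticGroupAssignment": True, "groupId": group_id})

    def delete(self, ep_id):
        self.db = {m: e for m, e in self.db.items() if e["id"] != ep_id}


def demo():
    """Two teams, one MAC: team B can neither take over nor delete team A's entry."""
    api = FakeErs()
    team_a, team_b = "group-uuid-a", "group-uuid-b"  # placeholder identity group IDs
    return [
        add_to_group(api, "00-11-22-33-44-55", team_a),      # created
        add_to_group(api, "0011.2233.4455", team_a),          # unchanged (same MAC, other notation)
        remove_from_group(api, "00:11:22:33:44:55", team_b),  # refused
        add_to_group(api, "00:11:22:33:44:55", team_b),       # refused
        remove_from_group(api, "00:11:22:33:44:55", team_a),  # deleted
    ]


if __name__ == "__main__":
    print(demo())
```

Against a real deployment, replace `FakeErs()` with `IseErs("<ise-hostname>", session)` where `session` is a `requests.Session` carrying the ERS admin account's basic-auth credentials and a CA bundle for the ISE certificate; the ownership checks above are what keeps one team's web form from deleting the other team's whitelist entries, which is exactly what the admin RBAC screens could not guarantee in this thread.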

Thanks for the info. I wanted to confirm whether it's possible or not. We do use the API for the other group, so I will work with the team to try to set up another portal for this new group.
-Scott
*** Please rate helpful posts ***

Just a point of clarification on the MyDevices portal. You can use the RADIUS callback trick to inject AD authorization on the MyDevices portal. We use it on every install to create an ISE Temp Bypass portal used by help desk, desktop team and other teams in IT to allow a temporary bypass condition to troubleshoot or potentially reimage machines.

The issue with the callback trick is it really can only be used once, because there is no way to tell in the RADIUS callback which portal is being referenced. Although, depending on the number of PSNs you have, you could set up multiple MyDevices portals with different FQDNs that map to different PSNs and then use the PSN IP as part of the RADIUS callback authorization policy.

ise-bypass.mycompany.com maps to PSN1

ise-clinical.mycompany.com maps to PSN2

Then in your RADIUS callback you can say: if the RADIUS NAD IP is PSN1, here are the AD groups that can access the ISE bypass portal. If the RADIUS NAD IP is PSN2, here is the list of AD groups that can access the ISE clinical portal. Both portals are MyDevices portals tied to one endpoint identity group.

Ideally, Cisco would add authorization to the MyDevices portal, but that has long been a deficiency in ISE.

paul (Level 10)

Also, you definitely can use RBAC controls in ISE to lock down a particular AD group to one identity group. I use it all the time. The users would log into the ISE Admin GUI but be limited in the screens they can see. When they go to the Context Visibility screen they would only see the MAC addresses that belong to the identity group you allow them to see. When they add a MAC address into the system they would only be allowed to statically set it to the identity group you allow them to manage.

 

Here is a screenshot of the data access RBAC to do just that:

[screenshot: Capture.JPG (data access)]

Here is the menu access required:

[screenshot: Capture.JPG (menu access)]

Paul,
I will look at that. I started defining the menu access and data access, but it seems that when they add/delete MAC addresses, they would also be able to accidentally delete a MAC address added by another group. That was my worry.
-Scott
*** Please rate helpful posts ***

You can't delete MAC addresses you can't see. In the Context Visibility screen they will only see the MAC addresses for the identity groups you give them access to. Also, if they try to overwrite an existing MAC address with a new static assignment, it will get denied.

Just tried that out and here is the issue I run into. I can add a MAC address and it will add it to the correct endpoint group. However, I can't remove the endpoint, which the users will need to have the ability to do. If I review Context Visibility I do not see the MAC address that was entered. I can only see this if I set the endpoint identity group "Unknown" to read-only. The weird thing is that I'm able to delete other MAC addresses when it is supposed to be read-only. Maybe a bug? Running 2.2.0.470 patch 9.

Edit: Forgot to add... if they add a new MAC address, that MAC address doesn't show up in Context Visibility. If I add "Unknown" as read-only, they don't see that MAC address at all. Doesn't seem right to me.

-Scott
*** Please rate helpful posts ***

You should be doing all your work in Context Visibility. I just tested again. I can add and delete MACs without a problem, and I can only see the MACs in the endpoint identity group I give access to. Make sure you set up the menu and data access just like I showed. The one problem you have is if the MAC address is already in the system: they will not be able to update it or do anything with it. If the MAC address is not in the system they can add and delete all day.


Something must be wrong then... I had the same menu and data access you had:

[screenshots: menu.png, data.png]

[screenshots: add_endpoint.png, after_add.png (MAC is not visible after adding), identity_group.png (unable to delete the created MAC), removing_endpoint.png, still_there.png]

-Scott
*** Please rate helpful posts ***

Scott,

As I said, you should be doing all your work in Context Visibility. You really should never be adding MAC addresses on the Endpoint Identity Group screen. It is a pain to add them there and you can't add descriptions. Try it on the Context Visibility -> Endpoints screen.

Yeah... I will open a TAC case just to check on this. What version are you running?
-Scott
*** Please rate helpful posts ***

2.4 patch 6

I will open a TAC case later today and update this thread.
-Scott
*** Please rate helpful posts ***