Recommendation of USB Network adapter without MAC Address Passthrough

AigarsK (Level 1)

Hi All,

As per title, can someone recommend USB A and USB C network adapters that for sure do not support MAC Address Passthrough.

Use case is for MAB authentication to work with predefined set of MAC addresses of USB network adapters for Computer build using SCCM and PXE Boot.

Laptops we have in our org are HP and they appear to have MAC Address Passthrough enabled by default (at least the newer models do). This causes issues where USB Network Adapters also support it and thus require me to manually add the MAC address to temporarily allow the build to take place before devices are onboarded on the network using 802.1x with cert. EUC guys are not too keen to disable this just for the build, so they are asking me for the ports that have no NAC enabled, but I do not want this option to be used.

I just want to buy a known model of these Adapters and be done with this issue.


6 Replies

Do you have ISE in your environment? If so, I think you can provision a dedicated guest portal for those users allowing them to register themselves as guests, placing their MAC addresses automatically into a specific endpoint identity group, and then creating an authorization rule that would allow them access to your network.

This will be a never ending road. Why are you relying on MAC addresses? Why not do 802.1X?

AigarsK (Level 1)

Should have provided more detail, we do have ISE already and 802.1x and MAB policies are in place for all things we have connected to the network.

The internal team who builds laptops receives them from the manufacturer and needs to apply the company OS build on them; we have SCCM with PXE boot for this use. This means that the computer needs to authenticate to the network to get an IP address, and as this takes place before the OS is deployed, MAB is sort of the only means of getting it done.

This has worked and does work, but we have an inconsistent experience with MAC Address Passthrough: laptops which have it enabled and a USB network adapter which supports it would need the System aka Laptop MAB added to the Identity Group in ISE to allow it on the network for PXE boot to work.

If I have missed some technological advances on how to facilitate computer builds in open-floor office space, please share.

I think you can either create specific authentication and authorization policies on ISE to allow those laptops to be redirected to a "guest" portal, register themselves, and then allow them access to the network. Alternatively, you can rely on ISE Low-Impact mode where you create an ACL and you apply it to those ports. That ACL can allow DHCP, DNS, and any other destination that you believe should be allowed for the build. Please check the "Pre-Authentication and Post-Authentication Access Control with Low Impact" section in this link for more details:

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-1594628171
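As an added illustration, not configuration from the thread or from Cisco's deployment guide, this is what a Low-Impact mode port of the kind the reply describes looks like on a Cisco IOS/IOS-XE access switch using the classic `authentication` command syntax. The pre-authentication ACL is applied inbound on the port and lets an unauthenticated PXE client reach only what the build needs; once MAB or 802.1X succeeds, the dACL that ISE returns takes over. The ACL name, interface, VLAN number and the 10.0.0.20 address standing in for the SCCM PXE/distribution point are placeholders to replace with your own values.

```cisco
! Added example (not from the thread): Low-Impact mode on a build-bench port.
! PREAUTH-BUILD, Gi1/0/10, VLAN 100 and 10.0.0.20 are placeholders.
ip access-list extended PREAUTH-BUILD
 remark DHCP: client source port bootpc (68) to server port bootps (67)
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark UDP to the SCCM PXE server (placeholder). Port 69 alone is not enough:
 remark TFTP data flows to an ephemeral server port, and WDS/PXE also uses UDP 4011.
 permit udp any host 10.0.0.20
 remark Everything else is dropped until ISE pushes a dACL after authentication
 deny ip any any
!
interface GigabitEthernet1/0/10
 description Build bench - Low-Impact mode
 switchport mode access
 switchport access vlan 100
 ! Pre-auth ACL; ISE's dACL replaces it once the session is authorized
 ip access-group PREAUTH-BUILD in
 ! Open mode: traffic is allowed (subject to the ACL) before authentication
 authentication open
 authentication host-mode multi-auth
 ! Try 802.1X first, fall back to MAB for the PXE client that has no supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! Short EAPOL timeout so the PXE client reaches MAB quickly
 dot1x timeout tx-period 10
 spanning-tree portfast
```

With this in place the build no longer depends on which MAC address the adapter presents: the PXE client gets DHCP and reaches the distribution point under the pre-auth ACL whether or not MAC Address Passthrough is in effect, and the laptop is fully authorized later by certificate-based 802.1X once the OS is deployed.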

 

Thanks for suggestion, I will look at Low Impact Auth mode.

You're very welcome.