08-11-2023 03:24 AM
Hello.
We are building a network using ISE's profiling function.
Authentication was successful, but if you check the other attributes in endpoints, the OUI value appears to be UNKNOWN.
What is the problem?
08-11-2023 03:38 AM
@CCC3 is randomised MAC address enabled on the endpoints? Is ISE profiling feed up to date?
08-11-2023 05:10 PM
With random MAC enabled or disabled, the same thing happens.
And it is difficult to check right away which profiling feed version is currently being used.
For reference, the current ISE version is 3.2 patch 3.
08-11-2023 10:47 AM
What OUI?
Did you check against the IEEE registry? http://standards.ieee.org/develop/regauth/oui/oui.txt
It's entirely possible to generate your own random MAC address or OUI. I talked about and demonstrated this in
▷ MAC Authentication Bypass (MAB) with ISE 2023/07/20
00:30 Media Access Control (MAC) Addresses by the Byte
02:40 OUI & MAC Formatting
Please provide more details in your questions for more complete answers from us. See How to Ask The Community for Help
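
An added example, not part of the original thread and not Cisco's code: one way to check a MAC address by hand against the IEEE registry format mentioned above, and to see whether it is locally administered (as randomized MACs are), in which case it carries no IEEE-assigned OUI. The registry excerpt is constructed for the example and the function names are hypothetical.

```python
import re

# Constructed excerpt in the "(hex)" line layout of the IEEE oui.txt file;
# a real check would load the full registry instead.
SAMPLE_REGISTRY = (
    "00-00-0C   (hex)\t\tCisco Systems, Inc\n"
    "00-03-93   (hex)\t\tApple, Inc.\n"
)
HEX_LINE = re.compile(r"\s*([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+)", re.I)

def load_registry(text):
    """Map 6-hex-digit OUI -> organization name from '(hex)' lines."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table[m.group(1).replace("-", "").upper()] = m.group(2).strip()
    return table

def normalize_mac(mac):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff; return 12 upper-case hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def classify_mac(mac, registry):
    """Return (kind, vendor); kind explains why a vendor is or is not available."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:   # I/G bit set: multicast/broadcast, not an endpoint
        return ("group", None)
    if first_octet & 0x02:   # U/L bit set: locally administered (e.g. randomized)
        return ("locally-administered", None)
    vendor = registry.get(digits[:6])
    return ("registered", vendor) if vendor else ("unlisted", None)

if __name__ == "__main__":
    reg = load_registry(SAMPLE_REGISTRY)
    for mac in ("00:03:93:12:34:56", "0000.0c12.3456",
                "DA:A1:19:00:00:01", "00:11:22:33:44:55"):
        print(mac, classify_mac(mac, reg))
```
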
08-11-2023 05:15 PM
Currently, I am trying to assign a VLAN to each terminal through profiling.
So, for example, it is necessary to distinguish by OUI, such as Apple / Android.
Authentication seems to be successful,
but in the actual endpoints, under other attributes, the OUI is coming out as unknown.
08-13-2023 08:28 PM
If the MAC address is a real MAC and it looks up in an online registry then you can open a TAC case and have them evaluate why it's missing from the lookup table.
Your immediate option to resolve this is to create a custom profile or customize the existing profile in ISE you are wanting to match. From there you can specify the MAC address range that's missing and fix this issue yourself.
08-14-2023 12:12 AM
I still lack a lot of knowledge about the ISE profiling function.
How can I create policies to apply to devices whose OUI is Apple?
08-14-2023 06:21 AM
This would be better asked as a new question instead of this question which is not going to answer yours.
08-23-2023 08:02 AM
@dss470001 please watch our ISE Webinars on our CiscoISE YouTube Channel and register for upcoming sessions to learn new things. I already mentioned ▷ MAC Authentication Bypass (MAB) with ISE in a response above and we are covering Getting Started with ISE Profiling on 2023/09/05 which is a more automated and dynamic way of detecting Apple OUIs.