Mac-Filtering on ISE

Mady
Level 4

Hi,

I created internal endpoint groups to which I manually add the MAC address of the user's device. The AuthZ policy I created is EndpointGroupA and SSID-GroupA = permit access.

I also have a CWA portal; users who register to that portal will tag their endpoint as RegisteredDevice.

My challenge is when a user with MAC address A (example only) that is manually added to EndpointGroupA registers to the CWA portal, its MAC address A is now tagged as RegisteredDevice.

So whenever this MAC address A accesses the SSID-GroupA, which requires a MAC-filtered device, it cannot connect to that SSID.

Hope you can help me on this. I'm thinking if there is another attribute for MAC filtering that I can use in the policy. Or any additional policy that I can configure.

Thanks in advance!

7 Replies

ajc
Level 7

Untitled.jpg

Try the attached authorization policies for CWA after the following ones:

1-if EndpointGroupA and SSID-GroupA then permit access (manual endpoint entries would get access)

2-if Network Access:UseCase EQUALS Guest Flow then permit access

***********THE ATTACHED POLICIES WOULD GO HERE*********

(the NOT EQUALS can be replaced by NOT CONTAINS)

Thanks for your reply. I will try your suggestion. I would like to ask if it is possible to assign an endpoint to two different endpoint groups, for example? Because I used hotspot, self-registered and BYOD, and each has a different endpoint group.

There's a chance that the MAC-filtered endpoint connects to all of those portals and it will be tagged to a different group.

 

No, you cannot assign an endpoint to different endpoint groups. You would have to play with the authz policies AND the Endpoint Group from the portal (see below).

pic 1.jpg

:) Thanks! It seems that I really need to work on my AuthZ policy. I will definitely try your recommendation.

Do not forget to rate, thanks.

ajc
Level 7

BTW, MAB authentication is not safe (spoofing can happen) unless you are ONLY allowing internet access to anyone connected to your SSIDGroupA.

Yes, it has access to internet only. :)
