Treat Specific MAC Address on ISE Policy

fdharmawan
Level 4

Hi Guys,

Right now I have a portal in working condition. The logic is pretty simple. When a device tries to connect to the SSID, ISE checks whether the MAC is already stored in the Internal Endpoints or not. If yes, then grant access. If not, then redirect the user to a portal where the user logs on with his/her AD credentials and the MAC address is stored for the next 10000 days. The portal mentioned is used for mobile device access, and the MAC addresses are purged once they have been registered for more than 10000 days.

But I have a new challenge where 3 PCs will connect to the same SSID, but their MAC addresses should be purged within 4 hours or so, unlike the default, which has a value of 10000 days. The goal is to monitor the people who are using the public PCs.

I have 2 scenarios in my mind, but so far no luck.

1. Create an if condition so that, whenever one of those MACs tries to connect to the SSID, the MAC is stored in a separate identity source and can be purged more frequently than the others. But I could not find a way to make this plan happen.

2. On the purge menu, create a rule where the MAC address is purged if its age is >= 1 day. But I could not do this, since I already have an initial rule that only purges a MAC address after 10000 days. (The MACs are stored in the same identity group.)

Do you guys have any idea how to do the workaround in my case?

Thank you.


4 Replies

Arne Bier
VIP

Perhaps you could choose not to store those three MAC addresses, and rather just assign a Session-Timeout = 14400 (4 hours) to the session.  How do users authenticate on those three devices (do they have AD accounts?)  If they also use AD accounts then you may have to redirect them to another Guest Portal - one which does not store the MAC address (or at least, does not store the MAC address in the same Identity Group as your primary Guest Portal page).

In your authorization Policy, you can then match higher up in the Rules, for

Calling-Station-ID == (PC 1 OR PC 2 OR PC 3) AND "Guest Flow"   THEN AuthZProfile = "Allow4hours"

else .... existing logic applies where you check the Identity Group containing AD authenticated users ... etc.
Hi Arne,

Thanks for the reply.

Yes, the users authenticate using AD credentials. The only difference is the purge time.

If I have to redirect those users to another guest portal, how do I integrate it with the existing one? Creating a new SSID does not seem like the best practice in this case.

In the Conditions Studio, inside the Authorization Profile section Network Access, I found 2 attributes, "Device IP Address" and "NetworkDeviceName". I know what "Device IP Address" means, but what about "NetworkDeviceName"? Is it the device's MAC address?

Thank you.

Accepted Solution

Hi @fdharmawan

You don't need another SSID, nor do you need another PSN.  Your PSN supports up to 600 Guest Portals (as far as Cisco have told us).  ISE is clever in this way, because it will allow you to have this many portals answering on TCP/8443 using virtual HTTP servers.  They only differ by their URL.

And of course when you redirect the "MAC not found" MAB auth to a Guest Portal, you then have to create a new Authorization Profile containing this second portal for your special users.  That portal will also use its own Identity Group for "employees" (users authenticating with AD creds).  And you'd ensure that you never use this Identity Group in any decisions - just keep purging the MAC addresses daily to keep the house tidy.  The Session-Timeout does all the rest.

I think that would work.
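To make the two-part design concrete (the Calling-Station-ID rule with a 4-hour Session-Timeout from the first reply, and the second portal feeding a separate Identity Group with its own purge age from the accepted solution), here is a small Python model of the rule order and the purge pass. This is an added example written for this page, not ISE configuration or Cisco code: the three MAC addresses, the group names PublicPCs and RegisteredDevices, the portal and profile names, and the 1-day purge age are assumptions. The one detail worth taking away is the MAC normalization: controllers send Calling-Station-ID with ':', '-' or '.' separators and mixed case, so a rule that compares the raw string can silently miss the public PCs.

```python
"""Model of the ISE-style authorization order and per-group endpoint purge.

Added example, not ISE configuration. Names, MACs and thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed placeholder MACs for the three public PCs (assumption).
PUBLIC_PC_MACS = {"00-11-22-33-44-01", "00-11-22-33-44-02", "00-11-22-33-44-03"}

# Purge age in days per endpoint identity group (assumed group names).
PURGE_AGE_DAYS = {"RegisteredDevices": 10000, "PublicPCs": 1}

SESSION_TIMEOUT_4H = 14400  # seconds, the value suggested in the thread


def normalize_mac(calling_station_id: str) -> str:
    """Canonicalize a RADIUS Calling-Station-ID to AA-BB-CC-DD-EE-FF.

    Accepts 'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' and 'AA-BB-CC-DD-EE-FF'.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


@dataclass
class Session:
    calling_station_id: str
    guest_flow: bool = False               # True once the portal login completed
    endpoint_group: Optional[str] = None   # identity group the MAC is stored in


@dataclass
class AuthzResult:
    profile: str
    session_timeout: Optional[int] = None
    redirect_portal: Optional[str] = None
    store_in_group: Optional[str] = None   # group the portal registers the MAC into


def authorize(session: Session) -> AuthzResult:
    """Evaluate rules top-down, first match wins, as an ISE policy set does."""
    mac = normalize_mac(session.calling_station_id)
    is_public_pc = mac in PUBLIC_PC_MACS

    # Rule 1: public PC that finished the portal -> 4h session.  The PublicPCs
    # group is deliberately never consulted here, so a still-unpurged MAC
    # cannot bypass the portal on the next visit.
    if is_public_pc and session.guest_flow:
        return AuthzResult("Allow4hours", session_timeout=SESSION_TIMEOUT_4H)

    # Rule 2: existing logic, a registered mobile device is simply permitted.
    if session.endpoint_group == "RegisteredDevices":
        return AuthzResult("PermitAccess")

    # Rule 3: unknown (or unpurged) public PC -> the second portal and group.
    if is_public_pc:
        return AuthzResult("PublicPC-Redirect", redirect_portal="PublicPC_Portal",
                           store_in_group="PublicPCs")

    # Rule 4: everything else -> the original portal and 10000-day group.
    return AuthzResult("Default-Redirect", redirect_portal="Employee_Portal",
                       store_in_group="RegisteredDevices")


@dataclass
class Endpoint:
    mac: str
    group: str
    created: datetime


def endpoints_to_purge(endpoints: List[Endpoint], now: datetime) -> List[str]:
    """Return the MACs whose age has reached their group's purge threshold.

    Endpoints in a group with no configured threshold are never purged.
    """
    purge = []
    for ep in endpoints:
        age_days = (now - ep.created) / timedelta(days=1)
        if age_days >= PURGE_AGE_DAYS.get(ep.group, float("inf")):
            purge.append(ep.mac)
    return purge
```

The purge pass runs on a schedule, so a public-PC MAC can survive for up to a day; that is why rule 1 keys on the Guest Flow state of the current session rather than on membership of the PublicPCs group, and why the 4-hour Session-Timeout, not the purge, is what actually ends the session.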

Hi Arne,

Will dig further on the matter and let you know the outcome. Thanks.