
Dynamic Attribute with ISE: MAC Address Matching


ISE can pull a list of MAC addresses from a user database such as AD, LDAP, SQL, or the internal DB and compare it against the connecting endpoint during authorization. This lets network admins restrict a user to a specific endpoint for network access. Doing this through a dynamic attribute has several benefits, one of which is that it reduces the number of policy rules when used correctly. Imagine you want to map 10 different users to 10 different MAC addresses. The traditional way is 10 separate rules that read “If User A, then match MAC address X”, “If User B, then match MAC address Y”, and so on. With dynamic attributes you can instead create a single rule that reads “If the user’s attribute includes the MAC address that is connecting, then permit access”. The AD attribute can be pre-populated with a list of MAC addresses and is read dynamically as the user authenticates. This video shows how to create users in AD with such an attribute, how to configure the ISE policy to use it for authorization, and finally how to confirm the operation.


Note 1: I used the ‘Description’ attribute from AD, which is not an indexed attribute; that works in a test environment. In a real-world environment, however, make sure to use an indexed attribute for fast retrieval of the attribute value.

Note 2: Cisco devices use the aa-aa-aa-aa-aa-aa format for the MAC address in the Calling-Station-ID field. If you try this with a third-party network device, you will need to find out which RADIUS attribute carries the MAC address and in what format it is sent, and store the MAC in that exact format in the directory attribute.

Note 3: If the PC has multiple interfaces, add the MAC address of every interface to the attribute.
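The three notes above describe the two things that make or break this design: the directory value must be in exactly the format the network device puts in Calling-Station-ID, and it must hold every interface MAC of the PC. The following Python is an added illustration, not ISE code or anything from the video: it models the authorization decision as a plain string comparison against a user attribute, and shows a small helper for writing MACs into the directory in the Cisco format so that a differently spelled MAC (colons, Cisco dotted form, uppercase) never ends up in the attribute by accident. The directory contents and user names are constructed sample data, and the `;` separator between entries is an assumption of this example.

```python
import re

# Format a Cisco device sends in Calling-Station-ID (Note 2): aa-aa-aa-aa-aa-aa
CISCO_MAC = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$")


def to_calling_station_format(mac: str) -> str:
    """Normalize any common MAC spelling (AA:BB:CC:DD:EE:01, aabb.ccdd.ee02,
    AA-BB-CC-DD-EE-03) to the lowercase, hyphen-separated form a Cisco NAD
    sends. Raises ValueError if the input is not exactly 12 hex digits, so a
    typo is caught before it is stored in the directory."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    h = hexdigits.lower()
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))


def build_directory_attribute(macs: list) -> str:
    """Build the value to store in the AD attribute: one entry per interface of
    the PC (Note 3), each already in the exact Calling-Station-ID format (Note 2).
    Entries are joined with ';' (separator chosen for this example)."""
    return ";".join(to_calling_station_format(m) for m in macs)


def mac_authorized(directory_value: str, calling_station_id: str) -> bool:
    """Stand-in for the single dynamic rule: permit only if the MAC from
    Calling-Station-ID appears as a whole entry in the user's attribute.
    The comparison is exact (no normalization on this side), so a MAC stored
    in the wrong format is rejected, which is the failure Note 2 warns about.
    Splitting into entries first, rather than a substring search over the raw
    value, prevents a 17-character MAC from matching across two adjacent entries."""
    if not CISCO_MAC.match(calling_station_id):
        return False
    entries = {e.strip() for e in directory_value.split(";") if e.strip()}
    return calling_station_id in entries


# Constructed sample directory (not from the page): username -> attribute value.
# alice has a wired and a wireless NIC; both must be listed (Note 3).
SAMPLE_DIRECTORY = {
    "alice": build_directory_attribute(["AA:BB:CC:DD:EE:01", "aabb.ccdd.ee02"]),
    "bob": build_directory_attribute(["00-11-22-33-44-55"]),
}


def authorize(username: str, calling_station_id: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Model of the authorization step: look up the authenticated user's
    attribute and compare it with the MAC the NAD reported. A user with no
    attribute value is denied rather than silently permitted."""
    value = directory.get(username)
    if not value:
        return False
    return mac_authorized(value, calling_station_id)


if __name__ == "__main__":
    for user, mac in [("alice", "aa-bb-cc-dd-ee-02"),   # wireless NIC, permitted
                      ("alice", "AA-BB-CC-DD-EE-02"),   # wrong case, denied
                      ("bob", "aa-bb-cc-dd-ee-01"),     # alice's NIC under bob, denied
                      ("carol", "aa-bb-cc-dd-ee-01")]:  # no attribute, denied
        print(user, mac, "permit" if authorize(user, mac) else "deny")
```

The useful habit this encodes is to do all normalization at write time, when the MAC goes into the directory, and none at match time: the authorization rule then stays a simple exact comparison, and a mismatch between what the device sends and what the directory holds shows up as a denied authentication that is easy to spot in the ISE live log rather than as an accidental permit.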

Comments
Beginner

Perfect.  Thank you Hosuk.

Beginner

I have problems repeating the same configuration with ISE 2.3.

Can you suggest where the problem could be? I tried to look at the debug of the RADIUS authentication, but I do not see any additional attributes from my AD.
