06-13-2017 06:56 AM - edited 08-15-2018 07:17 AM
ISE can pull a list of MAC addresses from the user database (AD, LDAP, SQL, or the internal DB) and compare it against the connecting endpoint during authorization. This lets network admins tie a user to specific endpoints for network access. Doing this with a dynamic attribute has several benefits; one is that, used correctly, it cuts the number of policy rules. Imagine you want 10 different MAC address mappings for 10 different users. The traditional way is 10 separate rules: "If User A, then match MAC address X", "If User B, then match MAC address Y", and so on. With dynamic attributes you create one rule: "If the user's attribute includes the MAC address that is connecting, then permit access". The AD attribute is pre-populated with the list of MAC addresses and is read dynamically as the user authenticates. This video shows how to create users in AD with such an attribute, how to configure the ISE policy to use it for authorization, and finally how to confirm the operation.
Note 1: I used the 'Description' attribute from AD, which is not an indexed attribute; this works in a test environment. In a real-world environment, however, make sure to use an indexed attribute so the attribute value is retrieved quickly.
Note 2: Cisco devices use the aa-aa-aa-aa-aa-aa format for the MAC address in the Calling-Station-ID field. If you try this with a third-party network device, find out which RADIUS attribute carries the MAC address and in what format it is sent, and store the MAC in that exact format in the directory attribute.
Note 3: If the PC has multiple interfaces, add the MAC of every interface to the attribute.
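The following is an added example, not code from the post or from ISE itself; it models the authorization check the post describes so the three notes can be tried offline. It assumes a comma-separated list of MACs in the directory attribute (the post does not say which separator was used), models the "attribute includes the connecting MAC" condition as a case-sensitive substring check (an assumption about the operator's semantics), and uses constructed sample users and MAC addresses. The diagnose() helper distinguishes a MAC stored in the wrong format (Note 2) from one that is simply not listed, which is the first thing to check when a lookup fails.

```python
"""Model of the ISE 'AD attribute includes Calling-Station-Id' authorization check.

Example code added for illustration; not from the original post or from ISE.
Assumptions: the AD attribute holds a comma-separated list of MACs, and the
ISE condition behaves as a case-sensitive substring match.
"""
import re
from typing import Iterable

HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def canonical_mac(raw: str) -> str:
    """Strip separators from any common MAC notation (aa-bb-..., aa:bb:..., aabb.ccdd.eeff)
    and return 12 lowercase hex digits. Raises ValueError for anything that is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", raw.strip())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()


def cisco_calling_station_format(raw: str) -> str:
    """Render a MAC in the aa-aa-aa-aa-aa-aa form Cisco devices send in Calling-Station-Id (Note 2)."""
    d = canonical_mac(raw)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def build_directory_value(macs: Iterable[str]) -> str:
    """Build the value to store in the AD attribute: every NIC of the PC (Note 3), each in the
    exact format the network device sends. The comma separator is an assumption."""
    return ",".join(sorted({cisco_calling_station_format(m) for m in macs}))


def authorize(calling_station_id: str, directory_value: str) -> bool:
    """The policy condition: does the user's attribute include the connecting MAC?
    Modeled as a case-sensitive substring match, so a MAC stored in another
    notation or case never matches (the pitfall in Note 2)."""
    return calling_station_id in directory_value


def diagnose(calling_station_id: str, directory_value: str) -> str:
    """Explain a failed lookup: 'match', 'format-mismatch' (same MAC, wrong notation
    in the directory) or 'not-listed'. Non-MAC entries in the attribute are ignored."""
    if authorize(calling_station_id, directory_value):
        return "match"
    stored = set()
    for entry in directory_value.split(","):
        try:
            stored.add(canonical_mac(entry))
        except ValueError:
            continue  # e.g. free text in a shared 'Description' attribute
    try:
        if canonical_mac(calling_station_id) in stored:
            return "format-mismatch"
    except ValueError:
        pass
    return "not-listed"


# Constructed sample directory data for two users (not from the post).
DIRECTORY = {
    # laptop with Ethernet and Wi-Fi NICs, both stored in the Cisco format
    "usera": build_directory_value(["00:11:22:33:44:55", "0011.2233.4466"]),
    # stored in the wrong notation (colons, upper case): will never match
    "userb": "AA:BB:CC:DD:EE:FF",
}


def decide(user: str, calling_station_id: str) -> str:
    """Authorization result for a RADIUS request from `user` with the given Calling-Station-Id."""
    value = DIRECTORY.get(user, "")
    return "PermitAccess" if authorize(calling_station_id, value) else "DenyAccess"


if __name__ == "__main__":
    for user, csid in [("usera", "00-11-22-33-44-66"), ("userb", "aa-bb-cc-dd-ee-ff")]:
        print(user, csid, decide(user, csid), diagnose(csid, DIRECTORY[user]))
```

When a real lookup fails, run the Calling-Station-Id from the ISE live log and the attribute value from AD through diagnose(): "format-mismatch" means the MAC is right but was stored in a notation the device does not send, which is exactly the case Note 2 warns about.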
Perfect. Thank you Hosuk.
I have problems repeating the same configuration with ISE 2.3.
Can you suggest where the problem might be? I tried looking at the RADIUS authentication debug, but I do not see any additional attributes from my AD.