ISE can pull a list of MAC addresses from the user database (AD, LDAP, SQL, or its internal DB) and compare it against the connecting endpoint during authorization. This lets network admins restrict each user to specific endpoints for network access. Doing this through a dynamic attribute has several benefits, one of which is that, used correctly, it reduces the number of policy rules. Imagine you want to create 10 different MAC address mappings for 10 different users. In the traditional way, you would create 10 separate rules that read “If User A, then match MAC address X”, “If User B, then match MAC address Y”, and so on. With dynamic attributes, you can instead create one rule that reads “If the user’s attribute includes the MAC address that is connecting, then permit access”. The AD attribute can be pre-populated with the list of MAC addresses and is looked up dynamically as the user authenticates. This video shows how to create users in AD with such an attribute, how to configure the ISE policy to use it for authorization, and finally how to confirm the operation.
Note 1: I used the ‘Description’ attribute from AD, which is not an indexed attribute; that works in a test environment. However, in a real-world environment make sure to use an indexed attribute for fast retrieval of the attribute value.
Note 2: Cisco devices use the aa-aa-aa-aa-aa-aa format for the MAC address in the Calling-Station-ID field. If trying this with a third-party network device, you will need to find out which RADIUS attribute contains the MAC address and in what format it is sent, and store the MAC in that exact format in the directory attribute.
Note 3: If the PC has multiple interfaces, you need to add the MAC address of every interface to the attribute.
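To make the authorization logic and the three notes concrete, here is an added simulation (not part of the original video or ISE itself) of the single dynamic rule: the RADIUS Calling-Station-Id is compared against a multi-valued directory attribute listing the MAC addresses a user may connect from. The directory contents, the attribute name `macAllowList`, and the user names are constructed assumptions; the exact-match comparison shows why the stored format must match what the network device sends, and the optional normalization shows what you would have to do for a third-party device that sends a different format.

```python
"""Simulated ISE-style authorization against a per-user MAC attribute."""
import re
from typing import List, Optional, Tuple

# Constructed sample directory standing in for AD/LDAP (assumption, not page data).
# One user has two NICs, so both MACs are stored (Note 3); one user has no attribute.
DIRECTORY = {
    "usera": {"macAllowList": ["aa-bb-cc-00-11-22", "aa-bb-cc-00-11-23"]},
    "userb": {"macAllowList": ["de-ad-be-ef-00-01"]},
    "userc": {},
}


def canonical_mac(raw: str) -> Optional[str]:
    """Reduce common RADIUS MAC renderings (aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff,
    AABBCCDDEEFF) to the Cisco aa-aa-aa-aa-aa-aa Calling-Station-Id form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorize(username: str, calling_station_id: str,
              attr: str = "macAllowList", normalize: bool = False) -> Tuple[bool, str]:
    """Return (permit, reason). With normalize=False the comparison is an exact
    string match, as ISE does with the attribute value, so the directory must
    hold the MAC in the format the NAD actually sends (Note 2)."""
    user = DIRECTORY.get(username.lower())
    if user is None:
        return False, "unknown user"
    allowed: List[str] = user.get(attr, [])
    if not allowed:
        return False, f"{attr} not populated"
    mac = calling_station_id
    if normalize:
        mac = canonical_mac(calling_station_id)
        allowed = [canonical_mac(a) for a in allowed]
    if mac in allowed:
        return True, "MAC listed in user attribute"
    return False, "MAC not in user attribute"


if __name__ == "__main__":
    print(authorize("usera", "aa-bb-cc-00-11-23"))                  # second NIC: permit
    print(authorize("userb", "DE:AD:BE:EF:00:01"))                  # format mismatch: deny
    print(authorize("userb", "DE:AD:BE:EF:00:01", normalize=True))  # same MAC, normalized: permit
```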