Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
404
Views
1
Helpful
2
Replies

Access to "My Device" Portal

Go to solution
lnw-team
Level 1
Level 1

‎10-30-2023 12:19 AM

Hello,

I would like to create additional "My Device Portal" on Cisco ISE. I would like only on-site support people to access the portal so that  they can add MAC-address of out-of-the-box device. The above-mentioned MAC address should be addded to Endpoint Identity Group that will be used in authorization policy "Clients Provisioning". How can I limit such access to certain users only? Can  I have several device portals on one Cisco ISE deployment with one IP address? Privileges and the group MAC addresses are added to dependns on portal and user who is logged on. 

Thank you in advance! 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎11-06-2023 04:31 PM

Using the ISE endpoint REST API for adding/updating/deleting endpoints to Endpoint Identity Groups might be a much faster and easier solution. The only challenge is the Role-Based Access Control (RBAC) for ISE APIs - they are either Read-Only or Read-Write today (through 3.3).

The other option would be to have some kind of web application for them to input the necessary provisioning details and then the app would perform the REST call for them.

And yet another option would be to use a different onboarding process through something like ServiceNow or other CMDB/inventory system and integrate that with ISE using JSON data tables as shown in ▷ ISE pxGrid Direct with CMDBs to use the provisioning details in your policy.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎10-30-2023 03:33 PM

The My Devices portal was intended to provide for users to register personal BYO devices that are not capable of using the ISE BYOD enrolment flow. The built-in configuration only provides the ability to authenticate users based on an Identity Source Sequence, not specifically limiting to AD groups.

AFAIK, this old trick to have ISE loopback to itself as a RADIUS Token server is the only way to achieve something similar.
https://community.cisco.com/t5/security-knowledge-base/ise-sponsor-amp-my-devices-authorization-on-secondary-attributes/ta-p/3641379

The MAC address registered via the My Devices portal is tied to the user logged in, so only that user would be able to see/modify the endpoint.

Go to solution
thomas
Cisco Employee
Cisco Employee

‎11-06-2023 04:31 PM

Using the ISE endpoint REST API for adding/updating/deleting endpoints to Endpoint Identity Groups might be a much faster and easier solution. The only challenge is the Role-Based Access Control (RBAC) for ISE APIs - they are either Read-Only or Read-Write today (through 3.3).

The other option would be to have some kind of web application for them to input the necessary provisioning details and then the app would perform the REST call for them.

And yet another option would be to use a different onboarding process through something like ServiceNow or other CMDB/inventory system and integrate that with ISE using JSON data tables as shown in ▷ ISE pxGrid Direct with CMDBs to use the provisioning details in your policy.

0 Helpful
Customers Also Viewed These Support Documents