Hello all,

We are a new user of ISE and have been taking baby steps as we learn how things are configured and work. We have been using the sponsor portal for our guest users for a while and are preparing to pull the corporate access into the fold. Our pilot has been going well and other than a few issues that have arise since we upgraded to 1.3 things have been mostly good.

Our policies have been setup so that an endpoint identity group with the device MAC address is checked as part of the authorization policy to better guarantee the device has access to network resources rather than just rely on user information. I imported the MAC addresses from our LANSweeper server that collects device data in bulk form to get things started and usually one by one manually add additional MAC addresses as needed. I then repeat the import on a routine basis to capture any new assets as a preemptive measure to them connecting through ISE. We have endpoint identity groups for corporate assets, registered personal assets and then our vendor assets to verify what networks they connect to and receive their associated DACLs.

I am wondering if there is a way to automate this process similar to a BYOD process that the help desk could utilize to update the identity group or a way to give them rights to modify the groups without having full rights to the ISE cluster.

Brent

These systems are user devices. What management required was that only known / registered devices get connected to the network. This prevents even the corporate user from any device they want to the network using just a username and password with 802.1x. The policy is written to check the Corporate Assets Group and the AD group for corporate access. A different policy is written to check the Personal Assets group and the AD group for accessing limited resources with the personal device. That is when we came up with the Endpoint Identity Group but the issue now comes up with how to maintain the groups by other than the two of us that are setting up and maintaining the ISE system.

I did not know if something like the BYOD on boarding process could be setup to allow the help desk folks to get the system into the system and place the device directly into the appropriate Identity Group or go after the fact and add the MAC address to the Identity Group. Management wants to keep the access control out of the end users hands because of past issues with internet access from cell phones and personal laptops.

 Modifying the Endpoint Identity Group is basically what I do now. I get the notification after the user has attempted to connect so the system knows the MAC address so I simply go add it to the proper identity group. If the user has not attempted at least once to connect then I am unable to add the MAC address. It is as if the system does a search as part of the add process. I have seen no other way other than am import to get a single MAC address into the system from scratch.

I am also trying to find a way to search for  MAC address and determine what Endpoint Identity Group it may already be in.

Brent