![]() Ubiquiti was an outlier in trying to bring enterprise features to the consumer market Consumer hardware is a brutal race to the bottom, as lay consumers aren't qualified to compare options based on anything but price and UI. Generally, halfway decent wireless APs are all targeted at the enterprise market. All the new unallowed endpoints will appear in the endpoint database (but being denied), that's something we cannot change, at least on my experience.Disclaimer: worked for Meraki (now Cisco Meraki) for several years. Then create a default rule denying access, so eveything new will be locked out. In general terms you should be adding all your old endpoints to an endpoint group that will be referenced by a rule that will allow these. Probably I'm not explaining very well this. Endpoint gets populated with all the endpoints ever seen by ISE, no matter authorized or not. If you purge and settle the database in monitor mode, you'll have all the endpoints in the database anyways. You'll be locking out everything connected to the network and yet unknown for ISE.ĥ0k endpoints for an 8 node deployment is not that much, so I would not expect any performance issues there. Once you have this done, you can then set a deny entry for anything new. ![]() Then you can set a rule to match this endpoint group and authorize these as you want. I meant that the endpoint database you have, can be exported, purged and then you can create a new endpoint group and import the old entries into it, using the csv template ISE provides. We accept that in this interim period, management of that whitelist will be a royal pain in the neck!! If I get over that issue, can ISE Policy handle a whitelist of many thousands of devices?Ĥ. I cant see anywhere how to import them into a new whitelist other than individually per MAC address. You can export from Administration\Identity Management\Identities\Endpoints all the MAC addresses ever known to ISE. ![]() There is NO wired guest access service (Wireless is not under ISE control yet) and there is acceptance that this list might currently contain illegal devices. The rationale is that it will prevent any new unauthorised device access and we will then get time to sort out proper policies for those currently connnected. ![]() So I have been asked to enable the policies I have tested, and below those but above the Default Policy create a catch-all policy to use a whitelist of all mac addresses currently known to the network. I have policies tested/prepared for standard DOT1x laptops/desktops etc but not for all other legacy/non-standard MAB devices yet. I have to move from Monitor Mode for wired devices quicker than anticipated. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |