Users can be limited with MAC address groups (Endpoint Identity group in ISE terminology) to which they are allowed to add MAC addresses. Authorization is based on Active Directory Groups membership. In other words, the User has to be a member of a certain AD group in order to be allowed to add MAC addresses to certain MAC address group. If a User is not authorized to use a MAC address group, the group will not be listed in any workflow in the New Endpoint menu.
- Authorization is available only for the User role. Administrators are always allowed to add MAC addresses to all groups
- Active Directory groups used for MAC address group authorization can be different from the groups used to authorize users into XTENDISE
To configure authorization, navigate to Administration -> Groups Authorization. The list of groups is automatically synchronized with ISE at configured interval (Refer to Maintenance for more detail ). Click Edit to a group to configure Authorization.
User can use the edited group, if is a member of the Active Directory group listed in the field AD Groups(users) mapping
On the edit page you can modify the following fields:
Endpoint Validity - Enter the maximum number of days a user can enter when adding a MAC address. This option is only valid for GUEST and BYPASS workflows. Validity of 0 means unlimited.
AD Groups(users) mapping - Enter a comma-separated Active Directory group names or usernames. A user can only use this MAC address group if he is a member of any AD group listed in this field. You can also enter a user's username.
Wokflow - The edited group will be available in the selected workflow.
If no group is specified in the AD Groups(users) mapping field, users will not be allowed to use this group and the group will be only available for administrators.