Group Authorization
  • 06 Jun 2022

Users can be restricted to specific MAC address groups (Endpoint Identity Groups in ISE terminology) to which they are allowed to add MAC addresses. Authorization is based on Active Directory group membership. In other words, a User has to be a member of a certain AD group in order to be allowed to add MAC addresses to a certain MAC address group. If a User is not authorized to use a MAC address group, the group will not be listed in any workflow in the New Endpoint menu.

Authorization notes
  • Authorization is available only for the User role. Administrators are always allowed to add MAC addresses to all groups
  • Active Directory groups used for MAC address group authorization can be different from the groups used to authorize users into XTENDISE

To configure authorization, navigate to Administration -> Groups Authorization. The list of groups is automatically synchronized with ISE at the configured interval (refer to Maintenance for more detail). Click Edit next to a group to configure its authorization.

A User can use the edited group if they are a member of an Active Directory group listed in the AD Groups(users) mapping field.

On the edit page you can modify the following fields:

Endpoint Validity - Enter the maximum number of days a user can enter when adding a MAC address. This option is only valid for GUEST and BYPASS workflows. Validity of 0 means unlimited.

AD Groups(users) mapping - Enter a comma-separated list of Active Directory group names or usernames. A user can only use this MAC address group if they are a member of any AD group listed in this field. You can also enter a user's username.

Workflow - The edited group will be available in the selected workflow.

Group mapping

If no group is specified in the AD Groups(users) mapping field, users will not be allowed to use this group and the group will be available only to administrators.
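
The rules above can be modelled offline to review who can see which MAC address group. This is an added example, not XTENDISE code: the `GroupAuth` fields, the function names and the sample data are hypothetical, and trimmed, case-insensitive matching and applying the workflow selection to administrators are assumptions.

```python
from dataclasses import dataclass

# Per the page, Endpoint Validity only applies to these workflows.
VALIDITY_WORKFLOWS = {"GUEST", "BYPASS"}


@dataclass(frozen=True)
class GroupAuth:
    """One Groups Authorization entry; field names are hypothetical."""
    name: str
    mapping: str            # raw "AD Groups(users) mapping" value
    workflow: str           # workflow the group is offered in
    validity_days: int = 0  # 0 means unlimited

    def principals(self):
        # Assumption: entries are trimmed and matched case-insensitively.
        return {p.strip().lower() for p in self.mapping.split(",") if p.strip()}


def visible_groups(groups, workflow, username, ad_groups, is_admin=False):
    """Names of the MAC address groups listed for this account in a workflow."""
    identity = {username.lower()} | {g.lower() for g in ad_groups}
    # Administrators may use every group; an empty mapping matches no User.
    return [g.name for g in groups
            if g.workflow == workflow
            and (is_admin or g.principals() & identity)]


def review(groups):
    """Flag settings worth a second look during an access review."""
    findings = []
    for g in groups:
        if not g.principals():
            findings.append((g.name, "admin-only: mapping is empty"))
        if g.workflow in VALIDITY_WORKFLOWS and g.validity_days == 0:
            findings.append((g.name, "unlimited endpoint validity"))
    return findings


# Constructed sample data, not taken from a real deployment.
SAMPLE = [
    GroupAuth("Guest-Devices", "NAC-Helpdesk, jdoe", "GUEST", 30),
    GroupAuth("Lab-Bypass", " nac-lab ,", "BYPASS", 0),
    GroupAuth("Infra-Only", "", "BYPASS", 7),
]

if __name__ == "__main__":
    print(visible_groups(SAMPLE, "GUEST", "jdoe", []))
    print(visible_groups(SAMPLE, "BYPASS", "asmith", ["NAC-Lab"]))
    print(review(SAMPLE))
```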