Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Machine Attribute Check in ISE. CAN IT BE DONE?


I'm trying to build a BYOD policy in ISE 1.2. I would like ISE to get machine attributes as part of the authorization policy. Can this be done? I'm not talking about machine authentication. I need something that could be checked at anytime.

Thanks for any help!         


Machine Attribute Check in ISE. CAN IT BE DONE?

Not sure what you mean by machine attributes, are you talking about hardware settings on some device , or attributes on a machine account in windows active directory ?

New Member

Machine Attribute Check in ISE. CAN IT BE DONE?

Something I can use on computers to differentiate a corporate asset from a BYOD asset.

Machine Attribute Check in ISE. CAN IT BE DONE?

Well, if you are using your regular internal CA to issue certs for corp. assets, and another CA for BYOD via ISE provisioning for example, you can use elements from your devices cert in authorization rules.

Something like :

Corp cert issuer=internalca.corp.local

Byod cert issuer=byod.whatever.local


New Member

Machine Attribute Check in ISE. CAN IT BE DONE?

The devices are using PEAP

Machine Attribute Check in ISE. CAN IT BE DONE?

I have seen in ISE 1.2 configuration guide that we can do the Machine authentication using AD, and once the Machine authenticate and authorised, profiling may happen and we can see the attributes: Please check the below link:


Machine Attribute Check in ISE. CAN IT BE DONE?


Cisco  ISE retrieves user or machine attributes from Active Directory for use  in authorization policy rules. These attributes are mapped to Cisco ISE  policies and determine the authorization level for a user or machine.  Cisco ISE retrieves user and machine Active Directory attributes after  successful authentication and can also retrieve attributes for an  authorization that is independent of authentication.

Cisco  ISE performs user and group membership lookups via LDAP to an Active  Directory. Group membership is used to map sponsor users to the  corresponding sponsor group in ISE. And if the user is not directly in  an Active Directory group, but is a member of a group that is a member  of the Active Directory group (nested groups), the user authorization is  rejected.

User  authentication on an authorization policy fails if the rule contains an  Active Directory group name with special characters such as  /!@\#$%^&*()_+~

you can also follow the below link_


Machine Attribute Check in ISE. CAN IT BE DONE?

Machine Access Restriction for Active Directory User  Authorization

Cisco ISE contains a Machine  Access Restriction (MAR) component that provides an additional means of  controlling authorization for Microsoft Active Directory-authentication  users. This form of authorization is based on the machine authentication  of the computer used to access the Cisco ISE network. For every  successful machine authentication, Cisco ISE caches the value that was  received in the RADIUS Calling-Station-ID attribute (attribute 31) as  evidence of a successful machine authentication.

Cisco ISE retains each  Calling-Station-ID attribute value in cache until the number of hours  that was configured in the "Time to Live" parameter in the Active  Directory Settings page expires. Once the parameter has expired, Cisco  ISE deletes it from its cache.

When a user authenticates from an  end-user client, Cisco ISE searches the cache for a Calling-Station-ID  value from successful machine authentications for the Calling-Station-ID  value that was received in the user authentication request. If Cisco  ISE finds a matching user-authentication Calling-Station-ID value in the  cache, this affects how Cisco ISE assigns permissions for the user that  requests authentication in the following ways: the Calling-Station-ID value  matches one found in the Cisco ISE cache, then the authorization profile  for a successful authorization is assigned. the Calling-Station-ID value is  not found to match one in the Cisco ISE cache, then the authorization  profile for a successful user authentication without machine  authentication is assigned.

Please check the below link.

New Member

Machine Attribute Check in ISE. CAN IT BE DONE?

Step 1Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2Click the Attributes tab.

Step 3Choose Add > Add Attribute to add a new attribute or choose Add > Select Attributes From Directory to choose a list of attributes from the directory.

NoteWhen you enter an example user name, ensure that you choose a user from the Active Directory domain to which the Cisco ISE is connected.When you choose an example machine to obtain machine attributes, be sure to prefix the machine name with “host/.” For example, you might use host/myhost.

Step 4Enter a name for a new attribute if you choose to add an attribute.

Step 5Check the check boxes next to the attributes from Active Directory that you want to select, and click OK.

Step 6Click Save Configuration.If you choose to add attributes from directory, enter the name of a user in the Example User field, and click Retrieve Attributes to obtain a list of attributes for users. For example, enter admin to obtain a list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.

CreatePlease to create content