Cisco ISE

Configure Cisco Identity Services Engine (ISE) to admit the RTA appliance via MAC Authentication Bypass (MAB), place it in an authorized VLAN with outbound internet access, and exempt it from posture checks.

Note

For the full explanation of why NAC blocks the appliance and the three-step fix (MAB allowlist → authorized VLAN → posture bypass), see Network Access Control. For upstream connectivity requirements (the endpoint and port the appliance must reach), see Connectivity Troubleshooting.


1. Get the appliance MAC address

Obtain the MAC address before making any ISE changes.

  • Hypervisor/cloud console — open the VM's NIC settings. The MAC is listed there without powering on the appliance.
  • DHCP lease table — if the appliance already got a restricted-VLAN lease, look up its MAC in your DHCP server's lease log.
  • Switch MAC table — show mac address-table interface <port> on the access switch will show whatever the port learned.

Hyper-V: confirm the MAC the switch actually learns

Hyper-V deployments enable MAC address spoofing on the appliance NIC so that L2 bridging works. The MAC the switch learns may differ from what the Hyper-V manager shows. Check the switch MAC table or the DHCP lease to be certain which address to allowlist.

Write the MAC down in AA:BB:CC:DD:EE:FF (colon-separated, lowercase) format — that is the format ISE expects in endpoint records.


2. Create an endpoint identity group

Group the appliance in its own Endpoint Identity Group so the authorization rule stays narrow and the entry is easy to remove after the engagement.

  1. In the ISE admin UI navigate to Administration → Identity Management → Groups → Endpoint Identity Groups.
  2. Click Add.
  3. Name the group RTA-Appliances (or your site naming convention).
  4. Save.

Next, register the appliance MAC as an endpoint in that group:

  1. Navigate to Context Visibility → Endpoints (or Administration → Identity Management → Identities → Endpoints).
  2. Click Add.
  3. Enter the MAC address in the MAC Address field.
  4. Set Identity Group to RTA-Appliances.
  5. Save.
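The MAC from step 1 arrives in whatever notation the source uses (Hyper-V manager, Cisco show mac address-table, a DHCP lease table), and the endpoint record from step 2 can be created through the ISE ERS REST API as well as through the UI. The following is an added example, not code from the original page or from Secureworks: it normalises any of those notations to the colon-separated form and registers the MAC as an endpoint pinned to the RTA-Appliances group. The ERS paths (/ers/config/endpointgroup, /ers/config/endpoint), the ERSEndPoint JSON keys and TCP port 9060 are the documented ISE ERS API; the hostname, account, MAC and description are placeholders to replace. ERS must be enabled under Administration > System > Settings > ERS Settings and the account needs the ERS Admin role.

```python
"""Normalise a collected MAC and register it as an ISE endpoint via ERS.
Added example; not part of the page or of the appliance's own tooling."""
import base64
import json
import re
import ssl
import urllib.request

# Separators accepted between octets or groups: '-', ':', '.', whitespace.
_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the colon-separated, lowercase form used in ISE endpoint records.

    Accepts Hyper-V notation ('00-15-5D-01-AB-02' or '00155D01AB02'), Cisco
    'show mac address-table' notation ('0015.5d01.ab02') and the colon form
    most DHCP lease tables print. Anything that is not exactly 12 hex digits
    once separators are removed is rejected rather than silently truncated.
    """
    digits = _SEPARATORS.sub("", raw.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def endpoint_payload(raw_mac: str, group_id: str, description: str) -> dict:
    """Body for POST /ers/config/endpoint. staticGroupAssignment keeps the
    endpoint in RTA-Appliances even if the profiler later reclassifies it."""
    return {
        "ERSEndPoint": {
            "mac": normalize_mac(raw_mac),
            "groupId": group_id,
            "staticGroupAssignment": True,
            "description": description,
        }
    }


def group_id_from_search(result: dict, name: str) -> str:
    """Pick the id of the single group called `name` out of an ERS SearchResult."""
    matches = [r for r in result["SearchResult"]["resources"] if r.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one group named {name!r}, found {len(matches)}")
    return matches[0]["id"]


def ers_request(base_url: str, user: str, password: str, method: str, path: str, body=None):
    """Minimal ERS call. TLS certificate verification is left on; install the
    ISE admin certificate chain on the caller instead of disabling it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + path,
        method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={
            "Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        raw = resp.read()
        # POST /ers/config/endpoint answers 201 with an empty body and a Location header.
        if raw:
            return json.loads(raw)
        return {"status": resp.status, "location": resp.headers.get("Location")}


def register_appliance(base_url, user, password, raw_mac, group_name, description):
    """Resolve the group id (step 2a), then create the endpoint in it (step 2b)."""
    search = ers_request(base_url, user, password, "GET",
                         f"/ers/config/endpointgroup?filter=name.EQ.{group_name}")
    gid = group_id_from_search(search, group_name)
    return ers_request(base_url, user, password, "POST", "/ers/config/endpoint",
                       endpoint_payload(raw_mac, gid, description))


if __name__ == "__main__":
    # Placeholders (assumed values): your ISE PAN, an ERS Admin account, the MAC from step 1.
    print(register_appliance("https://ise.example.invalid:9060", "ers-admin", "CHANGE-ME",
                             "0015.5d01.ab02", "RTA-Appliances",
                             "RTA appliance - engagement <ticket id>"))
```

Record the returned Location URL with the engagement ticket; it is the exact object to DELETE when the allowlist entry is removed at the end of the engagement.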

3. MAB and authorization policy (VLAN assignment)

Switch-side MAB (client responsibility)

The access switch must be configured to fall back to MAB for ports where the appliance connects. A typical IOS/IOS-XE snippet looks like:

interface GigabitEthernet0/1
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator

This is the customer's switch configuration — ISE is the RADIUS server the switch talks to.

ISE policy set — authentication

Confirm your relevant Policy Set (or the Default policy set) has a MAB authentication rule that queries the Internal Endpoints identity store. The built-in ISE default MAB rule typically looks for:

  • Condition: Wired_MAB or Wireless_MAB (depending on access type)
  • Identity Source: Internal Endpoints

No change is usually needed here unless your policy set uses a custom authentication order.

Authorization rule

Add an authorization rule that matches the RTA-Appliances group and assigns the correct VLAN:

  1. In your Policy Set, open the Authorization Policy section.
  2. Click Insert row above (or Add Rule) to create a new rule above any catch-all/deny rules.
  3. Set the Rule Name to RTA-Appliances-MAB (or similar).
  4. Set the Conditions to:

    IdentityGroup:Name EQUALS Endpoint Identity Groups:RTA-Appliances
    
  5. Set Results → Profiles to an Authorization Profile that assigns the target VLAN (see below).
  6. Save and push the policy.

Create (or reuse) an Authorization Profile

If you don't have an existing profile for managed appliances with VLAN assignment:

  1. Navigate to Policy → Policy Elements → Results → Authorization → Authorization Profiles.
  2. Click Add.
  3. Name it RTA-Appliance-Access.
  4. Under Common Tasks, check VLAN and enter the VLAN ID or VLAN name for the authorized segment that has outbound internet access.
  5. Under Common Tasks, optionally check DACL Name and select a permit-all downloadable ACL if your network enforces DACLs. A permit-all DACL is appropriate for this appliance — it needs unrestricted egress to its management endpoint.
  6. Leave the Security Group field blank (or set it per your SGT policy — the appliance does not interpret SGTs but they may apply at uplinks).
  7. Save.

4. Posture bypass

The RTA has no ISE posture agent. Any authorization rule that requires posture compliance will hold the session in a pending/unknown posture state and may redirect it to a remediation VLAN.

Ensure the RTA-Appliances-MAB authorization rule and its profile:

  • Do not include a posture condition (Session:PostureStatus EQUALS Compliant or similar).
  • Do not use a redirect ACL that points to the ISE posture portal.
  • Grant authorization immediately on MAB success, treating the endpoint as exempt from posture.

If your policy set has a global posture unknown/non-compliant rule that catches sessions before they reach your appliance rule, make sure the RTA-Appliances group condition either takes priority (is evaluated first) or is included as an exception in that global rule.


5. Apply and verify

After saving the policy, new authentications will use the updated rules. Existing sessions may need to be refreshed:

# On the access switch — bounce the port to force re-authentication
interface GigabitEthernet0/1
 shutdown
 no shutdown

Or trigger a CoA (Change of Authorization) from ISE if your switch supports it: Context Visibility → Endpoints → [select endpoint] → Actions → Re-Authenticate.

Confirm the session in ISE

  1. Navigate to Operations → RADIUS → Live Logs.
  2. Filter by the appliance MAC address.
  3. Confirm the authentication shows:
     • Identity Group: RTA-Appliances
     • Authorization Profile: RTA-Appliance-Access
     • VLAN assigned correctly
     • No posture redirect

Confirm connectivity from the network segment

From a host on the authorized segment (or from the appliance itself once it has a DHCP lease), verify the required outbound connection:

nc -vz connect.remotetesting.secureworks.com 443

A successful connection confirms the appliance can reach its management endpoint. The RTA tunnel should come up within a minute or two of the port authorizing.

Remove the allowlist entry after the engagement

MAB authorizes by MAC address, which can be spoofed. Remove the RTA-Appliances endpoint record (and optionally the identity group) when the engagement ends to prevent unauthorized access to the authorized VLAN.