Create Device Groups
There are a few ways to create a device group:
1. Add a device group manually from the frontend GUI
2. Import a device group from Cisco ISE, using the frontend GUI
3. Add a device group using the API calls directly to the Device Portal backend
The Device Groups page shows a list of all available groups, and administrators can Add or Import new device groups from it.
Note
Only Administrators of the Device Portal can create device groups.
A device group has the following parameters:
- Name
the name is a unique identifier for the device group and must follow the Cisco ISE naming rules, that is, it cannot contain any spaces or country-specific characters.
the name is the “endpoint identity group name” created in Cisco ISE
- Description
the description is a free text field to describe the device group
- Alias
the field is controlled by the application configuration setting “Use Name Alias”. If this is enabled then an Alias field is available for the device group
the alias is a display name for the device group, used to show and identify the device group to users
- Default Group Key Type
This field defines the default setting for all devices placed inside this device group.
device : a device must by default hold a device iPSK Key
group : a device will by default use the device group defined group PSK Key
mab : a device is a wired device using MAC Authentication Bypass (MAB)
- Group PSK Key
holds the device group's group PSK key, which devices can inherit
- Default Expiry Timeout
the field is controlled by the application configuration setting “Enable Expiry Timeout”. If this is enabled then the expiry timeout is available for the device group
the default expiry timeout must be configured as a number of days between 1 and 9999. Use 0 if the device group should not use an expiry timeout by default
- Default Idle Timeout
the field is controlled by the application configuration setting “Enable Idle Timeout”. If this is enabled then the idle timeout is available for the device group
the default idle timeout must be configured as a number of days between 1 and 9999. Use 0 if the device group should not use an idle timeout by default
- Access Permissions
holds a list of all the aaa_groups; selecting an aaa_group grants the users in that security group access to this device group
- Interface
Configure the access interface used by this device group to give devices access to the network
- Quarantine Interface
Configure the quarantine interface used by this device group to restrict devices' access to the network
- Enable User Edit
- when enabled, users with access to this device group are allowed to edit the following device group settings:
Description
Default Expiry Timeout
Default Idle Timeout
Group PSK Key
- Create Catch All Policy Profile
the field is controlled by the application configuration setting “allow_unrovisioned”
this feature creates an ACCESS_ACCEPT profile in Cisco ISE, which can be used to grant access to unprovisioned devices in this device group, if the device knows the group PSK key
Name, Default Group Key Type, Interface and Quarantine Interface are mandatory fields which must be used when creating a device group.
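A pre-flight check for a device group definition before it is created, for instance when scripting creation through the API. This is an added example, not DevicePortal code. The dictionary keys are hypothetical field names, and "country specific characters" is assumed to mean anything outside printable ASCII.

```python
import re

# Field names below are hypothetical; the page names the parameters but not
# their API spelling.
MANDATORY = ("name", "default_group_key_type", "interface", "quarantine_interface")
KEY_TYPES = {"device", "group", "mab"}
# Assumption: "country specific characters" is read as anything outside
# printable ASCII; whitespace is rejected as the page requires.
NAME_RE = re.compile(r"[\x21-\x7e]+")


def validate_device_group(group, existing_names=()):
    """Return a list of problems; an empty list means the definition passes."""
    problems = []
    for field in MANDATORY:
        if not group.get(field):
            problems.append(f"{field}: mandatory field is missing or empty")

    name = group.get("name") or ""
    if name and not NAME_RE.fullmatch(name):
        problems.append("name: contains a space or a non-ASCII character")
    if name and name in existing_names:
        problems.append("name: must be unique")

    key_type = group.get("default_group_key_type")
    if key_type and key_type not in KEY_TYPES:
        problems.append("default_group_key_type: must be device, group or mab")

    for field in ("default_expiry_timeout", "default_idle_timeout"):
        value = group.get(field, 0)  # 0 means the timeout is not used
        # bool is a subclass of int, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 9999:
            problems.append(f"{field}: must be a whole number of days, 0 or 1-9999")
    return problems


# Constructed sample definitions (names and interface values are made up)
GOOD = {"name": "IoT-Sensors", "default_group_key_type": "group",
        "interface": "vlan110", "quarantine_interface": "vlan999",
        "default_expiry_timeout": 365}
BAD = {"name": "Køkken sensors", "default_group_key_type": "psk",
       "interface": "vlan110", "default_idle_timeout": 10000}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample["name"], "->", validate_device_group(sample) or "ok")
```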
Add group
When the “Add group” button is selected, you create a device group by manually entering the group information.
Import from ISE
When the “Import from ISE” button is selected, you will be presented with a list of all “endpoint identity groups” in ISE. Selecting one to import reads the name and the description from ISE, and you then enter the remainder of the group information.
Editing Device Groups
When selecting the edit action, a dialog box will appear where it is possible to change settings after the device group has been created.
Warning
If you change the interface or SGT after devices have been added to the device group, those devices will not get the new interface or SGT. For now you have to go into the Devices menu and, for each device that is a member of the device group, click the edit action and then click save in the dialog box to trigger an interface change in the backend.
It is a known problem which we will fix in an upcoming release of DevicePortal.