https://community.cisco.com/t5/network-access-control/ise-eps/m-p/3838371#M473866 <P>Hey Terry,</P> <P>&nbsp;</P> <P>What version of Cisco Firepower are you using?</P> <P>&nbsp;</P> <P>Do you have your pxGrid remediaton instance configured on Firepower, have you setup your quarantine by source ip address &nbsp;remediation policies and assigned them to your Firepower quarantine policies and configured your Firepower quarantine rules?</P> <P>&nbsp;</P> <P>Firepower will trigger an automated mitigation action via pxGrid, you will want to have your Session:EPSStatus:Quarantine ISE authorization policy configured.</P> <P>&nbsp;</P> <P>Both ISE authz Session:EPSStatus:Quarantine rules and ISE ANC policies (port-shut, port-bounce, quarantine) are Adaptive Network Control (ANC) mitigation actions. &nbsp; &nbsp;Session:EPSStatus:Quarantine is considered ANC 1.0, Firepower subscribes the pxGrid EndpointProtection Service Topic to perform this mitigation action. &nbsp;ISE ANC policies are considered ANC 2.0, pxGrid clients like Stealthwatch 7.0 subscribe to &nbsp;the pxGrid AdaptiveNetworkControl topic to perform these mitigation actions.. &nbsp;Firepower, even though, they also subscribe to the pxGrid AdaptiveNetworkControl, DO NOT use ISE ANC policies, they still use Session:EPSSTATUS:Quarantine policies.</P> <P>&nbsp;</P> <P>Firepower 6.0 does not support ANC mitigations via pxGrid.</P> <P>&nbsp;</P> <P>If you have additional questions, please email me directly.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>John</P> <P>jeppich@cisco.com</P> Mon, 15 Apr 2019 01:06:48 GMT jeppich 2019-04-15T01:06:48Z https://community.cisco.com/t5/network-access-control/ise-eps/m-p/3838022#M473864 <P>Hi</P><P>&nbsp;</P><P>I'm currently trying to setup RTC between FMC &amp; ISE which looks like it is failing on the ISE side.</P><P>To simplify things I'm trying to manually implement device quarantine using 'Session:EPSStatus equals Quarantine' as a condition under global exceptions which is linked to an authorization profile that will place the device into a VLAN - this doesn't work. However, if I use 'Session:ANC equals QUARANTINE' (QUARANTINE being a policy with an ANC action of QUARANTINE) it works as expected.</P><P>&nbsp;</P><P>When I then test the RTC setup with either the EPS or ANC options (or even both with an OR statement) it doesn't work. On the FMC I can see the triggered event listed under 'Analysis &gt; Correlation Events' and I can see the pxgrid connection under 'System &gt; Syslog'.</P><P>On ISE under 'Administration &gt; pxGrid Services &gt; All Clients' I can see the 'iseagent' client online with 'ANC,EPS' listed under 'Client Group(s)'.</P><P>&nbsp;</P><P>A few questions:</P><P>&nbsp;</P><P>- I'm running ISE version 2.3 - is the 'EPSStatus' condition supported with 2.3?</P><P>- My understanding is that FMC - ISE RTC only supports EPS and not ANC - is this correct?</P><P>- If both the answers to the above are yes - does anyone have an idea why the manual quarantine option using 'EPSStatus' may not be&nbsp; working?&nbsp;</P><P>&nbsp;</P><P>Kind Regards</P><P>T</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 13 Apr 2019 11:19:33 GMT https://community.cisco.com/t5/network-access-control/ise-eps/m-p/3838022#M473864 Terry 2019-04-13T11:19:33Z https://community.cisco.com/t5/network-access-control/ise-eps/m-p/3838371#M473866 <P>Hey Terry,</P> <P>&nbsp;</P> <P>What version of Cisco Firepower are you using?</P> <P>&nbsp;</P> <P>Do you have your pxGrid remediaton instance configured on Firepower, have you setup your quarantine by source ip address &nbsp;remediation policies and assigned them to your Firepower quarantine policies and configured your Firepower quarantine rules?</P> <P>&nbsp;</P> <P>Firepower will trigger an automated mitigation action via pxGrid, you will want to have your Session:EPSStatus:Quarantine ISE authorization policy configured.</P> <P>&nbsp;</P> <P>Both ISE authz Session:EPSStatus:Quarantine rules and ISE ANC policies (port-shut, port-bounce, quarantine) are Adaptive Network Control (ANC) mitigation actions. &nbsp; &nbsp;Session:EPSStatus:Quarantine is considered ANC 1.0, Firepower subscribes the pxGrid EndpointProtection Service Topic to perform this mitigation action. &nbsp;ISE ANC policies are considered ANC 2.0, pxGrid clients like Stealthwatch 7.0 subscribe to &nbsp;the pxGrid AdaptiveNetworkControl topic to perform these mitigation actions.. &nbsp;Firepower, even though, they also subscribe to the pxGrid AdaptiveNetworkControl, DO NOT use ISE ANC policies, they still use Session:EPSSTATUS:Quarantine policies.</P> <P>&nbsp;</P> <P>Firepower 6.0 does not support ANC mitigations via pxGrid.</P> <P>&nbsp;</P> <P>If you have additional questions, please email me directly.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>John</P> <P>jeppich@cisco.com</P> Mon, 15 Apr 2019 01:06:48 GMT https://community.cisco.com/t5/network-access-control/ise-eps/m-p/3838371#M473866 jeppich 2019-04-15T01:06:48Z