topic Re: Quarantine/Un-quarantine an endpoint by REST API of ISE in Network Access Control

Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Wed, 06 Oct 2021 18:15:35 GMT

hi Cisco,

I deployed one Cisco ISE VM(version 2.7.0) in VMware ESXi. I'm working on REST API of ISE. My requirement is to quarantine/un-quarantine the IP address of endpoints by REST API. Right now I have 2 questions:

1. I tried to use "/ers/config/ancendpoint/apply" to quarantine the MAC address of endpoint. The quarantine was successful. But if I only use the IP address of endpoint, I always get error code 500 and title is "

Session lookup failure". How can I quarantine one endpoint by its IP address?
2. I didn't find out descriptions about the REST API of un-quarantine in ISE SDK. I also looked up massive materials online but no lucky. How can I un-quarantine one endpoint (by IP address) by REST API?

Thanks a lot.

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

Mike.Cifelli — Wed, 06 Oct 2021 18:32:42 GMT

Take a look here to see if this could help: ISE MNT CoA API Tool - Cisco Community

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Wed, 06 Oct 2021 23:13:39 GMT

Thanks Mike. Your resolution is related to MNT API which doesn't work for my requirements(quarantine/un-quarantine endpoints).

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

Greg Gibbs — Thu, 07 Oct 2021 06:19:11 GMT

If you only have one ISE node, there should not be an issue with pulling session information like there might be with a separate MnT node.

Does ISE show the correct IP address in the Live Logs and Context Visibility for the specific MAC address?

Are you using the latest patch for 2.7? What does the payload of your API call look like?

I tested the following JSON payload in my lab with the 'ancendpoint/apply' call in ISE 3.0 p4 and it worked as expected. The API doco for this call in 2.7 is the same as 3.0, so a similar payload should work.

{
  "OperationAdditionalData" : {
    "additionalData" : [ {
      "name" : "ipAddress",
      "value" : "192.168.140.107"
    },
{
      "name" : "policyName",
      "value" : "ANC-Quarantine"
    }]
  }
}

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Sat, 09 Oct 2021 07:35:33 GMT

Hi Greg,

The version of my ISE is v2.7 patch 5 which should be the latest patch for V2.7.

The payload I requested is like this:

{

"OperationAdditionalData" : {

"additionalData" : [

{

"name" : "ipAddress",

"value" : "172.16.69.201"

{

"name" : "policyName",

"value" : "zhenhui"

} ]

}

I can see MAC and IP address of endpoints in Context Visibility. These endpoints and Cisco ISE itself have already been in the same AD.

But if we come to Live Logs and Live Sessions of Radius, there are nothing inside.

I'm not sure if the empty raises the error of "Session lookup failure". I am totally a fresh man for Cisco ISE. Could you tell me how can I successfully to execute REST API to quarantine endpoint like 172.16.69.201 in the next step?

Thanks so much

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

Greg Gibbs — Sun, 10 Oct 2021 22:07:02 GMT

If you're not seeing any RADIUS live logs/sessions, this is a bigger problem than the API. I would suggest reviewing the ISE Secure Wired Access Prescriptive Deployment Guide to compare it to your setup and ensure you have all the necessary RADIUS configuration applied to your switch.

Once ISE and the switch are correctly tracking the RADIUS sessions, the ANC Quarantine configuration is pretty simple.

You create an ANC Policy (in my case, called ANC-Quarantine) with the QUARANTINE action...

... create an AuthZ Profile that applies the controls you want (dACL, dVLAN, etc), and create an AuthZ policy or Global Exception rule that uses the Session·ANCPolicy EQUALS <policy name> matching condition and applies your AuthZ Profile.

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Tue, 12 Oct 2021 16:56:13 GMT

Thanks Greg. I'll review this guide. First of all, I want to ask 2 basic questions:

1. is it possible to have Radius session just between endpoints(let's say one Windows 10 endpoint) and ISE, especially when both of endpoints and ISE are VMs? Because our team is still investigating Cisco ISE. We don't want to make the investigation process too complicated, like introduce other network components into the network topology.

2. is it possible to un-quarantine endpoints by REST API in Cisco ISE? I looked up some documents on-line. Many of the documents mentioned ISE has no longer supported un-quarantine operation. Could you help me to check this point?

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

Greg Gibbs — Tue, 12 Oct 2021 21:35:12 GMT

Hi @zhaoz,

In response to your question:

I'm not sure I understand the question, but it sounds like you might be asking if it's possible to initiate a RADIUS directly between a Win10 VM and an ISE VM without a network device like a switch between them. That is not a standard feature of a client native supplicant. The supplicant talks 802.1x between the client and authenticator (e.g. switch) and the authenticator speaks RADIUS to the authentication server (ISE). There are some test software applications out there that can initiate a RADIUS request directly, but that is not the same as a true client. In my lab setup, I use the following:
- Win10 VM, connected to a separate vSwitch
- vSwitch using an isolated NIC for uplink
- Isolated NIC connected to my Cisco switch access port, configured for NAC
Yes, the API call for 'ancendpoint/clear' will remove the endpoint from the ANC Policy. This will remove the attribute for 'Session·ANCPolicy EQUALS <policy name>' and clear the session. The client will reauthenticate (it used to issue a CoA but, in ISE 3.0, I can see the endpoint session disappear from ISE and the switch for a few seconds and then a new session is created) and be authorised based on the non-ANC policy results.

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Thu, 14 Oct 2021 00:12:52 GMT

thanks @Greg Gibbs . You have inspired me so much. I went over the deployment guide you posted. Right now there is one session in Live Sessions. Woohoo! But, the most confused thing is: IP Address is empty. Could you help me to figure out what I missed?

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

Greg Gibbs — Thu, 14 Oct 2021 00:41:58 GMT

Is the endpoint getting an IP address? If not, you may need to ensure you have an 'ip helper' address configured on the VLAN interface to forward to your DHCP server.

If you're getting an IP on the endpoint, but ISE is not receiving the IP info from the switch you should look into your Device Sensor and IP Device Tracking configuration on the switch. Both are covered in that guide. If you're using an older switch and/or software, you might need to use different configs for those features. It would help to know what switch hardware/software you're using.

IP Device Tracking is responsible for capturing the IP address of the endpoint in the switch and mapping it to the MAC address, and Device Sensor is responsible for communicating that information to ISE via RADIUS accounting.

You can check what the switch knows using the following commands:

show ip device tracking interface <int>
!
show device-sensor cache interface <int>

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Thu, 14 Oct 2021 01:08:14 GMT

sorry, I forgot to mention one thing: the switch is from other vendor (Fortinet) rather than Cisco. Cause I have no authority to download the iso file of E8000v.

Moreover, the endpoint is getting an IP address.

Device Sensor and IP Device Tracking are introduced in the guide. But they are the features only developed by Cisco. Are there some ways to have IP address of endpoint across non Cisco switch(like Fortinet switch)?

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

Greg Gibbs — Thu, 14 Oct 2021 02:08:24 GMT

You would need to use the legacy method of enabling the DHCP Probe in ISE and forwarding DHCP requests from the clients to the ISE PSNs. See the ISE Profiling Design Guide for more information.

I'm not sure, however, if applying the ANC Policy will work properly with the Fortinet switch as I believe it still relies on support for Change of Authorization (CoA). ISE does not have a default Network Device Profile for Fortinet switches, so you will likely need to create a custom one as per this guide.

You might search the Community to see if others have tested ANC with Fortinet and/or have a working Network Device Profile for Fortinet that they can share. If not, you may need to seek help from the vendor for the proper settings. If you get a working Profile, please share it with the rest of the Community via the ISE Third-Party NAD Profiles and Configs page.

If you need to seek help from the Community on this, however, I would suggest starting a new one as this has strayed quite far from the original topic about the API calls.

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Thu, 14 Oct 2021 17:52:52 GMT

yep, fair enough. Thank you so much Greg.

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Mon, 01 Nov 2021 23:57:54 GMT

hi Greg,

I referenced your suggestions and got a big progress on the topic. right now IP address shows up there!

However, the AVPs of Disconnect Request sent from ISE didn't included the attributes I defined in Network Device Profiles. FortiSwitch is the 3rd party device which requires "User-Name" attribute included in CoA/Disconnect Request. This snapshot is the packets dumped from the built-in tcpdump tool of ISE: Diagnostic Tools > TCP Dump, I didn't find User-Name in AVPs of Disconnect Request.

But actually I created a new Network Device Profile named "FTNTWired" which includes User-Name attribute in Disconnect.

And applied this profile on Device Profile when configuring Network Devices.

I also created a new authorization profile named "ftnt_quarantine_profile" and applied the device profile in the box of "Network Device Profile" as well. furthermore I added Framed-IP-Address to Advanced Attributes Settings like below.

In Authorization Policy, I set condition to ftnt_quarantine which means ANC policy is quarantine, and applied ftnt_quarantine_profile on Results Profiles. when I sent one IP addr with ANC policy by REST API, I can see Hits was incremented by 1 like below.

To my understanding, "Hits" means the authorization policy is matched, right? But just like the packets showed above, neither User-Name nor Framed-IP-Address show up in AVP of Disconnect Request. Did I miss something?

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

ggmeza — Thu, 05 May 2022 12:59:16 GMT

Hi, how are you? Could you share with me how did you configure and which tool use to put mac address in quarantien through api? postman? curl?

Thanks.

Re: Quarantine/Un-quarantine an endpoint by REST API of ISE

zhaoz — Mon, 04 Jul 2022 18:43:46 GMT

hi,

I used Postman to call REST API. Basically you need to configure "Auth" by username and password, and set url and json data properly. For example, if you want to quarantine endpoints by mac address, set "name" to "macAddress". Simply reference the configuration below.

The docs of Cisco are very helpful.

ANC Endpoint - Cisco Identity Services Engine API Reference Guide, Release 3.0 - Document - Cisco DevNet