topic Re: From ISE identity management, in Network Access Control

How to block a endpoint PC in Cisco ISE system?

musikman1988 — Fri, 21 Feb 2020 13:10:38 GMT

Hi All,

Our company deployed Cisco ISE system to control PC clients access LAN.

I have a question:

I'd know a MAC address and I want to deny this MAC address to access our company LAN?

What step should I do it?

Thanks a lot !!

BR Frank

From ISE identity management,

Saurav Lodh — Fri, 09 May 2014 11:30:56 GMT

From ISE identity management, open Endpoints. IF endpoint is there ( search Endpoint using MAC ), select the endpoint and edit. Opt static group assignment and assign the endpoint as Blacklisted. Now from Authorization policy, make one policy like , if condition < blacklisted > then permissions < deny >

Hi Salodh,As before, I just

musikman1988 — Sat, 10 May 2014 02:33:15 GMT

Hi Salodh,

As before, I just find MAC address and assign it as "BLACKLIST" group, but I didn't define "BLACKLIST" policy, I think this is the reason for my failure.

Thanks a lot.

/Frank

Re: How to block a endpoint PC in Cisco ISE system?

ZacGomez — Thu, 02 Jan 2020 23:59:57 GMT

Profile the device as blacklist

1.2 Administration->Identity management->Endpoint-(searchmac)->In network search Blacklisted

2.X Administration > Identity Management > Groups > Endpoint Identity Groups->Blacklisted-Edit->add

Link: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_010101.html

Regards

Re: From ISE identity management,

haseeb.shaukat — Mon, 04 Apr 2022 10:46:49 GMT

I want to achieve this use case via REST APIs. Is there any suggestion?

Re: From ISE identity management,

thomas — Mon, 04 Apr 2022 19:27:04 GMT

@haseeb.shaukat, please see :

You may always re-use the default Blacklist / Blocked List endpoint group in ISE.

You may need to update/change/create an Authorization Rule in ISE depending on your policy sets and authorization rules.

Re: From ISE identity management,

haseeb.shaukat — Tue, 05 Apr 2022 06:15:54 GMT

@thomas Thanks for the suggestions. I have studied APIs you referenced, but have some confusions:
1) Does Endpoint Group with name "BLACKLIST" exists by default in ISE? If no, creating a endpoint group with name "BLACKLIST" is suffice? I mean there is no option available to set as an action for a endpoint group e.g action=deny/allow traffic, only naming a group "BLACKLIST" is enough?
2) Can we remove an endpoint from blacklist endpoint group? If yes, which APIs i can use?

3) Can i search endpoints by ip-address via APIs and get their mac-addresses ?
4) What kind of authorization rule is required to make it work?

Re: From ISE identity management,

thomas — Tue, 05 Apr 2022 08:15:18 GMT

> Does Endpoint Group with name "BLACKLIST" exists by default in ISE?

Yes but it was changes in ISE 3.0 I believe to BLOCK LIST. You may create your own group to do the same thing.

> Can we remove an endpoint from blacklist endpoint group? If yes, which APIs i can use?

Yes. Delete the endpoint or change it's endpoint group. Which API resource you use depends on your approach.

> Can i search endpoints by ip-address via APIs and get their mac-addresses

Please see the Monitoring REST APIs for endpoint and IP based queries. You cannot do such a query for all known ISE endpoints today.

Session Counters
https://ise/admin/API/mnt/Session/ActiveCount
https://ise/admin/API/mnt/Session/PostureCount
https://ise/admin/API/mnt/Session/ProfilerCount

Session Lists
https://ise/admin/API/mnt/Session/ActiveList
https://ise/admin/API/mnt/Session/AuthList/{options}

Session Attributes
https://ise/admin/API/mnt/Session/MACAddress/{mac}
https://ise/admin/API/mnt/Session/UserName/{username}
https://ise/admin/API/mnt/Session/IPAddress/{nas-ip}
https://ise/admin/API/mnt/Session/Active/SessionID/{audit-session-id}/0

Others
https://ise/admin/API/mnt/Version
https://ise/admin/API/mnt/FailureReasons
https://ise/admin/API/mnt/AuthStatus/MACAddress/{mac}/{seconds}/{records}>/All
https://ise/admin/API/mnt/AcctStatusTT/MACAddress/{mac}/{seconds}
https://ise/admin/API/mnt/CoA/Reauth/{psn}/{mac}/{reauthtype}/{nas-ip}/{dst-ip}
https://ise/admin/API/mnt/CoA/Disconnect/{psn}/{mac}/<disconnecttype>/{nas-ip}/{dst-ip}

> What kind of authorization rule is required to make it work?

Have you looked at the ISE Default Policy Set and the Wireless Black List authorization rule in ISE? Like that but you do not need to limit it to Wireless Access. See Static Endpoint Group(s) in .

Status

Rule Name

Conditions

Profiles

Security Groups

Hits

Actions

✔

Wireless Block List Default

AND	Wireless_Access IdentityGroup-Name EQUALS Endpoint Identity Groups:Blocklist

Block_Wireless_Access

Select from list

⚙

Re: How to block a endpoint PC in Cisco ISE system?

jakub.kacer — Wed, 27 Jul 2022 11:27:49 GMT

Hi,

check out the following tool which uses ISE API for MAC address management:

https://www.xtendise.com/

Jakub

Re: From ISE identity management,

asancheztellez — Wed, 12 Apr 2023 21:05:55 GMT

This is a very similar issue we have... an android device lost with user AD credentials in it attempting every minute to authenticate and causing the AD user account locked out. I added the mac address to a deny rule at the top in the authentication policy... but still issue occurred.... and was able to confirm this in the Operations -> Live Logs when filtering the mac address.... so i opened a TAC case and this is what they told me: "
"ISE is not able to block by MAC address without affecting the user because the device is using user authentication as its method, so when it tries to log in and fails (because of the policy to deny that MAC address) then blocks the user too, affecting the customer's real user. From ISE there is no way to block a MAC address before starting the process of authenticating, thats why the customer needs to get the MAC address to be blocked from the network access device (WLC).
Since the issue is that the endpoint has set as authentication method user authentication, and we dont have access to that endpoint, we wont be able to block the MAC address without affecting the user."

Is this legit??