topic Re: Cisco ISE - ANC leveraging integrated AMP - Isolation in Network Access Control

Cisco ISE - ANC leveraging integrated AMP - Isolation

Script Kiddie — Tue, 02 Apr 2024 07:38:56 GMT

Dear community,

I have integrated Cisco ISE and AMP with intention to leverage threat centric data in authorization rules.

I can see threat centric data and compromised endpoint within the ISE after executing false-exploit, like status "Painful", etc. but I don't see any attributes to leverage this in authorization policy.
I'm able to trigger manual ANC based on this event, which is okay, but I need automated response and I thought this will work.

My idea is (for example): Endpoint is being exploited and has Cisco AMP installed, Cisco AMP sends this threat centric data to ISE, ISE has authorization policy says "if threat level = painful & endpoint in Admin Lan" Endpoint will be assigned to quarantine VLAN or ANC will be triggered.

My problem is that I don't see attributes above as threat level = painful or anything related to this AMP threat centric data that I can utilize in authorization policies to Isolate automatically.

Re: Cisco ISE - ANC leveraging integrated AMP - Isolation

Arne Bier — Mon, 13 May 2024 23:54:02 GMT

This might be a question also to the Cisco TAC. I don't have AMP integration and I think one needs that integration to populate the ISE RADIUS Dictionary. If ISE Policy Set Authorization conditions are based on what is contained in the Dictionary. Have a look around in

Policy -> Policy Elements > Dictionaries > System and explore any folders regarding ANC/AMP etc.

Re: Cisco ISE - ANC leveraging integrated AMP - Isolation

Greg Gibbs — Tue, 14 May 2024 02:13:43 GMT

The following list of Dictionaries/Attributes was shared as a reference for the ISE Webinar on the ISE Threat Centric NAC Service. These are the only attributes that can be used within ISE policies. If you have not done so already, I would suggest reviewing that Webinar for more information on the capabilities.