ISE 2.1 FMC 6.1 ANC Unquarantine

Daniel Lucas
Level 1

How do you unquarantine an endpoint once FMC has instructed ISE to quarantine it? Manually entering the MAC address under 'Operations->Adaptive Network Control -> Endpoints -> EPS Unquarantine' doesn't do anything... it's also confusing because the endpoint list under Adaptive Network Control is empty:

Untitled.png


Accepted Solution

jeppich
Cisco Employee

Hey Daniel,

You would need to select EPS Unquarantine, enter the MAC address you want to unquarantine and then submit.

FMC uses Session:EPStatus:Quarantine in the ISE auth global exception policy. This is Adaptive Network Control (ANC) 1.0. FMC subscribes to the pxGrid EndpointProtectionService Topic using pxGrid 1.0.

FMC does not use true ANC 2.0 policies that include ISE ANC policies: quarantine, port-shut, port-bounce.

You can also create an unquarantine Policy from FMC to unquarantine directly from FMC (this was from Cisco Firesight, only use the policy section): https://community.cisco.com/t5/security-documents/how-to-rapid-threat-containment-rtc-with-cisco-firesight-and-ise/ta-p/3627044

You can also unquarantine from the API from your browser: https://{ipaddressofmnt}/API/eps/UnQuarantineByIP/{ipaddress}

If you have any questions, please email me directly.

Thanks,

John

jeppich@cisco.com

19 Replies 19

Daniel Lucas
Level 1
Seems like this should be something easy to do. Even deleting the endpoint out of the endpoint database doesn't remove the quarantine status.
I haven't tried creating a separate correlation policy in FMC to unquarantine the endpoint when it sees a certain connection event - mainly because that is a ridiculous way to have to unquarantine an endpoint... if you quarantine the endpoint and remove network access, how would any traffic reach the Firepower appliance? And I would think the typical use-case for this feature would be to bump the endpoint off the network so an admin can run a virus scan, re-image the laptop, etc. and then get it back on the network. There has to be a way to manually unquarantine an endpoint in ISE, otherwise this feature is useless.

^Bump
Has anyone got this working? Is the unquarantine feature available in a later release? I have customers potentially interested in this feature, but if the endpoint is forever marked as quarantined in ISE then that would severely limit its usefulness.

howon
Cisco Employee

Go to Context Visibility and revoke ANC policy:

Screen Shot 2019-02-04 at 10.13.20 AM.png

Option is greyed out - is that only available when you assign an ANC policy from within ISE itself?

Which option is greyed out? The ANC or Revoke function? If you have plus license (Which I assume you do since using RTC) it should be available to you.

Sorry mis-spoke - the option isn't greyed out, but I get an error stating that "No policy applied to specified mac".

esp-unquarantine-error.PNG

Any ideas on this? If I disable my quarantine global exception rule and re-auth, I can get my endpoint back on the network - but as soon as I re-enable the quarantine rule and re-auth I match it again. It's like there is a cache that needs to be cleared, but I dunno how to clear it - rebooting ISE doesn't clear it either.
Is this maybe something that is available in a later version?

Mike.Cifelli
VIP Alumni
I have seen this same behavior before. Does ISE throw an error when doing this: Manually entering the MAC address under 'Operations->Adaptive Network Control -> Endpoints -> EPS Unquarantine' doesn't do anything? This process should work immediately if your ISE node is configured on your NAD as a dynamic author. Also, ensure that udp port 1700 (for CoA) is not blocked anywhere between ISE and your NAD. HTH!

No warning or error given - I get a message saying

"Server Response

<MAC> has been saved successfully"

But when I check the log no CoA was issued - and the live session still shows my endpoint having Quarantine ANC status:

anc.PNG

If I force a CoA from here I still see the same ANC status, and match the same Quarantine Auth Rule:

coa.PNG

This is in a lab environment, and there is no firewall between my ISE and WLC - also CoA works; it's just matching the same AuthZ policy because the ANC/EPS status doesn't change.

Let me know if there is any other configuration you would like to see.

-Thanks

What about debug logs from device?
debug aaa coa
debug radius
debug aaa pod
Can you share your AAA configs from device?

It is a Wireless LAN Controller - screenshots below:

wlc-radius-settings.PNG

Debug output after selecting 'EPS Unquarantine' in ISE - no output on the WLC

wlc-debug-aaa_EPS-Unquarantine.PNG

Debug output after selecting 'Session Reauthentication' from 'CoA Actions' in ISE
wlc-debug-aaa_Forced-CoA.PNG

CoA is clearly working between ISE and my NAD - it's just that ISE isn't doing anything after selecting EPS Unquarantine.


The API call worked - although for anyone else having this issue, a username is required in the GET request, and ERS also needs to be enabled in ISE (Administration->Settings->ERS)
http://<ise-ip>/admin/API/eps/UnQuarantineByIP/<endpoint-ip>

Thanks for the help
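As an added example (not Cisco's code and not from anyone in this thread), the Python helper below issues the EPS UnQuarantineByIP GET that John suggested and Daniel confirmed, using the path quoted in the thread and HTTP basic auth to satisfy the username requirement. The MnT host name, credentials, HTTPS and the unparsed response handling are assumptions; the response schema is not shown in the thread, so the body is returned raw.

```python
"""Unquarantine an endpoint through the ISE MnT EPS (ANC 1.0) REST call.
Added example, not Cisco's code. Assumes the path quoted in this thread
(/admin/API/eps/UnQuarantineByIP/<ip>), HTTPS to the MnT node, and basic
auth with an ISE admin account (a username is required; ERS must be
enabled under Administration -> Settings -> ERS)."""
import base64
import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple


def build_unquarantine_url(mnt_host: str, endpoint_ip: str) -> str:
    """Return the UnQuarantineByIP URL for one endpoint. The IP is parsed
    with ipaddress so operator input such as '10.1.2.3/../x' cannot alter
    the request path (ValueError on anything that is not an address)."""
    ip = ipaddress.ip_address(endpoint_ip)
    return f"https://{mnt_host}/admin/API/eps/UnQuarantineByIP/{ip}"


def unquarantine_by_ip(mnt_host: str, endpoint_ip: str, username: str,
                       password: str,
                       opener: Optional[Callable] = None) -> Tuple[int, bytes]:
    """Issue the GET and return (HTTP status, raw body). `opener` defaults
    to urllib.request.urlopen, which verifies the MnT TLS certificate:
    trust the ISE admin cert chain rather than disabling verification.
    Tests inject a fake opener so nothing is contacted."""
    url = build_unquarantine_url(mnt_host, endpoint_ip)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",  # the call fails without a user
        "Accept": "application/xml",
    })
    open_fn = opener or urllib.request.urlopen
    try:
        with open_fn(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # e.g. 401: bad creds / ERS off
        return err.code, err.read()


def unquarantine_all(mnt_host: str, ips: Iterable[str], username: str,
                     password: str, opener=None) -> Dict[str, int]:
    """Unquarantine several endpoints; map each IP to its HTTP status so a
    partial failure is visible instead of silently ignored."""
    results: Dict[str, int] = {}
    for ip in ips:
        status, _ = unquarantine_by_ip(mnt_host, ip, username, password, opener)
        results[ip] = status
    return results
```

After a 200, confirm in Live Sessions that the ANC status has cleared and that a CoA was issued, since the HTTP status alone does not prove the session changed.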

vaguirre17
Level 1

Hello guys.

But is there any way to see which devices are in quarantine mode? I could unquarantine using the EPS Unquarantine button, but how could I know which other devices are currently quarantined? I need to track it.

Thanks
