Beginner

ISE EPS

Hi

I'm currently trying to set up RTC between FMC & ISE, which looks like it is failing on the ISE side.

To simplify things I'm trying to manually implement device quarantine using 'Session:EPSStatus equals Quarantine' as a condition under global exceptions which is linked to an authorization profile that will place the device into a VLAN - this doesn't work. However, if I use 'Session:ANC equals QUARANTINE' (QUARANTINE being a policy with an ANC action of QUARANTINE) it works as expected.

When I then test the RTC setup with either the EPS or ANC options (or even both with an OR statement) it doesn't work. On the FMC I can see the triggered event listed under 'Analysis > Correlation Events' and I can see the pxGrid connection under 'System > Syslog'.

On ISE under 'Administration > pxGrid Services > All Clients' I can see the 'iseagent' client online with 'ANC,EPS' listed under 'Client Group(s)'.

A few questions:

- I'm running ISE version 2.3 - is the 'EPSStatus' condition supported with 2.3?
- My understanding is that FMC - ISE RTC only supports EPS and not ANC - is this correct?
- If the answers to both of the above are yes - does anyone have an idea why the manual quarantine option using 'EPSStatus' may not be working?

Kind Regards

T

Accepted Solution

Cisco Employee

Re: ISE EPS

Hey Terry,

What version of Cisco Firepower are you using?

Do you have your pxGrid remediation instance configured on Firepower? Have you set up your quarantine-by-source-IP-address remediation policies, assigned them to your Firepower quarantine policies, and configured your Firepower quarantine rules?

Firepower will trigger an automated mitigation action via pxGrid, so you will want to have your Session:EPSStatus:Quarantine ISE authorization policy configured.

Both ISE authz Session:EPSStatus:Quarantine rules and ISE ANC policies (port-shut, port-bounce, quarantine) are Adaptive Network Control (ANC) mitigation actions. Session:EPSStatus:Quarantine is considered ANC 1.0; Firepower subscribes to the pxGrid EndpointProtection Service topic to perform this mitigation action. ISE ANC policies are considered ANC 2.0; pxGrid clients like Stealthwatch 7.0 subscribe to the pxGrid AdaptiveNetworkControl topic to perform these mitigation actions. Firepower, even though it also subscribes to the pxGrid AdaptiveNetworkControl topic, DOES NOT use ISE ANC policies; it still uses Session:EPSStatus:Quarantine policies.

Firepower 6.0 does not support ANC mitigations via pxGrid.

If you have additional questions, please email me directly.

Thanks,

John

jeppich@cisco.com
