Re: Advice on Various Ways to Block Endpoints

emf · ‎02-20-2024

Edit: Thanks for the guiding questions; I realized that I should have provided more context.

I am working at a cybersecurity company, and we want to integrate our product with Cisco ISE using the APIs so we can quarantine endpoints that we determine to be suspicious. Our company as of now doesn’t use Cisco ISE, but many of our customers do.

====================================================================

Original Post

New to ISE here and I currently have 3.2 (no patches applied yet). I was reading through some of these posts (https://community.cisco.com/t5/network-access-control/how-to-block-a-endpoint-pc-in-cisco-ise-system/td-p/2449185 and https://community.cisco.com/t5/network-access-control/ise-1-2-disable-endpoints-with-certain-mac-address/td-p/2520093), and still haven’t exactly figured out the best way to block an endpoint. Have things changed in the 3.2 release?

So far, I have explored several possibilities.

Directly updating the policy of the endpoint through editing an individual endpoint. (? ISE License)
Adding the endpoint to a static identity group that is blocked from accessing the network. (? ISE License)
2.1: Directly using the Blocked List endpoint group
Using ANC to quarantine/shutdown a device. (Advantage License)
Doing something with the blocked list portal. (? License)

Questions

Re option 1: directly updating the policy of an endpoint
- How does one create a policy that would block it from the network if it is possible? (Why doesn’t the authorization profiles from Work Centers > BYOD > Policy Elements > Results > Authorization Profiles show up in the policy options?)

Re option 2: blocking via identity groups
- How do you create a policy for that group?
- I went on Policy > Policy Elements > Results > Authorization > Authorization Profiles
  And I put access type to ACCESS_REJECT, and used advanced attribute settings to filter out the identity group. Hence, the attribute details became
  Access Type = ACCESS_REJECT
  IdentityGroup = my-blocked-list
  Is this correct? Does that block things properly?
- How do I filter by identity group when I create a policy set? I don’t see that as an option at all in Conditions Studio even after I added it to the Library conditions.
- In what cases is it advisable to create a custom endpoint group rather than directly use the Blocked List endpoint group (besides that I want to create some granularity between the various blocklists)?

Re option 3: ANC to quarantine/shutdown the device
- What would the main difference be between using ANC to quarantine/shutdown a device vs. putting the device on a blocked list?

Re option 4: Doing something with the blocked list portal.
- The Blocked List Portal says, “To authorize a portal for use, you must create an Authorization profile for it and then reference that profile in a rule in the Authorization policy.” Is there a step-by-step guide on how to do that if this is a good solution / relevant to blocking an endpoint?

What licenses are required for each of these possibilities? (Given that Group-Based Policy and Profiling require an advantage license, does creating custom identity groups require an advantage license)

Which of these options would be the easiest to do using the ERS API? Which one would be most difficult?

These are a lot of questions, and thanks so much for offering support!

Ken Stieers · ‎02-21-2024

Moved your post to Network Access Control, as its an ISE question, not a Cisco Secure Endpoint question.

ahollifield · ‎02-21-2024

Please apply the latest 3.2 patch. What exactly do you mean by "block"? Deny network access completely? Apply a dACL? Change the VLAN? Something else? During first authentication or after a successful authentication?

emf · ‎02-22-2024

Thanks for your response. I just applied 3.2 patch 5, and I am very much a newbie here.

What are the pros and cons of each of those methods? Don’t they roughly do the same thing? For instance, can’t we deny network access by applying a dACL with a deny policy or putting the device in a quarantine VLAN? What licenses do they require? Which ones are easiest with the Cisco API?

ahollifield · ‎02-22-2024

All of these require essentials. Why would you use the API? Why not use RADIUS policy? I would really suggest working with your Cisco Account SE or your preferred Cisco Partner to assist you with the ISE setup.

emf · ‎02-22-2024

I don't have a Cisco Account SE or a Cisco Partner. We want to use the API so we can block malicious devices immediately based on our own algorithms, we haven't been using ISE, and are currently using evaluation mode. What is the best way of getting my questions answered? Thanks!

ahollifield · ‎02-22-2024

Then how did you go about buying ISE?

Cisco Devnet has many fantastic examples and documentation of the ISE API: https://developer.cisco.com/learning/modules/ise-programmability/01-Intro-Cisco-ISE/introduction-to-cisco-ise/

emf · ‎03-04-2024

Thanks for the guiding questions; I realized that I should have provided more context.

I am working at a cybersecurity company, and we want to integrate our product with Cisco ISE using the APIs so we can quarantine endpoints that we determine to be suspicious. Our company as of now doesn’t use Cisco ISE, but many of our customers do.

Thanks for sharing the link to the API. I still have questions about the higher-level pros/cons as well as the differences between the various ways of blocking an endpoint (ex: complete block, dACL, VLAN, authentication, ANC quarantine, etc.) In addition, I’m not sure exactly how to block an endpoint on the GUI through some of the ways (ex: blocking via identity groups).

Ken Stieers · ‎03-04-2024

The right thing for us to do is get you in touch with the proper team at Cisco for inter-product connectivity.

I’ll send you a DM, and get you in touch with the right person.