Hi,
Cisco ISE 2.7 is integrated with AMP for Endpoints. I would like to block endpoints that are compromised. I can see compromised endpoints in ISE with the severity level as painful. Is there any way to block these endpoints in ISE?
Thanks,
Is there any way to do automatic quarantine rather than manual in Cisco ISE?
Thanks,
Yes. The feature is known as Threat-Centric NAC or TC-NAC. It requires Apex licensing but is otherwise relatively easy to set up. Please see the following section of the admin guide:
There are some other resources in the following as well:
https://www.youtube.com/watch?v=VhfAM7KXOl0
Thanks for your resources. It does not quarantine any compromised endpoint automatically. It needs to be done manually. Is there any way to do automatic quarantine with ISE policy?
If you combine Rapid Threat Containment (RTC) with Adaptive Network Control (ANC) it can automatically quarantine the endpoint in ISE upon receipt of an AMP event.
Here's an example: