04-02-2024 12:38 AM
Dear community,
I have integrated Cisco ISE and AMP with the intention of leveraging threat-centric data in authorization rules.
I can see threat-centric data and the compromised endpoint within ISE after executing a false exploit, like the status "Painful", etc., but I don't see any attributes to leverage this in an authorization policy.
I'm able to trigger manual ANC based on this event, which is okay, but I need an automated response, and I thought this would work.
My idea is (for example): an endpoint is being exploited and has Cisco AMP installed, Cisco AMP sends this threat-centric data to ISE, and ISE has an authorization policy that says "if threat level = painful & endpoint in Admin Lan", so the endpoint will be assigned to a quarantine VLAN or ANC will be triggered.
My problem is that I don't see attributes like the above, such as threat level = painful, or anything related to this AMP threat-centric data that I can utilize in authorization policies to isolate automatically.
05-13-2024 04:54 PM
This might also be a question for the Cisco TAC. I don't have AMP integration, and I think one needs that integration to populate the ISE RADIUS Dictionary. If ISE Policy Set Authorization conditions are based on what is contained in the Dictionary, have a look around in
Policy > Policy Elements > Dictionaries > System and explore any folders regarding ANC/AMP etc.
05-13-2024 07:13 PM
The following list of Dictionaries/Attributes was shared as a reference for the ISE Webinar on the ISE Threat Centric NAC Service. These are the only attributes that can be used within ISE policies. If you have not done so already, I would suggest reviewing that Webinar for more information on the capabilities.