How to block an endpoint PC in the Cisco ISE system?

musikman1988
Level 1

Hi All,

Our company deployed the Cisco ISE system to control PC clients' access to the LAN.

I have a question:

I know a MAC address and I want to deny this MAC address access to our company LAN.

What steps should I take to do it?

Thanks a lot!!

BR Frank

1 Accepted Solution

@haseeb.shaukat, please see ISE ERS API Examples:

You may always re-use the default Blacklist / Blocked List endpoint group in ISE.

You may need to update/change/create an Authorization Rule in ISE depending on your policy sets and authorization rules.

9 Replies

Saurav Lodh
Level 7

From ISE Identity Management, open Endpoints. If the endpoint is there (search for the endpoint using its MAC), select the endpoint and edit it. Opt for static group assignment and assign the endpoint to Blacklisted. Now, in the Authorization policy, create a rule like: if condition <Blacklisted> then permissions <Deny>.

Hi Salodh,

As before, I just found the MAC address and assigned it to the "BLACKLIST" group, but I didn't define a "BLACKLIST" policy; I think this is the reason for my failure.

Thanks a lot.

/Frank
I want to achieve this use case via REST APIs. Is there any suggestion?

@thomas Thanks for the suggestions. I have studied the APIs you referenced, but have some confusion:

1) Does an Endpoint Group with the name "BLACKLIST" exist by default in ISE? If not, is creating an endpoint group with the name "BLACKLIST" sufficient? I mean there is no option available to set an action for an endpoint group, e.g. action=deny/allow traffic, so is only naming a group "BLACKLIST" enough?

2) Can we remove an endpoint from the blacklist endpoint group? If yes, which APIs can I use?

3) Can I search endpoints by IP address via APIs and get their MAC addresses?

4) What kind of authorization rule is required to make it work?

> Does an Endpoint Group with the name "BLACKLIST" exist by default in ISE?

Yes, but I believe it was changed in ISE 3.0 to BLOCK LIST. You may create your own group to do the same thing.

> Can we remove an endpoint from the blacklist endpoint group? If yes, which APIs can I use?

Yes. Delete the endpoint or change its endpoint group. Which API resource you use depends on your approach.

> Can I search endpoints by IP address via APIs and get their MAC addresses?

Please see the Monitoring REST APIs for endpoint- and IP-based queries. You cannot do such a query for all known ISE endpoints today.

Session Counters
  https://ise/admin/API/mnt/Session/ActiveCount
  https://ise/admin/API/mnt/Session/PostureCount
  https://ise/admin/API/mnt/Session/ProfilerCount

Session Lists
  https://ise/admin/API/mnt/Session/ActiveList
  https://ise/admin/API/mnt/Session/AuthList/{options}

Session Attributes
  https://ise/admin/API/mnt/Session/MACAddress/{mac}
  https://ise/admin/API/mnt/Session/UserName/{username}
  https://ise/admin/API/mnt/Session/IPAddress/{nas-ip}
  https://ise/admin/API/mnt/Session/Active/SessionID/{audit-session-id}/0

Others
  https://ise/admin/API/mnt/Version
  https://ise/admin/API/mnt/FailureReasons
  https://ise/admin/API/mnt/AuthStatus/MACAddress/{mac}/{seconds}/{records}/All
  https://ise/admin/API/mnt/AcctStatusTT/MACAddress/{mac}/{seconds}
  https://ise/admin/API/mnt/CoA/Reauth/{psn}/{mac}/{reauthtype}/{nas-ip}/{dst-ip}
  https://ise/admin/API/mnt/CoA/Disconnect/{psn}/{mac}/{disconnecttype}/{nas-ip}/{dst-ip}

> What kind of authorization rule is required to make it work?

Have you looked at the ISE Default Policy Set and the Wireless Black List authorization rule in ISE? Like that, but you do not need to limit it to Wireless Access. See Static Endpoint Group(s) in the ISE Authentication and Authorization Policy Reference.

Default authorization rule, as shown in the ISE policy table (columns: Status, Rule Name, Conditions, Profiles, Security Groups, Hits, Actions):

  Rule Name:       Wireless Block List Default
  Conditions:      Wireless_Access AND IdentityGroup-Name EQUALS Endpoint Identity Groups:Blocklist
  Profiles:        Block_Wireless_Access
  Security Groups: Select from list
  Hits:            0
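Putting the ERS-based approach discussed above (the pointer to the ERS API examples, and haseeb.shaukat's questions 1 and 2) into code, as an added example that is not part of this thread and not Cisco's own tooling: the script looks up the endpoint identity group by name, finds the endpoint by MAC and statically assigns it to that group, creating the endpoint first if ISE has never seen it; `unblock_endpoint` releases the static assignment again. The ERS port (9060), the `/ers/config/endpoint` and `/ers/config/endpointgroup` resources, the `filter=<field>.EQ.<value>` query syntax, the `SearchResult` and `ERSEndPoint` JSON shapes and the group name `Blocklist` are assumptions about ERS to verify against your own node's ERS SDK page; the host, credentials, ids and responses in `demo_transport` are constructed. As the replies note, the group assignment alone blocks nothing: the authorization rule that denies the group is still required, and ERS must be enabled with an account holding the ERS admin role.

```python
"""Pin an endpoint to the ISE blocked-list group (or release it) via the ERS API.

Added example for this thread, not Cisco code. Resource paths, filter syntax
and JSON shapes are assumptions about ERS; check them on your node's ERS SDK page.
"""
import base64
import json
import re
import ssl
import urllib.request

ERS_PORT = 9060  # ERS listens here, separately from the admin GUI on 443


def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF (the form ISE stores); reject anything else."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def https_transport(method, url, headers, body):
    """Default transport: a real HTTPS call that verifies the node's certificate."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, resp.read().decode()


class IseErsClient:
    """Minimal ERS client; `transport` is injectable so the flow can run offline."""

    def __init__(self, host, username, password, transport=https_transport):
        self.base = f"https://{host}:{ERS_PORT}/ers/config"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",  # ERS uses HTTP basic auth
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self._send = transport

    def _call(self, method, path, payload=None):
        body = json.dumps(payload) if payload is not None else None
        status, text = self._send(method, self.base + path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"ERS {method} {path} failed: HTTP {status} {text[:200]}")
        return json.loads(text) if text else {}

    def _lookup_id(self, resource, field, value):
        """ERS filter query (assumed syntax ?filter=<field>.EQ.<value>) -> object id or None."""
        result = self._call("GET", f"/{resource}?filter={field}.EQ.{value}")
        hits = result.get("SearchResult", {}).get("resources", [])
        if len(hits) > 1:
            raise RuntimeError(f"ambiguous {resource} lookup for {value!r}")
        return hits[0]["id"] if hits else None

    def block_endpoint(self, mac, group_name="Blocklist"):
        """Statically assign the MAC to `group_name`, creating the endpoint if unknown.

        The assignment alone denies nothing: an authorization rule matching the
        group with a deny profile must exist, as the replies in the thread say.
        """
        mac = normalize_mac(mac)
        gid = self._lookup_id("endpointgroup", "name", group_name)
        if gid is None:
            raise LookupError(f"endpoint group {group_name!r} does not exist on this node")
        body = {"ERSEndPoint": {"mac": mac, "groupId": gid, "staticGroupAssignment": True}}
        eid = self._lookup_id("endpoint", "mac", mac)
        if eid is None:
            self._call("POST", "/endpoint", body)  # never-seen MAC: create it already pinned
            return "created"
        body["ERSEndPoint"]["id"] = eid
        self._call("PUT", f"/endpoint/{eid}", body)
        return "updated"

    def unblock_endpoint(self, mac):
        """Release the static assignment so the profiler may regroup the endpoint."""
        mac = normalize_mac(mac)
        eid = self._lookup_id("endpoint", "mac", mac)
        if eid is None:
            return "absent"
        self._call("PUT", f"/endpoint/{eid}",
                   {"ERSEndPoint": {"id": eid, "mac": mac, "staticGroupAssignment": False}})
        return "released"


def demo_transport(method, url, headers, body, log=None):
    """Constructed stand-in for an ISE node: one known group and one known endpoint."""
    if log is not None:
        log.append((method, url, body))
    if method == "GET" and "/endpointgroup?" in url:
        return 200, json.dumps({"SearchResult": {"total": 1, "resources": [
            {"id": "grp-blocklist", "name": "Blocklist"}]}})
    if method == "GET" and "/endpoint?" in url:
        known = "AA:BB:CC:DD:EE:FF" in url  # the only MAC this fake node has seen
        return 200, json.dumps({"SearchResult": {"total": int(known),
                                                 "resources": [{"id": "ep-1"}] if known else []}})
    return (201 if method == "POST" else 200), ""  # POST/PUT: success, empty body


if __name__ == "__main__":
    log = []
    client = IseErsClient("ise.example.internal", "ersadmin", "secret",  # constructed
                          transport=lambda m, u, h, b: demo_transport(m, u, h, b, log))
    print(client.block_endpoint("aabb.ccdd.eeff"))      # updated
    print(client.block_endpoint("11-22-33-44-55-66"))   # created
    print(client.unblock_endpoint("aa:bb:cc:dd:ee:ff")) # released
    for entry in log:
        print(*entry)
```

Run as-is, it exercises the whole flow against the constructed transport and prints every request it would have sent; drop the `transport` argument and give a real host and ERS-admin credentials to talk to an actual node (the admin node needs a certificate your trust store accepts, since `https_transport` verifies it). Lookups that return more than one match are treated as an error rather than acting on the first hit.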

This is a very similar issue we have... an Android device lost with user AD credentials in it attempting every minute to authenticate and causing the AD user account to be locked out. I added the MAC address to a deny rule at the top of the authentication policy... but the issue still occurred.... and I was able to confirm this in Operations -> Live Logs when filtering on the MAC address.... so I opened a TAC case and this is what they told me:
"ISE is not able to block by MAC address without affecting the user because the device is using user authentication as its method, so when it tries to log in and fails (because of the policy to deny that MAC address) it then blocks the user too, affecting the customer's real user. From ISE there is no way to block a MAC address before starting the process of authenticating; that's why the customer needs to get the MAC address blocked from the network access device (WLC).
Since the issue is that the endpoint has user authentication set as its authentication method, and we don't have access to that endpoint, we won't be able to block the MAC address without affecting the user."

Is this legit??

ZacGomez
Level 1

Profile the device as blacklisted:

1.2: Administration -> Identity Management -> Endpoints -> (search MAC) -> In network search, Blacklisted

2.x: Administration -> Identity Management -> Groups -> Endpoint Identity Groups -> Blacklisted -> Edit -> Add

Link: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_010101.html

Regards

jakub.kacer
Level 1

Hi,

check out the following tool, which uses the ISE API for MAC address management:

https://www.xtendise.com/

Jakub