05-10-2023 04:18 AM
Hello, everyone,
I am using Cisco ISE 2.7 in my infrastructure to control access to the network, and I have policies set up for MAB and 802.1X authentication. I want to enable the ability to block access to the network for PCs deemed suspicious. The easiest way for me to do this would be to add these MACs to a "Blocked" group. I have created a MAB and 802.1X policy for the Blocked group and added the dACL "deny ip any any" to the profile for this group. Moving the MAC address of a PC to the "Blocked" group in ISE does not change the dACL on the switch port to which the PC in the "Blocked" group is connected. The change of the dACL for the profile "Blocked" (dACL: deny ip any any) for a port only takes place after either restarting the switch port or disconnecting and reconnecting the network cable of the PC.
Is there a mechanism in ISE that allows me to automatically block the PC? I mean that if I move the MAC address of a PC from one group to the "Blocked" group, this PC is disconnected from the LAN.
05-10-2023 04:26 AM - edited 05-10-2023 04:32 AM
@DariuszD send a Change of Authorisation (CoA) from ISE to the endpoint; this will force the endpoint to be re-authorised and the dACL applied (assuming it matches the new Authorisation rule). You can do this from ISE Live Sessions: select the endpoint and choose the action "session reauthentication".
05-10-2023 04:32 AM
Thank you very much Rob for your reply. Could you give me an example or source where I could find information on how to send CoA from ISE to Endpoint? Should I put this in the policy, profiles?
05-10-2023 04:34 AM
@DariuszD sorry I edited the initial response whilst you sent your reply. The screenshot would hopefully illustrate how to reauth the session.
05-10-2023 04:57 AM
Thank you very much for your answer. Is there any other way to force a CoA change on the switches without the need for an additional "session reauthentication" action? Is it at all possible that the MAC self-addressing to the "Blocked" group automatically blocks access to the LAN? I mean to automate this process as much as possible without the need for additional actions. I am considering the "Reauthentication" option in the Authorisation profile with a timer set to e.g. 5 seconds; however, I do not know if this is a good way of reasoning.
05-10-2023 05:22 AM - edited 05-10-2023 05:23 AM
@DariuszD it would be a bad idea to reauthenticate a session every 5 seconds; this would increase the load on ISE significantly and is not recommended.
You could perhaps rely on the profiler service to issue the CoA automatically if an existing endpoint already authenticated to the network is now statically assigned to a different profile.
Depending on your ISE license, you may wish to look at Adaptive Network Control (ANC) which is a quarantine feature, example.
05-10-2023 07:08 AM
Thank you for your reply. As I understand it, pxGrid needs to be activated to activate ANC? I have an ISE with a Base license, so as I understand it, it is not possible to run ANC, unfortunately.
05-10-2023 07:16 AM
@DariuszD no, you don't need pxGrid for ANC integration to a switch (only FMC/SMC), but you'd need a Premier license in addition to the Base license.