02-01-2019 11:24 AM
How do you unquarantine an endpoint once FMC has instructed ISE to quarantine it? Manually entering the MAC address under 'Operations->Adaptive Network Control -> Endpoints -> EPS Unquarantine' doesn't do anything...it's also confusing because the endpoint list under Adaptive Network Control is empty:
Solved! Go to Solution.
02-12-2019 07:53 AM
Hey Daniel,
You would need to select EPS Unquarantine, enter the MAC address you want to unquarantine and then submit.
FMC uses Session:EPStatus:Quarantine in the ISE auth global exception policy. This is Adaptive Network Control (ANC) 1.0. FMC subscribes to the pxGrid EndpointProtectionService Topic using pxGrid 1.0.
FMC does not use true ANC 2.0 policies that include ISE ANC policies: quarantine, port-shut, port-bounce
You can also create an unquarantine Policy from FMC to unquarantine directly from FMC (this was from Cisco Firesight, only use the policy section): https://community.cisco.com/t5/security-documents/how-to-rapid-threat-containment-rtc-with-cisco-firesight-and-ise/ta-p/3627044
You can also unquarantine from the API from your browser: https://{ipaddressofmnt}/API/eps/UnQuarantineByIP/{ipaddress}
If you have any questions, please email me directly.
Thanks,
John
jeppich@cisco.com
02-01-2019 01:03 PM
02-04-2019 07:56 AM
02-04-2019 08:14 AM
Go to Context Visibility and revoke ANC policy:
02-04-2019 08:52 AM
02-04-2019 09:02 AM
Which option is greyed out? The ANC or Revoke function? If you have a Plus license (which I assume you do since you are using RTC) it should be available to you.
02-06-2019 01:17 PM - edited 02-06-2019 01:19 PM
Sorry mis-spoke - the option isn't greyed out, but I get an error stating that "No policy applied to specified mac".
02-11-2019 11:31 AM
02-11-2019 12:51 PM
02-11-2019 01:36 PM
No warning or error given - I get a message saying
"Server Response
<MAC> has been saved successfully"
But when I check the log no CoA was issued - and the live session still shows my endpoint having Quarantine ANC status:
If I force a CoA from here I still see the same ANC status, and match the same Quarantine Auth Rule:
This is in a lab environment, and there is no firewall between my ISE and WLC. Also, CoA works; it's just matching the same AuthZ policy because the ANC/EPS status doesn't change.
Let me know if there is any other configuration you would like to see.
-Thanks
02-11-2019 02:22 PM
02-12-2019 06:25 AM
It is a Wireless LAN Controller - screenshots below
Debug output after selecting 'EPS Unquarantine' in ISE - no output on the WLC
Debug output after selecting 'Session Reauthentication' from 'CoA Actions' in ISE
CoA is clearly working between ISE and my NAD - it's just that ISE isn't doing anything after selecting EPS Unquarantine.
02-12-2019 12:04 PM
06-19-2019 03:30 PM
Hello guys.
But is there any way to see which devices are in quarantine mode? I could unquarantine using the EPS Unquarantine button, but how could I know which other devices are currently quarantined? I need to track it.
Thanks
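The accepted answer above gives the EPS (ANC 1.0) call as a URL to type into a browser, and the last question asks how to track which endpoints are currently quarantined. The script below is an added example written for this thread, not Cisco code and not something posted by anyone in the thread. It assumes: a basic-auth admin account with MnT/ERS API rights; the `https://{ipaddressofmnt}/API/eps/<Action>/<target>` path quoted in the answer (older ISE API Reference Guides document the same calls under `/ise/eps/`, so the base path is a parameter); that the EPS family also has `IsQuarantinedByMAC`/`IsQuarantinedByIP` alongside the Quarantine/UnQuarantine calls, which is how a per-endpoint status check is done since this API has no "list all quarantined" call (verify both against the API guide for your release); and that ISE wants MACs as upper-case colon-separated strings. The XML response embedded in the block is constructed, not captured from a real MnT node, which is why the parser is schema-agnostic.

```python
"""Helpers for the ISE MnT EPS (ANC 1.0) REST calls discussed in the thread.

Added example, not Cisco's code. Assumptions are marked below; check the
EPS section of the ISE API Reference Guide for your release before use.
"""
import base64
import getpass
import ipaddress
import re
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# The QuarantineBy*/UnQuarantineBy* names are on the page; the IsQuarantinedBy*
# names are an assumption taken from the same API family (verify for your release).
ACTIONS = {
    "QuarantineByIP", "UnQuarantineByIP", "IsQuarantinedByIP",
    "QuarantineByMAC", "UnQuarantineByMAC", "IsQuarantinedByMAC",
}
_MAC_HEX = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 001122aabbcc, 00-11-22-aa-bb-cc, 0011.22aa.bbcc, ... and return the
    upper-case colon form ISE displays (assumption: that is what the API expects)."""
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _MAC_HEX.match(hexonly):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


def eps_url(mnt_host: str, action: str, target: str, base_path: str = "/API/eps") -> str:
    """Build the call URL against the MnT node (not the PAN), validating the
    target so a typo cannot become an unintended quarantine of another host."""
    if action not in ACTIONS:
        raise ValueError(f"unknown EPS action {action!r}")
    if action.endswith("IP"):
        target = str(ipaddress.ip_address(target))   # raises ValueError on garbage
    else:
        target = normalize_mac(target)
    return f"https://{mnt_host}{base_path.rstrip('/')}/{action}/{target}"


def parse_eps_result(body: bytes) -> dict:
    """Flatten the XML reply into {tag: text} with namespaces stripped, so the
    caller can read status/error fields whatever the exact element names are."""
    root = ET.fromstring(body)
    out = {}
    for el in root.iter():
        tag = el.tag.split("}", 1)[-1]          # drop '{namespace}' prefix
        if len(el) == 0 and el.text and el.text.strip():
            out[tag] = el.text.strip()
    return out


# Constructed sample reply for offline use; real element names may differ.
SAMPLE_RESPONSE = (b'<?xml version="1.0" encoding="UTF-8"?>'
                   b'<EPS_RESULT xmlns="http://example.invalid/eps">'
                   b'<status>success</status><errorCode>0</errorCode></EPS_RESULT>')


def eps_call(mnt_host, user, password, action, target, cafile, base_path="/API/eps", timeout=15):
    """Perform one EPS call. cafile is the CA that issued the MnT node's HTTPS
    certificate; verification is kept on rather than disabled."""
    url = eps_url(mnt_host, action, target, base_path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/xml"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_eps_result(resp.read())


def quarantine_status(mnt_host, user, password, macs, cafile, base_path="/API/eps"):
    """There is no 'list quarantined endpoints' call in this API family
    (assumption), so feed it candidate MACs (e.g. from a live-session export)
    and it returns {normalized_mac: parsed reply} for each one."""
    return {normalize_mac(m): eps_call(mnt_host, user, password, "IsQuarantinedByMAC",
                                       m, cafile, base_path) for m in macs}


if __name__ == "__main__":
    # usage: python eps.py <mnt-host> <admin-user> <ca.pem> <Action> <ip-or-mac>
    host, user, cafile, action, target = sys.argv[1:6]
    print(eps_call(host, user, getpass.getpass(), action, target, cafile))
```

Run it once with `IsQuarantinedByMAC` before and after the `UnQuarantineByMAC` call; if the reply does not change, the session is still tagged by the EPS attribute and the CoA will keep landing in the same Quarantine authorization rule, which is exactly the symptom described in this thread.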