11-22-2022 06:45 AM
Hello dear community,
once again I have a small cosmetic problem and can't find a solution. But maybe it is simply not feasible.
In our environment, several administrators are responsible for one site each. In our old NAC solution, we had an email alert that notified colleagues via email when a new, unknown device was connected. The colleagues then received information such as switch IP + port and the MAC address of the device in the email. Either they connected the device themselves, in which case they added it to an identity group, or they checked what it was and then unlocked it.
In the ISE, unfortunately, this alert no longer exists. Here you can only periodically send an email that only reports the number of devices in specified Authorization Profiles. This would be fine; the colleagues have to filter the devices, but if the device is not unlocked within an hour, ISE sends another email. Over the weekend you have up to 60 emails if the information is sent every 60 minutes.
How did you solve this? Unfortunately, the colleagues cannot watch the console 24x7. Actually, these messages should also run into the ticket system, but that would then generate a lot of tickets. Unfortunately, I can't find a switch that only reports newly added systems.
Is there a more elegant way to solve this?
Many greetings,
Stefan
12-19-2022 01:09 PM
Hello Stefan,
It's been a while since you wrote this question. There is no immediately obvious or easy solution to your question - and perhaps the solution could be solved in a non-obvious way.
I am curious about what feature in ISE you are using to get those emails - is it Alarms/Reports?
When a new endpoint is connected that needs "fixing up", does your Policy Set Reject them, or does it Accept them with an ACL? I was wondering if you could spot the problem Endpoints via the Authentication Summary Report.
I think the only other approach that comes to mind is to use an external script using REST API calls to ISE to periodically check the Endpoint database for endpoints that are not in any of the expected Endpoint Identity Groups (assuming of course that a "good/healthy" endpoint is always statically assigned to an Identity Group).
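One way to build the external script suggested above, as an added example that is not part of the thread or of any Cisco tooling: it pulls the endpoint list over the ISE ERS API, keeps only endpoints that are not statically assigned to one of the expected Endpoint Identity Groups, and remembers what it has already reported so that each endpoint produces exactly one notification instead of one per hour. The ERS paths and JSON field names (`SearchResult`, `ERSEndPoint.mac`, `groupId`, `staticGroupAssignment`), the group IDs and the sample records are assumptions/constructed, not values from the thread.

```python
# Added example (not from the thread): report each endpoint outside the expected
# Endpoint Identity Groups once, so a scheduled run only mails about new devices.
# ERS URL paths and field names are assumed from the ISE ERS API; sample data is constructed.
import json
from pathlib import Path

EXPECTED_GROUPS = {"grp-printers", "grp-workstations"}  # assumed group IDs (hypothetical)


def fetch_endpoints(base_url, auth, verify=True):
    """Page through GET /ers/config/endpoint and return ERSEndPoint dicts (assumed ERS layout)."""
    import requests  # only needed for the live call against ISE
    headers = {"Accept": "application/json"}
    url = f"{base_url}/ers/config/endpoint?size=100"
    out = []
    while url:
        r = requests.get(url, auth=auth, headers=headers, verify=verify, timeout=30)
        r.raise_for_status()
        res = r.json()["SearchResult"]
        for item in res["resources"]:  # list only has id/name/link; fetch each detail record
            d = requests.get(item["link"]["href"], auth=auth, headers=headers, verify=verify, timeout=30)
            d.raise_for_status()
            out.append(d.json()["ERSEndPoint"])
        url = res.get("nextPage", {}).get("href")  # None on the last page
    return out


def new_unassigned(endpoints, expected_groups, seen_macs):
    """MACs not statically assigned to an expected group and not reported before, sorted."""
    found = []
    for ep in endpoints:
        mac = ep["mac"].upper()  # normalise case so the same device is not reported twice
        in_expected = bool(ep.get("staticGroupAssignment")) and ep.get("groupId") in expected_groups
        if not in_expected and mac not in seen_macs:
            found.append(mac)
    return sorted(found)


def run_once(endpoints, state_file):
    """One scheduled run: load reported MACs, compute the new ones, persist, return them."""
    path = Path(state_file)
    seen = set(json.loads(path.read_text())) if path.exists() else set()
    new = new_unassigned(endpoints, EXPECTED_GROUPS, seen)
    path.write_text(json.dumps(sorted(seen | set(new))))
    return new  # hand this list to the mail/ticket step; an empty list means send nothing


# Constructed sample of what fetch_endpoints() would return
SAMPLE = [
    {"mac": "AA:BB:CC:00:00:01", "groupId": "grp-printers", "staticGroupAssignment": True},
    {"mac": "aa:bb:cc:00:00:02", "groupId": "", "staticGroupAssignment": False},
    {"mac": "AA:BB:CC:00:00:03", "groupId": "grp-workstations", "staticGroupAssignment": False},
]
```

Because the state file only grows, an endpoint that an administrator later moves into an expected group is simply never reported again; clear the file if you want a full re-audit.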
12-20-2022 05:24 PM
This sounds like something you should suggest the PMs evaluate; you can submit the feature request here: https://cs.co/ise-wish.