
ISE 3.1 Alarm Settings for dedicated Authorization Profiles

Hello dear community,
once again I have a small cosmetic problem and can't find a solution. But maybe it is simply not feasible.
In our environment, several administrators are responsible for one site each. In our old NAC solution, we had an email alert that notified colleagues via email when a new, unknown device was connected. The colleagues then received information such as switch IP + port and the MAC address of the device in the email. Either they connected the device themselves, in which case they added it to an identity group, or they checked what it was and then unlocked it.
In the ISE, unfortunately, this alert no longer exists. Here you can only periodically send an email that only reports the number of devices in specified Authorization Profiles. This would be fine, the colleagues have to filter the devices, but if the device is not unlocked within an hour, ISE sends another email. Over the weekend you have up to 60 emails if the information is sent every 60 minutes.
How did you solve this? Unfortunately, the colleagues cannot look at the console 24x7. Actually, these messages should also run into the ticket system, but that would then generate a lot of tickets. Unfortunately, I can't find a switch that only reports newly added systems.
Is there a more elegant way to solve this?
Many greetings,
Stefan

 


Arne Bier
VIP

Hello Stefan,

It's been a while since you wrote this question. There is no immediately obvious or easy solution to your question - and perhaps the solution could be solved in a non-obvious way. 

I am curious about what feature in ISE you are using to get those emails - is it Alarms/Reports? 

When a new endpoint is connected that needs "fixing up", does your Policy Set Reject them, or does it Accept them with an ACL?  I was wondering if you could spot the problem Endpoints via the Authentication Summary Report.

I think the only other approach that comes to mind is to use an external script using a REST API call to ISE to periodically check the Endpoint database for endpoints that are not in any of the expected Endpoint Identity Groups (assuming of course that a "good/healthy" endpoint is always statically assigned to an Identity Group).
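
An added example, not part of the reply above and not Cisco code: the de-duplication step such an external script would need so that each unknown endpoint is reported once instead of every hour. The record fields (`mac`, `groupId`), the group IDs and the state file are assumptions, and fetching the endpoint list from ISE is left to the caller.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample data; group IDs and record fields are assumptions.
EXPECTED_GROUPS = {"grp-printers", "grp-workstations"}
POLL = [
    {"mac": "aa:bb:cc:00:00:01", "groupId": "grp-printers"},
    {"mac": "aa:bb:cc:00:00:02", "groupId": "grp-unknown"},
    {"mac": "AA-BB-CC-00-00-03", "groupId": None},
]

def normalize_mac(mac):
    """Canonical form so 'aa-bb-..' and 'AA:BB:..' compare equal."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def new_unknown_endpoints(endpoints, expected_groups, state_file):
    """Return unknown endpoints that no earlier poll has reported."""
    state_file = Path(state_file)
    reported = set()
    if state_file.exists():
        reported = set(json.loads(state_file.read_text()))
    unknown = {normalize_mac(e["mac"]): e for e in endpoints
               if e.get("groupId") not in expected_groups}
    fresh = [e for mac, e in unknown.items() if mac not in reported]
    # Store only MACs that are still unknown: once a device is assigned to
    # an expected group it leaves the state, so it is reported again if it
    # ever falls back out of the expected groups.
    state_file.write_text(json.dumps(sorted(unknown)))
    return fresh

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        state = Path(tmp) / "reported.json"
        for run in (1, 2):
            fresh = new_unknown_endpoints(POLL, EXPECTED_GROUPS, state)
            print(f"poll {run}: {[normalize_mac(e['mac']) for e in fresh]}")
```

Only the list returned by each poll would go to email or the ticket system, so an endpoint left unresolved over a weekend produces one notification.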

Damien Miller
VIP Alumni

This sounds like something you should suggest the PMs evaluate. You can submit the feature request here: https://cs.co/ise-wish
