ISE and Stealthwatch integration

mparthan
Cisco Employee

ISE version 2.2

Stealthwatch version 6.9

Endpoint is quarantined and hits the right policy on the ISE. Endpoint status on ISE now shows quarantine.

Endpoint is then unquarantined using Stealthwatch.

On the ISE, EP still remains with status Quarantine. We can see in the reports that ISE receives the unquarantine action from SW, but no COA happens.

On the ISE you have to manually click the Unquarantine button for the EP to be unquarantined or delete the EP and have the endpoint authenticate again.

Is this expected? I read from some discussions that ISE will not do the unquarantine automatically, does that still hold true?

Any information is appreciated.

1 Accepted Solution


Jason Kunst
Cisco Employee

This seems like a bug to me. From what I understand you can call the quarantine and unquarantine action from Stealthwatch without issues. Added SME jeppich to keep me honest.


Hey Malavika,

As Jason noted in his email, the endpoint should have been unquarantined in ISE as well.

Are you sending any failure messages in ISE?

Let me know your availability for next week and I will set up a Webex.

Thanks,

John

jeppich@cisco.com