03-08-2018 01:51 PM
We are looking to identify any new devices that get plugged into the network, and receive notification of the event. Is this in the capabilities of ISE?
I would think that possibly creating a new Profile, and finding an attribute that is common on all of our company devices, but not on random devices would work, but can we get an email alert from this?
03-08-2018 02:46 PM
I sit next to our product manager on this and we were discussing this same network management functionality.
No, it's not possible natively in ISE.
Please reach out to Kevin Gagnon through sales channels.
You might be able to script something up using the API if needed.
03-08-2018 03:07 PM
Wow, seems like with all of the integration between ISE and Stealthwatch, someone seriously dropped the ball. I mean, that's what us customers really want to know: who's plugging unauthorized devices into our networks, who's knocking at the doors on the WiFi LAN.
I will reach out to Kevin, if I can find him; may start with TAC to get this as an official feature.
03-08-2018 03:30 PM
With Stealthwatch you might be able to do that; you would need to ask them.
ISE shares the context with Stealthwatch to enhance their dashboard with the who, what, when, where, how and rapid threat containment.
03-08-2018 06:11 PM
Chavell, people have asked us before for alerts on new devices coming onto the network. We certainly want to accommodate but it honestly just has not bubbled to the top of the list as yet. However, we are concerned that it might be a bit hard on administrators because too many alerts make it noise. In the meantime, what we see people doing is authorizing with a default policy. Jason can speak to that a bit better than I.
03-09-2018 06:51 AM
Yes, through integration with other systems, this is possible. ISE learns about every new endpoint that connects to the network--Yes--but often that is not interesting from an alarm or email perspective due to the vast number of events which then become administrative noise (to Kevin G's point).
It is possible to track unique endpoints, say based on unique attributes, based on matching policy, and then generate a consolidated report for all endpoints hitting that policy.
To truly receive alarm or email, then possible to send syslog of auth events (or pxGrid) to external logger or SIEM and create rules based on the results. For example, every time endpoint connects based on matching profile classification X, or custom attribute Y, send alert via email. Just make sure you have a large Inbox!
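The syslog-plus-rule approach described in the post above, as an added example that is not part of the original thread or Cisco's own code. It assumes ISE forwards passed-authentication events to an external logger as comma-separated key=value attributes including `Calling-Station-ID` and `EndPointMatchedProfile`; the sample lines, inventory set and addresses are constructed, and the function names are hypothetical.

```python
import re
from email.message import EmailMessage

# Constructed, simplified sample lines (not captured from a real deployment).
SAMPLE_LOG = """\
Mar  9 06:51:02 ise-psn1 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=jdoe, NAS-IP-Address=192.0.2.10, NAS-Port-Id=GigabitEthernet1/0/5, Calling-Station-ID=00-11-22-33-44-55, EndPointMatchedProfile=Corp-Workstation
Mar  9 06:52:10 ise-psn1 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=AA-BB-CC-00-00-01, NAS-IP-Address=192.0.2.10, NAS-Port-Id=GigabitEthernet1/0/7, Calling-Station-ID=AA-BB-CC-00-00-01, EndPointMatchedProfile=Unknown
Mar  9 06:55:40 ise-psn1 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=aa:bb:cc:00:00:01, NAS-IP-Address=192.0.2.10, NAS-Port-Id=GigabitEthernet1/0/7, Calling-Station-ID=aa:bb:cc:00:00:01, EndPointMatchedProfile=Unknown
Mar  9 06:58:03 ise-psn1 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=lab, NAS-IP-Address=192.0.2.11, NAS-Port-Id=GigabitEthernet1/0/2, Calling-Station-ID=AA-BB-CC-00-00-02, EndPointMatchedProfile=Unknown
Mar  9 06:59:00 ise-psn1 logger restarted
"""

ATTR_RE = re.compile(r"([\w-]+)=([^,]*)")

def parse_attrs(line):
    """Return the key=value attributes of one syslog line as a dict."""
    return {k: v.strip() for k, v in ATTR_RE.findall(line)}

def norm_mac(mac):
    """Reduce any MAC notation to 12 upper-case hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()

def find_new_endpoints(lines, known_macs, watched_profiles):
    """One event per MAC that is not in inventory and matched a watched profile."""
    seen, events = set(known_macs), []
    for line in lines:
        attrs = parse_attrs(line)
        mac = norm_mac(attrs.get("Calling-Station-ID", ""))
        if len(mac) != 12 or mac in seen:
            continue  # not an auth event, already in inventory, or already alerted
        profile = attrs.get("EndPointMatchedProfile")
        if profile not in watched_profiles:
            continue  # only profiles of concern raise an alert (noise control)
        seen.add(mac)
        events.append({"mac": mac, "profile": profile,
                       "nas": attrs.get("NAS-IP-Address", "?"),
                       "port": attrs.get("NAS-Port-Id", "?")})
    return events

def build_alert(events, sender, recipient):
    """Consolidate all events into one message instead of one mail per event."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{len(events)} new endpoint(s) matched a watched profile"
    msg.set_content("\n".join(
        f"{e['mac']} on {e['nas']} port {e['port']} ({e['profile']})" for e in events))
    return msg

if __name__ == "__main__":
    found = find_new_endpoints(SAMPLE_LOG.splitlines(), {"AABBCC000002"}, {"Unknown"})
    print(build_alert(found, "ise-alerts@example.com", "noc@example.com"))
```

The returned message can be handed to `smtplib.SMTP.send_message`; batching events into one digest per interval keeps the inbox volume down.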
03-09-2018 09:38 AM
Thanks for the feedback, and we are exploring the avenues like QRadar, and would also like more information regarding pxGrid or SIEM, so that we can determine the best solution. We already have QRadar in house, and may be licensed for pxGrid or SIEM. I don't know much about them, but would like to explore so that I am sure we are providing the best solution that gives us the flexibility to merge with emerging technologies.
Regarding noise, yes, we are looking at attributes, so that we only get notifications concerning devices that are of concern.
It will take some testing to find the sweet spot, for this feature.
03-09-2018 09:51 AM
Info on various ecosystem partner located here: Technical Alliance Partners - Cisco
Most security info/event management systems and loggers have ability to trigger alarm/email on matching specific log criteria. We don't provide details on configuration for 3rd-party products, but sure QRadar is capable as is Kiwi and others. pxGrid is just an option for sending key config/session data from PAN or MnT. Syslog is more generic in data sent by PSNs but you can select which data sent in the ISE logging configuration to external loggers.