ISE new device detection

Chevy
Level 1

We are looking to identify any new devices that get plugged into the network, and receive notification of the event. Is this in the capabilities of ISE?

I would think that possibly creating a new Profile, and finding an attribute that is common on all of our company devices, but not on random devices, would work, but can we get an email alert from this?

Accepted Solutions

Info on various ecosystem partner located here: Technical Alliance Partners - Cisco

Most security info/event management systems and loggers have ability to trigger alarm/email on matching specific log criteria.  We don't provide details on configuration for 3rd-party products, but sure QRadar is capable as is Kiwi and others.  pxGrid is just an option for sending key config/session data from PAN or MnT.  Syslog is more generic in data sent by PSNs but you can select which data sent in the ISE logging configuration to external loggers.


7 Replies

Jason Kunst
Cisco Employee

I sit next to our product manager on this and we were discussing this same network management functionality.

No, it's not possible natively in ISE.

Please reach out to Kevin Gagnon through sales channels.

You might be able to script something up using the API if needed.

Wow, seems like with all of the integration between ISE and Stealthwatch, someone seriously dropped the ball. I mean, that's what us customers really want to know: who's plugging unauthorized devices into our networks... who's knocking at the doors on the WiFi LAN.

I will reach out to Kevin, if I can find him; may start with TAC to get this as an official feature.

With Stealthwatch you might be able to do that; you would need to ask them.

ISE shares the context with Stealthwatch to enhance their dashboard with the who, what, when, where, how, and rapid threat containment.

Chavell, people have asked us before for alerts on new devices coming onto the network. We certainly want to accommodate but it honestly just has not bubbled to the top of the list as yet. However, we are concerned that it might be a bit hard on administrators because too many alerts make it noisy. In the meantime, what we see people doing is authorizing with a default policy. Jason can speak to that a bit better than I.

Yes, through integration with other systems, this is possible.  ISE learns about every new endpoint that connects to the network--Yes--but often that is not interesting from an alarm or email perspective due to the vast number of events which then become administrative noise (to Kevin G's point).

It is possible to track unique endpoints, say based on unique attributes, based on matching policy, and then generate a consolidated report for all endpoints hitting that policy.

To truly receive alarm or email, it is then possible to send syslog of auth events (or pxGrid) to an external logger or SIEM and create rules based on the results.  For example, every time an endpoint connects based on matching profile classification X, or custom attribute Y, send alert via email.  Just make sure you have a large Inbox!
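The SIEM-side rule described in the reply above, sketched as an added example (not part of the thread and not Cisco code): it parses forwarded authentication events, alerts once per unknown MAC, and consolidates the batch into a single email. The key=value layout, the attribute names, the profile name and the inventory are assumptions and constructed sample data.

```python
import re
from email.message import EmailMessage

# Constructed sample events. The key=value layout and the attribute names
# (Calling-Station-ID, EndPointMatchedProfile, NAS-IP-Address) are assumptions
# about what the ISE logging target forwards; adjust them to your own feed.
SAMPLE_LOG = [
    "5200 NOTICE Passed-Authentication: Authentication succeeded, NAS-IP-Address=10.0.0.2, Calling-Station-ID=AA-BB-CC-00-00-01, EndPointMatchedProfile=Corp-Workstation",
    "5200 NOTICE Passed-Authentication: Authentication succeeded, NAS-IP-Address=10.0.0.2, Calling-Station-ID=de:ad:be:ef:00:02, EndPointMatchedProfile=Unknown",
    "5200 NOTICE Passed-Authentication: Authentication succeeded, NAS-IP-Address=10.0.0.3, Calling-Station-ID=DEAD.BEEF.0002, EndPointMatchedProfile=Unknown",
    "5200 NOTICE Passed-Authentication: Authentication succeeded, NAS-IP-Address=10.0.0.3, Calling-Station-ID=00-11-22-33-44-55",
    "5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=svc-vpn",
]
KNOWN_MACS = {"AABBCC000001"}            # constructed asset inventory
TRUSTED_PROFILES = {"Corp-Workstation"}  # hypothetical profile name
PAIR = re.compile(r"([A-Za-z][\w-]*)=([^,]+)")

def normalize_mac(raw):
    """Return 12 upper-case hex digits, or None if raw is not a MAC."""
    digits = re.sub(r"[-:.]", "", raw.strip()).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def parse_event(line):
    """Extract the fields the rule needs; None if the event has no usable MAC."""
    fields = {k: v.strip() for k, v in PAIR.findall(line)}
    mac = normalize_mac(fields.get("Calling-Station-ID", ""))
    if mac is None:
        return None
    return {"mac": mac, "profile": fields.get("EndPointMatchedProfile", "Unknown"),
            "nas": fields.get("NAS-IP-Address", "?")}

def find_new_devices(lines, known_macs, trusted_profiles):
    """One alert per MAC that is neither inventoried nor in a trusted profile."""
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["mac"] in known_macs or ev["profile"] in trusted_profiles:
            continue
        alerts.setdefault(ev["mac"], ev)  # repeat authentications do not re-alert
    return list(alerts.values())

def build_digest(alerts, sender, recipient):
    """Consolidate all alerts into one message instead of one mail per event."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{len(alerts)} new endpoint(s) seen by ISE"
    msg.set_content("\n".join(f"{a['mac']} profile={a['profile']} nas={a['nas']}" for a in alerts))
    return msg
```

Normalizing the MAC before de-duplication matters because the same endpoint can be reported in different notations by different network devices.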

Thanks for the feedback. We are exploring avenues like QRadar, and would also like more information regarding pxGrid or SIEM, so that we can determine the best solution. We already have QRadar in house, and may be licensed for pxGrid or SIEM. I don't know much about them, but would like to explore so that I am sure we are providing the best solution that gives us the flexibility to merge with emerging technologies.

Regarding noise, yes, we are looking at attributes, so that we only get notifications concerning devices that are of concern.

It will take some testing to find the sweet spot for this feature.
