Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
627
Views
0
Helpful
2
Replies

ISE with Splunk pxGrid Unquarantine Framed IP

Go to solution
scamarda
Cisco Employee
Cisco Employee

‎08-11-2016 09:49 AM

In the "Splunk & pxGrid Adaptive Network Control (ANC) Mitigation Workflow Actions" document, there is only an unquarantine workflow action for an IP address.  In my testing, I am using 802.1x (Machine Auth) and was able to Quarantine by FramedIP.  But I am not able to unquarantine because the "unQuarantine by IP address" event action does not recognize the Framed IP.  Is there a method to unQuarantine based upon Framed IP?  Or do I need to write a transform on Splunk to create a new data field called IP Address to match the included unQuarantine by IP address method?

Endpoint known as  Framed-IP-Address=1.2.3.100

XML Parsing Error: no element found

Location: https://10.100.100.100/admin/API/eps/unQuarantineByIP/1.2.3.100

Line Number 1, Column 1:

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jeppich
Cisco Employee
Cisco Employee

‎08-11-2016 10:40 AM

Hi,

You will need duplicate the Unquarantine by IP Address workflow action. Then selected the duplicated workflow action and replace the $IPAddress$ variable under "label" with $Framed_IP_Address$.  Also you will want to replace the $IPAddress$ with $Framed_IP_Address$ under "Apply only to the following fields".  Replace $IPAddress$ with $Framed_IP_Addess$ under "URI".   Also as Hsing-Tsu suggested "UnQuarantineByIP" is case-sensitive under "URI"

If you still have issues, please email me.

Thanks,

John

jeppich@cisco.com

View solution in original post

0 Helpful
2 Replies 2

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-11-2016 10:02 AM

https: //(ISE MnT ipaddress)/admin/API/eps/UnQuarantineByIP/{endpoint IP}

Try Capitalizing UnQuarantineByIP or reach out to John.

0 Helpful

Go to solution
jeppich
Cisco Employee
Cisco Employee

‎08-11-2016 10:40 AM

Hi,

You will need duplicate the Unquarantine by IP Address workflow action. Then selected the duplicated workflow action and replace the $IPAddress$ variable under "label" with $Framed_IP_Address$.  Also you will want to replace the $IPAddress$ with $Framed_IP_Address$ under "Apply only to the following fields".  Replace $IPAddress$ with $Framed_IP_Addess$ under "URI".   Also as Hsing-Tsu suggested "UnQuarantineByIP" is case-sensitive under "URI"

If you still have issues, please email me.

Thanks,

John

jeppich@cisco.com

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents