970 Views · 6 Helpful · 7 Replies

Notification when a new endpoint is first seen in ISE

pascaleob
Level 1

Hi there,

I'm trying to find a way to create an email notification, whenever a new endpoint is first recognized.
Blocking access for unauthorized devices is fine and dandy, but we'd also like to actually receive an alert, the instant something is plugged in, that shouldn't be there. Especially in a network that doesn't get new devices added very often. The idea being that this could indicate unauthorized physical access.

From older forum posts, I saw that this was requested before, but I couldn't really find any further information whether it's an option now, or any real solution.

The "FirstCollection" value from the Get All Endpoints csv, that can be generated through "application configure ise", gave me the idea that I could possibly simply run those values against the current date/time, to see if anything has been added recently, but since this value doesn't seem to be accessible through the API and we'd like to be close to real time with this kind of device monitoring, the idea of generating that csv through the ISE's cli every 2 minutes, copying it to a log server and then running the comparison there seems really icky.

Is there a better way to do this?

Thanks!

Accepted Solution

thomas
Cisco Employee

This is not something ISE does. However it does have several mechanisms to help you achieve this.

Data Connect: Query the ISE MNT database directly using an ODBC client with the endpoints_data table and the create_time field. My iseql.py script can show you this using the endpoints_first_auth.sql query, and you may adjust the time interval to suit your query frequency:


❱ iseql.py "$(cat data/SQL/endpoints_first_auth.sql)" -f table
mac_address        rand    created              endpoint_ip    endpoint_policy          cf    ver
-----------------  ------  -------------------  -------------  ---------------------  ----  -----
9A:66:6C:99:64:8E  ✔       2024-12-19 22:22:40                 Randomized-MAC            4      1
9C:8E:CD:29:B6:5A          2024-12-19 22:10:05                 Unknown                   0      1
02:EF:5D:7D:7D:E3  ✔       2024-12-19 22:05:00                 Randomized-MAC            4      1
B0:A7:B9:0B:7D:3A          2024-12-19 19:22:46  10.1.23.14     Windows10-Workstation    40      1


For our webinars featuring Data Connect, see
▷ How to Get Data Out of ISE 2024-04-02
▷ Next Generation ISE Telemetry, Monitoring, and Custom Reporting Part 2 2023-03-02

Syslog: every ISE PSN may send logs to a SIEM. Create filter/event/action rules there to detect new endpoints.

pxGrid: this is a real-time subscription notification mechanism for every new session used by ISE security integration partners. Create your own pxGrid Client to get instantly notified and do your own filter/event/action functions for your needs.

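Worked example of the Data Connect and syslog approaches from the accepted answer. This is added illustration code, not from the original post, from Cisco, or from the iseql.py script it mentions. It assumes the ODBC connection (for instance pyodbc) is opened by the caller and handed in as a fetch callable; the page names only the endpoints_data table and the mac_address and create_time columns, so the endpoint_policy column is an assumption taken from the iseql.py output headers above, and the syslog lines are constructed, not captured from a PSN. It also shows the caveat a practitioner would want: polling with `create_time > now - 2 minutes` every 2 minutes skips endpoints whenever a poll runs late and double-alerts whenever windows overlap, so the query is keyed on a high-water mark instead, and a single tracker dedupes across the DB and syslog paths.

```python
# Added example, not from the original post or Cisco's iseql.py. Assumptions:
# an ODBC fetch callable supplied by the caller; the endpoint_policy column name
# (only endpoints_data, mac_address and create_time are named on the page);
# constructed syslog lines in the general shape of ISE CISE_* messages.
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Iterable, List, Optional, Set, Tuple

Row = Tuple[str, datetime, str]  # (mac_address, create_time, endpoint_policy)

# Keyed on a high-water mark instead of "create_time > now - 2 minutes": if a poll
# runs late (host load, ISE maintenance) a wall-clock window silently skips endpoints
# created in the gap, and overlapping windows alert twice. ORDER BY lets the mark
# advance monotonically.
FIRST_SEEN_SQL = (
    "SELECT mac_address, create_time, endpoint_policy "
    "FROM endpoints_data WHERE create_time > ? ORDER BY create_time"
)

# ISE message code 5200 = passed authentication, 5400 = failed attempt. A device that
# is blocked only ever produces 5400s, so both count as "seen".
MSG_CODE = re.compile(r"\s(5200|5400)\s")
CALLING_STATION = re.compile(r"Calling-Station-ID=([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")
TIMESTAMP = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def normalize_mac(mac: str) -> str:
    """Syslog and the DB may differ in case and separator; compare one canonical form."""
    return mac.upper().replace("-", ":")


@dataclass
class FirstSeenTracker:
    """Remembers MACs already alerted on; shared by the DB poller and the syslog path."""
    known: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def observe(self, mac: str, when: datetime, detail: str, source: str) -> bool:
        mac = normalize_mac(mac)
        if mac in self.known:
            return False
        self.known.add(mac)
        # In production this append is where the e-mail or webhook send goes.
        self.alerts.append(f"{when:%Y-%m-%d %H:%M:%S} NEW endpoint {mac} ({detail}) via {source}")
        return True


@dataclass
class DataConnectPoller:
    fetch: Callable[[str, datetime], Iterable[Row]]  # executes sql with one bind value
    tracker: FirstSeenTracker
    high_water: datetime  # create_time of the newest endpoint already processed

    def poll(self) -> List[str]:
        """One polling cycle; returns the MACs alerted on in this cycle."""
        new = []
        for mac, created, policy in self.fetch(FIRST_SEEN_SQL, self.high_water):
            if self.tracker.observe(mac, created, policy, "data-connect"):
                new.append(normalize_mac(mac))
            if created > self.high_water:
                self.high_water = created
        return new


def observe_syslog(tracker: FirstSeenTracker, line: str) -> Optional[str]:
    """Feed one ISE authentication syslog line; returns the MAC if first seen here."""
    code = MSG_CODE.search(line)
    mac = CALLING_STATION.search(line)
    stamp = TIMESTAMP.search(line)
    if not (code and mac and stamp):
        return None  # accounting, system or malformed lines carry no first-seen signal
    when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
    norm = normalize_mac(mac.group(1))
    return norm if tracker.observe(norm, when, f"auth msg {code.group(1)}", "syslog") else None


def sample_rows(sql: str, since: datetime) -> List[Row]:
    """Constructed stand-in for an ODBC cursor; rows mirror the iseql.py output above."""
    rows = [
        ("B0:A7:B9:0B:7D:3A", datetime(2024, 12, 19, 19, 22, 46), "Windows10-Workstation"),
        ("02:EF:5D:7D:7D:E3", datetime(2024, 12, 19, 22, 5, 0), "Randomized-MAC"),
        ("9C:8E:CD:29:B6:5A", datetime(2024, 12, 19, 22, 10, 5), "Unknown"),
        ("9A:66:6C:99:64:8E", datetime(2024, 12, 19, 22, 22, 40), "Randomized-MAC"),
    ]
    return [r for r in rows if r[1] > since]


# Constructed syslog lines (not real captures) in the general shape of ISE messages.
SAMPLE_SYSLOG = [
    "<181>Dec 19 22:22:41 ise01 CISE_Passed_Authentications 0000000123 1 0 2024-12-19 22:22:41.000 "
    "+00:00 0000000456 5200 NOTICE Passed-Authentication: Authentication succeeded, "
    "Calling-Station-ID=9a-66-6c-99-64-8e, Device IP Address=10.1.0.2,",
    "<181>Dec 19 22:23:10 ise01 CISE_Failed_Attempts 0000000124 1 0 2024-12-19 22:23:10.000 "
    "+00:00 0000000457 5400 NOTICE Failed-Attempt: Authentication failed, "
    "Calling-Station-ID=DE:AD:BE:EF:00:01, Device IP Address=10.1.0.2,",
    "<181>Dec 19 22:23:11 ise01 CISE_RADIUS_Accounting 0000000125 1 0 2024-12-19 22:23:11.000 "
    "+00:00 0000000458 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, "
    "Calling-Station-ID=DE:AD:BE:EF:00:02,",
]


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Two polling cycles, then the syslog path; returns what each step alerted on."""
    tracker = FirstSeenTracker()
    poller = DataConnectPoller(sample_rows, tracker, datetime(2024, 12, 19, 22, 0, 0))
    first = poller.poll()   # the three endpoints created after the initial mark
    second = poller.poll()  # nothing: the mark has moved to 22:22:40
    via_syslog = [m for m in (observe_syslog(tracker, ln) for ln in SAMPLE_SYSLOG) if m]
    return first, second, via_syslog, tracker.alerts
```

Against a live MNT node the fetch callable is just the cursor, e.g. `lambda sql, since: cur.execute(sql, since).fetchall()` on a pyodbc cursor opened with the Data Connect DSN, and the poller runs on whatever interval the answer suggests tuning. Persist `high_water` (and, if you want restart-safe dedupe, the `known` set) to disk between runs; otherwise a restart re-alerts on everything since the hard-coded starting mark. The syslog path is the low-latency complement: the same MAC arriving over both paths is reported once, which is what the shared tracker is for.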

7 Replies

ammahend
VIP Alumni

Don't think there is such a feature, however you can always do a report for a specific authorization policy, and schedule the report at the end of the day. Most likely the new endpoints will hit a specific policy redirect or default. This way you get a summary report of those endpoints.

-hope this helps-

Sadly a report at the end of the day is far from the semi-real-time notification we're looking for.

Hi @pascaleob 

the ElapsedDays attribute (number of days since the object was created) might be a good starting point.


The Get All Endpoints generates a CSV file with a Full Report of your Endpoints, including the ElapsedDays attribute:

ise/admin# application configure ise

Selection configuration option
...
[16]Get all Endpoints
...


Automating this procedure may be what you are looking for ... I hope it gives you some direction !!!  : )


Note: a couple of years ago I created the following IdeaISE: possibility to add InactiveDays and ElapseDays as Columns of the Context Visibility , to have a better visualization of these two important attributes ... still waiting for this Enhancement !!!


As mentioned in my post, I've already been using this exact csv and ElapsedDays is far too imprecise, which is why I've been working with "FirstCollection" as a base, instead.

To achieve what I'm aiming for here, I would have to basically generate a fresh csv every few minutes, which I could do through an automated script, but it really isn't a pretty solution.

@pascaleob totally agreed !!!

that's one of the reasons that a couple of years ago I created the ISE: possibility to add InactiveDays and ElapseDays as Columns of the Context Visibility idea.

 Giving visibility to ElapsedDays would be the 1st step towards what you are looking for.


Awesome!

I think Data Connect and your script might be the ideal solution here. A DB request for basically create_time > (current time - 2 minutes) sent every 2 minutes also won't create a lot of load.

Thank you VERY much!