07-24-2018 04:55 AM - edited 07-24-2018 05:09 AM
Hi;
I have this simple topology:
Conditions:
ISE authorization rule:
Correlation policy on FTD:
The remediation config is simple as below:
just for reference, the pxGrid config on FTD is just like this:
The problem is, a wired client with a static IP address is successfully authenticated by the native Windows dot1x supplicant with domain credentials, but it matches the ISE rule that I mentioned above and gets quarantined. I don't know why it matches that rule on FTD! This is the portion of the ISE RADIUS live logs that shows this match:
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - user02@xinmix.local
24402 User authentication against Active Directory succeeded - xinmix
22037 Authentication Passed
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - EndPoints.LogicalProfile
15048 Queried PIP - Session.EPSStatus
15016 Selected Authorization Profile - TQuarantine
11022 Added the dACL specified in the Authorization Profile
Even though FTD should mark only malware as quarantined and inform ISE through pxGrid to block only clients downloading malware, it seems that FTD marks "all of the packets" as quarantined, so ISE sees those packets' status as "EPSStatus includes Quarantine" and then blocks them. Any idea?
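The live-log step list above is the evidence that decides the case: authentication passed (22037), ISE then queried the Session.EPSStatus attribute (15048) while evaluating authorization, and the selected profile (15016) was the quarantine profile. As an added example that is not part of the original thread, the Python below parses such a step list (either one step per line or run together on a single line, as live-log exports often are) and flags that pattern so a defender can spot a stale ANC/EPS quarantine before blaming FTD or pxGrid. The sample steps are copied from the post; the second sample and the assumption that a quarantine profile can be recognised by the word "quarantine" in its name are my own constructions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample 1: the ISE RADIUS live-log steps quoted in the thread (one step per line here).
SAMPLE_STEPS_TEXT = """24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - user02@xinmix.local
24402 User authentication against Active Directory succeeded - xinmix
22037 Authentication Passed
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - EndPoints.LogicalProfile
15048 Queried PIP - Session.EPSStatus
15016 Selected Authorization Profile - TQuarantine
11022 Added the dACL specified in the Authorization Profile"""

# Sample 2 (constructed): the same session, but a non-quarantine profile was selected.
SAMPLE_PERMIT_TEXT = SAMPLE_STEPS_TEXT.replace(
    "Selected Authorization Profile - TQuarantine",
    "Selected Authorization Profile - PermitAccess",
)

# Every ISE live-log step starts with a 5-digit step code.
STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")

# Assumption: a quarantine-style authorization profile has "quarantine" in its name.
QUARANTINE_PROFILE_HINTS = ("quarantine",)


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Split a step list into (step_code, message) pairs.

    Exports sometimes run all steps onto one line, so the text is first
    flattened and then split in front of every 5-digit step code.
    """
    flat = " ".join(text.split())
    parts = re.split(r"\s(?=\d{5}\s)", flat)
    steps: List[Tuple[str, str]] = []
    for part in parts:
        match = STEP_RE.match(part.strip())
        if match:
            steps.append((match.group(1), match.group(2)))
    return steps


def selected_profile(steps: List[Tuple[str, str]]) -> Optional[str]:
    """Return the authorization profile named in step 15016, if any."""
    for code, msg in steps:
        if code == "15016" and " - " in msg:
            return msg.split(" - ", 1)[1].strip()
    return None


def analyze(steps: List[Tuple[str, str]]) -> Dict[str, object]:
    """Flag the stale-quarantine signature: auth passed, EPSStatus was consulted
    during authorization, and a quarantine profile was selected anyway."""
    auth_passed = any(code == "22037" for code, _ in steps)
    eps_queried = any(code == "15048" and "Session.EPSStatus" in msg for code, msg in steps)
    profile = selected_profile(steps)
    quarantined = profile is not None and any(h in profile.lower() for h in QUARANTINE_PROFILE_HINTS)
    return {
        "auth_passed": auth_passed,
        "eps_status_queried": eps_queried,
        "authz_profile": profile,
        "stale_quarantine_suspected": auth_passed and eps_queried and quarantined,
    }


if __name__ == "__main__":
    for label, text in (("thread sample", SAMPLE_STEPS_TEXT), ("permit sample", SAMPLE_PERMIT_TEXT)):
        result = analyze(parse_steps(text))
        print(label, result)
        if result["stale_quarantine_suspected"]:
            print("  -> check Operations > Adaptive Network Control > Endpoint Assignment for this MAC")
```

When the flag is raised the authorization decision was driven by the session's EPSStatus attribute rather than by anything FTD did in that session, which is exactly the situation the accepted answer resolves by clearing the endpoint's quarantine assignment.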
07-28-2018 01:42 PM
Possibly the endpoint was previously quarantined?
We may click on the "EPS unquarantine" button at [ Operations > Adaptive Network Control > Endpoint Assignment ] and then input the MAC address to clean it up. If this does not help, please open a TAC case.
07-25-2018 12:59 AM
I think I missed some configuration on ISE. Otherwise, why does a normal dot1x client trigger the correlation policy on FTD and get blocked by ISE? Any idea?
07-27-2018 03:37 AM - edited 07-27-2018 04:44 AM
Update: I reviewed the correlation and remediation event logs on FTD, but interestingly there are no logs there at all! This shows that no correlation/remediation took place on FTD. So if this is true, why does ISE match packets with the "Session: EPSStatus equals Quarantine" condition?!
For a test, I deleted the Response of the correlation rule on FTD, so there should be no active correlation rule on FTD. But again, the dot1x client matched the same Quarantine rule on ISE. I think this behavior has nothing to do with FTD and pxGrid. ISE matches every packet against the "Session: EPSStatus equals Quarantine" condition. But why?!
08-03-2018 01:13 AM
It worked after I put the machine's MAC address in the EPS unquarantine field. Thank you.