cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2389
Views
5
Helpful
4
Replies

pxGrid between ISE and FTD and remediation policy

ciscoworlds
Level 4
Level 4

Hi;

I have this simple topology:

test.png

 

Conditions:

  1. I configured Realm and downloaded user & groups on FMC.
  2. I configured pxGrid between FTD and ISE and they are up and running.
  3. I configured a correlation policy on FTD so if any malware is detected, it sends quarantine response to ISE.
  4. I have a authorization rule on ISE which is above all other rules and matches with packets marked as Quarantine by FTD.

 

ISE authorization rule:

ise05.jpg

 

Correlation policy on FTD:

ftd6.jpg

 

The remediation config is simple as below:

ftd7.jpg

 

just for reference, the pxGrid config on FTD is just like this:

ftd8.jpg

 

The problem is, a wired client with static IP address is successfully authenticated by native windows dot1x with domain credentials but it matches the ISE rule that I've mentioned above and get quarantined. I don't know why it matches that rule on FTD! This is the portion of the ISE RADIUS live logs which shows this match:

 

 

24323	Identity resolution detected single matching account
 	24343	RPC Logon request succeeded - user02@xinmix.local
 	24402	User authentication against Active Directory succeeded - xinmix
 	22037	Authentication Passed
 	11814	Inner EAP-MSCHAP authentication succeeded
 	11519	Prepared EAP-Success for inner EAP method
 	12314	PEAP inner method finished successfully
 	24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory
 	15036	Evaluating Authorization Policy
 	15048	Queried PIP - Radius.NAS-Port-Type
 	15048	Queried PIP - EndPoints.LogicalProfile
 	15048	Queried PIP - Session.EPSStatus
 	15016	Selected Authorization Profile - TQuarantine
 	11022	Added the dACL specified in the Authorization Profile

 

Despite that FTD should mark only malwares as quarantine and inform ISE to block only clients downloading malware through pxGrid, It seems that FTD marks "all of the packets" as quarantine, so the ISE sees those packets' status "ESPStatus include Quarantine" and then blocks them. any Idea?

1 Accepted Solution

Accepted Solutions

Possibly the endpoint was previously quarantined?

We may click on the "EPS unquarantine" button at [ Operations > Adaptive Network Control > Endpoint Assignment ] and then input the MAC address to clean it up. If this does not help, please open a TAC case.

View solution in original post

4 Replies 4

ciscoworlds
Level 4
Level 4

I think I missed some configuration on ISE. Otherwise, why a normal dot1x client triggers correlation policy on FTD and get blocked by ISE? Any idea?

ciscoworlds
Level 4
Level 4

Update: I reviewed correlation and remediation event logs on FTD but interestingly, there is no any log there! It shows that no any correlation/remediation took place on FTD. So if this was true, why ISE matches packets with the "Session: EPSStatus equals Quarantine" condition?! 

For test, I deleted the Response of the correlation rule on FTD, so there should be no any active correlation rule on FTD. But again, the dot1x client matched the same Quarantine rule on ISE. I think this behavior doesn't have anything to do with FTD and pxGrid. ISE matches every packet with "Session: EPSStatus equals Quarantine" condition. But why?!

Possibly the endpoint was previously quarantined?

We may click on the "EPS unquarantine" button at [ Operations > Adaptive Network Control > Endpoint Assignment ] and then input the MAC address to clean it up. If this does not help, please open a TAC case.

It worked after I put the machine's MAC address in EPS unquarantine field. Thanks you.