Thanks Mike. Your resolution is related to MNT API which doesn't work for my requirements(quarantine/un-quarantine endpoints). 

If you only have one ISE node, there should not be an issue with pulling session information like there might be with a separate MnT node.

Does ISE show the correct IP address in the Live Logs and Context Visibility for the specific MAC address?

Are you using the latest patch for 2.7? What does the payload of your API call look like?

I tested the following JSON payload in my lab with the 'ancendpoint/apply' call in ISE 3.0 p4 and it worked as expected. The API doco for this call in 2.7 is the same as 3.0, so a similar payload should work.

{
  "OperationAdditionalData" : {
    "additionalData" : [ {
      "name" : "ipAddress",
      "value" : "192.168.140.107"
    },
{
      "name" : "policyName",
      "value" : "ANC-Quarantine"
    }]
  }
}

Hi Greg,

The version of my ISE is v2.7 patch 5 which should be the latest patch for V2.7.

The payload I requested is like this:

I can see MAC and IP address of endpoints in Context Visibility. These endpoints and Cisco ISE itself have already been in the same AD. 

But if we come to Live Logs and Live Sessions of Radius, there are nothing inside.

I'm not sure if the empty raises the error of "Session lookup failure". I am totally a fresh man for Cisco ISE. Could you tell me how can I successfully to execute REST API to quarantine endpoint like 172.16.69.201 in the next step?

Thanks so much

If you're not seeing any RADIUS live logs/sessions, this is a bigger problem than the API. I would suggest reviewing the ISE Secure Wired Access Prescriptive Deployment Guide to compare it to your setup and ensure you have all the necessary RADIUS configuration applied to your switch.

Once ISE and the switch are correctly tracking the RADIUS sessions, the ANC Quarantine configuration is pretty simple.

You create an ANC Policy (in my case, called ANC-Quarantine) with the QUARANTINE action...

... create an AuthZ Profile that applies the controls you want (dACL, dVLAN, etc), and create an AuthZ policy or Global Exception rule that uses the Session·ANCPolicy EQUALS <policy name> matching condition and applies your AuthZ Profile.

Thanks Greg. I'll review this guide. First of all, I want to ask 2 basic questions:

1. is it possible to have Radius session just between endpoints(let's say one Windows 10 endpoint) and ISE, especially when both of endpoints and ISE are VMs? Because our team is still investigating Cisco ISE. We don't want to make the investigation process too complicated, like introduce other network components into the network topology. 

2. is it possible to un-quarantine endpoints by REST API in Cisco ISE? I looked up some documents on-line. Many of the documents mentioned ISE has no longer supported un-quarantine operation. Could you help me to check this point?

Hi @zhaoz,

In response to your question:

1. I'm not sure I understand the question, but it sounds like you might be asking if it's possible to initiate a RADIUS directly between a Win10 VM and an ISE VM without a network device like a switch between them. That is not a standard feature of a client native supplicant. The supplicant talks 802.1x between the client and authenticator (e.g. switch) and the authenticator speaks RADIUS to the authentication server (ISE). There are some test software applications out there that can initiate a RADIUS request directly, but that is not the same as a true client. In my lab setup, I use the following:
   • Win10 VM, connected to a separate vSwitch
   • vSwitch using an isolated NIC for uplink
   • Isolated NIC connected to my Cisco switch access port, configured for NAC
2. Yes, the API call for 'ancendpoint/clear' will remove the endpoint from the ANC Policy. This will remove the attribute for 'Session·ANCPolicy EQUALS <policy name>' and clear the session. The client will reauthenticate (it used to issue a CoA but, in ISE 3.0, I can see the endpoint session disappear from ISE and the switch for a few seconds and then a new session is created) and be authorised based on the non-ANC policy results.

thanks @Greg Gibbs . You have inspired me so much. I went over the deployment guide you posted. Right now there is one session in Live Sessions. Woohoo! But, the most confused thing is: IP Address is empty. Could you help me to figure out what I missed? 

Is the endpoint getting an IP address? If not, you may need to ensure you have an 'ip helper' address configured on the VLAN interface to forward to your DHCP server.

If you're getting an IP on the endpoint, but ISE is not receiving the IP info from the switch you should look into your Device Sensor and IP Device Tracking configuration on the switch. Both are covered in that guide. If you're using an older switch and/or software, you might need to use different configs for those features. It would help to know what switch hardware/software you're using.

IP Device Tracking is responsible for capturing the IP address of the endpoint in the switch and mapping it to the MAC address, and Device Sensor is responsible for communicating that information to ISE via RADIUS accounting.

You can check what the switch knows using the following commands:

show ip device tracking interface <int>
!
show device-sensor cache interface <int>

sorry, I forgot to mention one thing: the switch is from other vendor (Fortinet) rather than Cisco. Cause I have no authority to download the iso file of E8000v.

Moreover, the endpoint is getting an IP address. 

Device Sensor and IP Device Tracking are introduced in the guide. But they are the features only developed by Cisco. Are there some ways to have IP address of endpoint across non Cisco switch(like Fortinet switch)?

yep, fair enough. Thank you so much Greg.

hi Greg,

I referenced your suggestions and got a big progress on the topic. right now IP address shows up there!

However, the AVPs of Disconnect Request sent from ISE didn't included the attributes I defined in Network Device Profiles.  FortiSwitch is the 3rd party device which requires "User-Name" attribute included in CoA/Disconnect Request. This snapshot is the packets dumped from the built-in tcpdump tool of ISE: Diagnostic Tools > TCP Dump, I didn't find User-Name in AVPs of Disconnect Request. 

But actually I created a new Network Device Profile named "FTNTWired" which includes User-Name attribute in Disconnect.

And applied this profile on Device Profile when configuring Network Devices.

I also created a new authorization profile named "ftnt_quarantine_profile" and applied the device profile in the box of "Network Device Profile" as well. furthermore I added Framed-IP-Address to Advanced Attributes Settings like below.

In Authorization Policy, I set condition to ftnt_quarantine which means ANC policy is quarantine, and applied ftnt_quarantine_profile on Results Profiles. when I sent one IP addr with ANC policy by REST API, I can see Hits was incremented by 1 like below.  

To my understanding, "Hits" means the authorization policy is matched, right? But just like the packets showed above, neither User-Name nor Framed-IP-Address show up in AVP of Disconnect Request. Did I miss something?