Rapid Threat Containment with ISE and FMC not working correctly

AFAWZY
Level 1

I was trying to implement RTC, but it didn't work correctly for me. I'm running ISE 3.2 and FMC 7.0.4.

I should post screenshots of the configuration, but I won't be able to access the client network. So, these are the configured steps:

From FMC side:

  1. I have configured an ACP rule that allows ICMP traffic from a specific host IP to the ISE IP, and a correlation rule that matches a "connection event occurs" sourced from an initiator IP.
  2. I configured a "pxGrid ANC policy assignment" remediation instance, with "mitigate source" as the remediation type and the "shutdown" ANC policy configured at ISE as the ANC policy.
  3. I configured a correlation policy, associated the configured correlation rule with it, and associated the remediation instance with the correlation rule.

From ISE side:

  1. I configured an ANC policy with "shutdown" as the action.
  2. I configured an authorization policy exception with the condition "session:ANCpolicy EQUALS the ANC policy configured on ISE", which passes a DACL to the interface allowing all traffic with "Permit Access".

From Switch side:

1- I configured the required configuration for dot1x and CoA.

2- I did not configure ip device tracking.

But from a test perspective:

  1. I successfully configured the pxGrid integration between them, and the FMC could successfully retrieve the ISE attributes.
  2. I checked the connection and correlation events from the FMC side, and they match the created rules correctly.
  3. ISE couldn't get the MAC address of the test endpoint (initiator IP) automatically to assign it to the configured ISE ANC policy.
  4. Even if I assigned the MAC address to the ISE ANC policy, only the configured DACL was pushed to the interface, but the shutdown action was not done.


So, I need to understand the following:

  1. Why could ISE not get the MAC address automatically?
  2. Why could the shutdown action not be done even if I added the MAC address manually to the ANC policy at ISE?
  3. Is it a must to configure passive authentication for the FMC ACP rule to make RTC work correctly?
  4. Is there a missing configuration from the switch side?
  5. Are the used versions compatible from a pxGrid perspective?

"2- I did not configure ip device tracking." DACLs will not work without this enabled on the switch.

  1. Is it a must to configure passive authentication for the FMC ACP rule to make RTC work correctly?
    1. No
  2. Is there a missing configuration from the switch side?
    1. Yes, you need ip device tracking for dACLs to work
  3. Are the used versions compatible from a pxGrid perspective?
    1. Yes
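The switch-side pieces this reply points at (RADIUS/dot1x, the CoA listener ISE needs for ANC actions such as port shutdown, and IP device tracking so the switch learns the endpoint IP that a dACL and the session's IP mapping depend on), as an added IOS configuration sketch that is not from the thread; the ISE address, shared key and access interface are placeholder assumptions:

```cisco
! Added example (not from the thread). Assumed values: ISE PSN 192.0.2.10,
! shared key RADIUS-KEY-PLACEHOLDER, endpoint on GigabitEthernet1/0/5.
aaa new-model
aaa authentication dot1x default group radius
! Network authorization is what lets the switch accept a downloaded dACL.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-KEY-PLACEHOLDER
!
! CoA listener: ISE pushes reauth, port-bounce and port-shutdown
! (ANC) actions through this; without it ANC changes never reach the port.
aaa server radius dynamic-author
 client 192.0.2.10 server-key RADIUS-KEY-PLACEHOLDER
 auth-type any
!
! IP device tracking (classic IOS syntax). The switch must learn the
! endpoint's IP for the dACL to apply and for the session to carry IP+MAC.
! On IOS-XE 16.x+ this is "device-tracking policy <NAME>" globally plus
! "device-tracking attach-policy <NAME>" on the access interface instead.
ip device tracking
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Verification from the operator CLI (not configuration):
!   show authentication sessions interface GigabitEthernet1/0/5 details
!   show ip device tracking all
!   debug radius   <- look for CoA-Request / CoA-ACK when ISE applies the ANC policy
```

If `show authentication sessions ... details` shows the session with a MAC but no IP address, device tracking is the first thing to check before looking at ISE or FMC.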


Thank you ahollifield for your reply.

The DACL worked fine, but as I noticed in the RTC Cisco videos, ISE should retrieve the MAC address of the endpoint automatically.

But this is what I noticed from my test:


  • ISE couldn't get the MAC address of the test endpoint (initiator IP) automatically to assign it to the configured ISE ANC policy.
  • Even if I assigned the MAC address to the ISE ANC policy, only the configured DACL was pushed to the interface (and it worked fine), but the shutdown action was not done.


So,


  • Why could ISE not get the MAC address automatically?
  • Why could the shutdown action not be done even if I added the MAC address manually to the ANC policy at ISE?


hslai
Cisco Employee

@AFAWZY Please check the ISE active sessions view and ensure ISE is getting both the IP address and the MAC address of the client endpoint. Also, you should see ISE initiate a CoA action to the switch after ISE assigns the endpoint's IP address an ANC policy with the shutdown action; this CoA should have the option to shut down the switch interface, and the switch should respond with success for the CoA action. If any of these is not happening, please engage Cisco TAC to troubleshoot.

AFAWZY
Level 1

@hslai I checked the active sessions previously, and ISE got the IP address and the MAC address of the client endpoint.

Regarding the point that you referenced: "you should see ISE initiate a CoA action to the switch after ISE assigns the endpoint's IP address an ANC policy with the shutdown action", ISE couldn't assign the endpoint's IP address an ANC policy with the shutdown action. (This is my primary issue.)


And how can I set the CoA action to be shutdown from the ISE side? I only see (reauth - portbounce - no CoA) in the profiling settings.

How can I see ISE initiate a CoA action?