View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0223 - ISE 2.0 Adaptive Network Control (ANC) (Part 1)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0223 - Video Download $11.00
Purchase SEC0223 - Video Download $11.00
The video looks at Adaptive Network Control (ANC) feature on Cisco ISE 2.0 and how it can be used to quarantine endpoint devices similarly to its legacy feature called Endpoint Protection Service (EPS). This lab exercise includes creating and testing ANC policies with various type of actions. At the end, we will demonstrate the use of SGT with ANC to leverage SGACL to limit quarantined device network access.
Part 1 of this video covers ANC policies creation and testing
  • Adaptive Network Control (ANC)
  • ANC Policy
    • Quarantine
    • Remediate
    • Shutdown
    • Port Bounce
    • Provisioning
  • Security Group Tag (SGT) with ANC
  • Endpoint Protection Services (EPS)

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


1) When i'm trying to activate ANC, it asks me to activate pxGrid first.
I see that just enabling it under Administration/Deplyment isn't enough, so do i have to fully configure pxGrid (Integrate with AD) in order to activate ANC ?

2) Also i want to know, if there is any way to somehow match traffic from specific VLAN (Like for Wireless, where you match incoming traffic only from specific SSID by using "called-station-ID" radius attribute)

I tried this options to match traffic from VLAN 21 (Under Conditions) but its not working as expected:

Tunnel-Private-Group-ID = 1:21
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6

My Goal is to do something like that:
Push Redirect-ACL and redirect traffic to Guest Portal, only if traffic is coming from Guest VLAN.

1) We do not recall having to enable pxGrid as a prerequisite to ANC. You should be able to create ANC policy and use them under Authorization policy.

2) You can look at the detail of authentication request ISE receive from the switch and see which RADIUS attributes are sent to ISE. We do not recall VLAN ID being one of them. If it is not there, you might not be able to do what to want. Any reason why you can't have all interfaces start in Guest VLAN and have ISE return redirect ACL for MAB, and production VLAN for .1x etc.

I'm really stuck in here.

When I'm trying to configure ANC policies under Operations/ANC/Policy List, I'm getting error:
"Enable pxGrid before performing ANC operations"

pxGrid is enabled under Administration/System/Deployment but when i checked it from CLI (show application status ise), it gives me this result:

pxGrid Infrastructure Service initializing
pxGrid Publisher Subscriber Service initializing
pxGrid Connection Manager initializing
pxGrid Controller initializing

Under Administration/pxGrid Services, it says "No connectivity to pxGrid node"

So, is it mandatory to have separate ISE node for pxGrid ? Can't i just activate it on STANDALONE mode ?

As you can see on our videos, we are running a single standalone mode and able to run both ANC and pxGrid just fine. What version of ISE and patch number are you trying this on? Is this a lab or production?

The Version is 2.0, Patch 3.
Not production, but some services are being tested on production users.
I don't really need pxGrid and ANC, i just want to understand why i cant make it work.
Maybe one day ill try to add one more VM machine and configure it as pxGrid node. This is my last hope.

You can try to set up a lab and see if it works. Do a fresh install and configure ANC. Try without a patch first and if it works, apply patch and try again.