SEC0223 - ISE 2.0 Adaptive Network Control (ANC) (Part 2)

The video looks at the Adaptive Network Control (ANC) feature on Cisco ISE 2.0 and how it can be used to quarantine endpoint devices, similarly to the legacy feature it replaces, Endpoint Protection Service (EPS). This lab exercise includes creating and testing ANC policies with various types of actions. At the end, we demonstrate the use of SGT with ANC, leveraging SGACLs to limit the network access of quarantined devices.

Part 2 of this video covers the use of SGT with ANC.

Topic:
  • Adaptive Network Control (ANC)
  • ANC Policy
    • Quarantine
    • Remediate
    • Shutdown
    • Port Bounce
    • Provisioning
  • Security Group Tag (SGT) with ANC
  • Endpoint Protection Services (EPS)

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

16 comments

Cisco ISE is now working with Stealthwatch. Do you have any plans to make a series about it? It would be great.

ISE integration with SMC is also via pxGrid, which is very similar to integrating with FMC as far as configuration on ISE goes. For config on SMC, Cisco has a good document on it, so we do not have plans to create a video at this time.

I have a topology as below:
ISE---SW1---SW2
I configured authentication with Cisco ISE on SW1. SW2 only has VLAN assignment configured. If I connect an endpoint (laptop, IP phone) to SW1 then everything works fine. Both dot1x and MAB authentication succeed. But when I connect an endpoint to SW2, only the IP phone authenticates successfully, with the MAB method. Then I unplug my laptop and reconnect it to SW1. It still fails authentication. I use the command "show authentication session" and the output shows that my laptop is still on the port connected to SW2 (port G1/0/1 for example), which is not true. Then I use the command "show mac address-table interface g1/0/5" and the output is as below:
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ------------------ ----------- -----
14 0007.3b93.92fc DYNAMIC DROP
Total Mac Addresses for this criterion: 1

The authentication log keeps alerting that my laptop authenticated on port G1/0/1 (connected to SW2), which my laptop is not connected to anymore. I must unplug the port connected to SW2 and then re-plug my laptop into SW1, and only then does my laptop authenticate successfully again. I think when I unplug the port connected to SW2, the MAC address table on that port is cleared, and then when I plug my laptop in again, my laptop's MAC address is accepted on the new port so authentication succeeds. And after some testing, I can't authenticate my laptop anymore, though I connect directly to SW1, which I configured authentication on. I can make sure 100% that I typed the credentials right. But it still fails, and even if I change the credentials to another user, it still fails. So I guess ISE blocked my laptop after some authentication failures.

For an update: after a period of time, with no configuration change and the same user, my laptop authenticates successfully again when I connect to SW1. So I am pretty sure there is a blocking function after some authentication failures by default on ISE.

ISE by default blocks endpoints that repeatedly fail authentication. The settings can be found under Admin > Settings > Protocol > RADIUS.
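The behaviour described in that reply, modelled as an added example (not code from Lab Minutes or Cisco): it replays RADIUS requests against a simplified version of ISE's repeated-failure suppression. The detection count, detection window and reject duration are assumed values for the demo, and the event list is constructed.

```python
from datetime import datetime, timedelta

# Knobs modelled on ISE's RADIUS "Suppress Repeated Failed Clients" settings under
# Administration > System > Settings > Protocols > RADIUS. The values below are
# assumptions for this demo, not read from a live node; confirm them on your own ISE.
DETECT_FAILURES = 2                      # failures inside the window that trip suppression
DETECT_WINDOW = timedelta(minutes=5)
REJECT_DURATION = timedelta(minutes=60)  # further requests are rejected for this long

# Constructed sample of RADIUS requests in time order: (timestamp, Calling-Station-Id,
# result). "result" is what ISE would decide if it evaluated the request at all.
SAMPLE_EVENTS = [
    ("2016-12-20 09:00:00", "00:07:3B:93:92:FC", "fail"),  # laptop, wrong password
    ("2016-12-20 09:01:00", "00:1B:54:AA:BB:CC", "pass"),  # IP phone via MAB, unaffected
    ("2016-12-20 09:02:00", "00:07:3B:93:92:FC", "fail"),  # second failure trips suppression
    ("2016-12-20 09:30:00", "00:07:3B:93:92:FC", "pass"),  # right password, still rejected
    ("2016-12-20 10:10:00", "00:07:3B:93:92:FC", "pass"),  # reject period over, accepted
]

def simulate(events, detect=DETECT_FAILURES, window=DETECT_WINDOW, reject_for=REJECT_DURATION):
    """Replay requests and return (timestamp, mac, decision) for each one.

    decision is ACCEPT, REJECT (evaluated and failed) or SUPPRESSED (rejected without
    evaluation because the client is inside its reject period)."""
    failures = {}          # mac -> timestamps of recent failures
    suppressed_until = {}  # mac -> end of the reject period
    decisions = []
    for ts_str, mac, result in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if mac in suppressed_until and ts < suppressed_until[mac]:
            decisions.append((ts_str, mac, "SUPPRESSED"))
            continue
        if result == "pass":
            failures.pop(mac, None)            # a success clears the failure history
            decisions.append((ts_str, mac, "ACCEPT"))
            continue
        recent = [t for t in failures.get(mac, []) if ts - t <= window] + [ts]
        if len(recent) >= detect:
            suppressed_until[mac] = ts + reject_for
            recent = []                        # start counting afresh after the period
        failures[mac] = recent
        decisions.append((ts_str, mac, "REJECT"))
    return decisions

if __name__ == "__main__":
    for ts, mac, decision in simulate(SAMPLE_EVENTS):
        print(ts, mac, decision)
```

The fourth request shows why a correct password did not help the laptop in the thread: once suppressed, the request is rejected before the credentials are evaluated.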

Thanks a lot. I have found it. And one more problem that I asked about before is about another switch connected to the switch that has authentication configured. For example: I configure authentication on a 2960-XR and then connect another switch, without authentication configured on it, to the 2960-XR. I connect an endpoint to that switch. The IP phone works fine with the MAB method. But the PC can't authenticate with dot1x. It says that dot1x failed though I type the right credentials. So I think there is some config I need to make right?

If ISE reports successful user authentication then the chances are the config on the switch is incorrect. Run some debugs and see if it gives you any more info. Also try 'multi-domain' if not already.

Which switch do you mean here? Because when I connect the laptop to the distribution switch (2960XR), laptop authentication succeeds. But when I connect it to the access switch (2960+), authentication fails even with the same credentials. On the access switch, I only configure VLAN assignment and nothing more. I think the config on the distribution switch must be right since the laptop can authenticate successfully. I mean, is there any config I need to add on the access switch?

It should not matter which switch you have the laptop connected to. If it works on the distribution but not the access switch, you might want to compare the config and try to match the IOS version.

You mean the access switch must be the same IOS version as the distribution switch, right?
Here is my config on the distribution switch:
{
enable
config terminal
no ip domain lookup
lin con 0
logg syn
exit
hostname POC-SW1

ip domain-name Pru-POC
username admin password 123456
enable secret 123456
crypto key generate rsa general-keys modulus 1024

vtp mode tran

vlan 195
name DATA
vlan 14
name voice
exit

int range g1/0/1-12
spanning portfast
switchport access vlan 195
switchport voice vlan 14
exit

int vlan 195
ip add 10.145.195.245 255.255.255.0
no shut
exit

ip default-gateway 10.145.195.1

int g1/0/48
switchport acce vla 195
switchport voice vla 14
exit

aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
aaa accounting update periodic 5
radius-server host 10.145.220.19 auth-port 1812 acct-port 1813 key abcd2314

radius-server dead-criteria tries 2
radius-server deadtime 3
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
mac address-table notification change
mac address-table notification mac-move
mac address-table notification change interval 0
authentication mac-move permit

ip radius source-interface vlan 195

aaa server radius dynamic-author
client 10.145.220.19 server-key abcd2314
exit

dot1x system-auth-control
ip device tracking
logging console information

interface range g1/0/1-8
switchport host
authentication host-mode multi-auth
authentication event server dead action authorize vlan 195
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
exit
}
And the config on the access switch:
{
enable
conf t
vlan 195
name DATA
vlan 14
name VOICE
exit

int range f1/0/1-24
switchport access vlan 195
switchport voice vlan 14
exit
}

There doesn't appear to be any .1x config on the access switch interfaces f1/0/1-24. Is that correct?
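To compare the two switches the way the replies suggest, here is an added example (not from the thread or Lab Minutes) that audits show running-config output for the global and per-port 802.1X/MAB commands. The required-command list and both sample configs are constructed assumptions based on the configs pasted above.

```python
import re

# Commands an 802.1X/MAB edge port needs; an assumption for this audit, taken from
# the distribution-switch config pasted in the thread. Adjust to your own template.
REQUIRED_GLOBAL = ["aaa new-model", "dot1x system-auth-control"]
REQUIRED_INTERFACE = ["authentication port-control auto", "authentication order dot1x mab",
                      "mab", "dot1x pae authenticator"]

def parse_config(text):
    """Split show running-config output into global lines and {interface: [lines]}."""
    globals_, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None            # '!' ends a block in IOS output
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line.strip())
    return globals_, interfaces

def audit(text, access_ports):
    """Return the required commands missing globally and on each listed access port."""
    globals_, interfaces = parse_config(text)
    missing = {"global": [c for c in REQUIRED_GLOBAL if c not in globals_], "interfaces": {}}
    for name in access_ports:
        gaps = [c for c in REQUIRED_INTERFACE if c not in interfaces.get(name, [])]
        if gaps:
            missing["interfaces"][name] = gaps
    return missing

# Constructed samples in show running-config form, mirroring the two switches in the thread.
DIST_CONFIG = """aaa new-model
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport access vlan 195
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!"""
ACCESS_CONFIG = """interface FastEthernet1/0/1
 switchport access vlan 195
 switchport voice vlan 14
!"""
```

Running audit(ACCESS_CONFIG, ["FastEthernet1/0/1"]) lists every required command as missing, which is exactly the gap the reply above is asking about.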

Hi Labminutes team,
I just want to thank you for all your help. Thank you very much. I wish you guys the best holiday with your families. Merry Christmas and happy new year :D
Best regards,
Quang

Thank you on behalf of Lab Minutes team. Your continued support is much appreciated. Merry Christmas and happy holidays.

Yes. The access switch doesn't have .1x enabled on it, only VLAN assignment. Previously, I did something similar to this. I configured .1X on a Cisco 2960-24P; endpoints didn't connect directly to the Cisco 2960-24P. Endpoints connected directly to a Tenda Wifi. The Tenda Wifi is just a kind of access point. It has 1 WAN port and 4 LAN ports. All connections between the Cisco 2960-24P and the Tenda Wifi, and between the Tenda Wifi and endpoints, are wired. I didn't enable .1X on the Tenda Wifi, but the endpoint still authenticated successfully with the .1X method. So I thought I could replace the Tenda Wifi with a Cisco switch and it would work. But clearly, it's not working.

.1x should always be enabled at the edge port if the edge switch supports it. If you have an access point connected to a .1x switch, typically .1x is done on the WLAN and .1x on the switchport is not needed, as a wireless client cannot authenticate .1x against the switchport.

Thank you guys a lot! Have a good day!