View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0223 - ISE 2.0 Adaptive Network Control (ANC) (Part 1)

Rating: 
5
Average: 5 (2 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
The video looks at Adaptive Network Control (ANC) feature on Cisco ISE 2.0 and how it can be used to quarantine endpoint devices similarly to its legacy feature called Endpoint Protection Service (EPS). This lab exercise includes creating and testing ANC policies with various type of actions. At the end, we will demonstrate the use of SGT with ANC to leverage SGACL to limit quarantined device network access.
 
Part 1 of this video covers ANC policies creation and testing
 
Topic:
  • Adaptive Network Control (ANC)
  • ANC Policy
    • Quarantine
    • Remediate
    • Shutdown
    • Port Bounce
    • Provisioning
  • Security Group Tag (SGT) with ANC
  • Endpoint Protection Services (EPS)

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

21 comments

1) When i'm trying to activate ANC, it asks me to activate pxGrid first.
I see that just enabling it under Administration/Deplyment isn't enough, so do i have to fully configure pxGrid (Integrate with AD) in order to activate ANC ?

2) Also i want to know, if there is any way to somehow match traffic from specific VLAN (Like for Wireless, where you match incoming traffic only from specific SSID by using "called-station-ID" radius attribute)

I tried this options to match traffic from VLAN 21 (Under Conditions) but its not working as expected:

Tunnel-Private-Group-ID = 1:21
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6

My Goal is to do something like that:
Push Redirect-ACL and redirect traffic to Guest Portal, only if traffic is coming from Guest VLAN.

1) We do not recall having to enable pxGrid as a prerequisite to ANC. You should be able to create ANC policy and use them under Authorization policy.

2) You can look at the detail of authentication request ISE receive from the switch and see which RADIUS attributes are sent to ISE. We do not recall VLAN ID being one of them. If it is not there, you might not be able to do what to want. Any reason why you can't have all interfaces start in Guest VLAN and have ISE return redirect ACL for MAB, and production VLAN for .1x etc.

I'm really stuck in here.

When I'm trying to configure ANC policies under Operations/ANC/Policy List, I'm getting error:
"Enable pxGrid before performing ANC operations"

pxGrid is enabled under Administration/System/Deployment but when i checked it from CLI (show application status ise), it gives me this result:

pxGrid Infrastructure Service initializing
pxGrid Publisher Subscriber Service initializing
pxGrid Connection Manager initializing
pxGrid Controller initializing

Under Administration/pxGrid Services, it says "No connectivity to pxGrid node"

So, is it mandatory to have separate ISE node for pxGrid ? Can't i just activate it on STANDALONE mode ?

As you can see on our videos, we are running a single standalone mode and able to run both ANC and pxGrid just fine. What version of ISE and patch number are you trying this on? Is this a lab or production?

The Version is 2.0, Patch 3.
Not production, but some services are being tested on production users.
I don't really need pxGrid and ANC, i just want to understand why i cant make it work.
Maybe one day ill try to add one more VM machine and configure it as pxGrid node. This is my last hope.

You can try to set up a lab and see if it works. Do a fresh install and configure ANC. Try without a patch first and if it works, apply patch and try again.

Hi,
when i enabled the ANC as per video step by step , adding exception matching policy i have created ,
i faced very strange issue , i am having authorization rule that is matching PAP ASCII traffic for admin users and the result is a profile that gives that user privilege x , after creating the exception policy , all the admins no longer able to access the devices using the aaa radius account , and only works again after i disable the exception rule , any ideas
BR

Are you using RADIUS device admin? Can you provide authorization condition for both exception rule and the regular rule down below?

yes i am using RADIUS for the network devices , as for the exception policy , i did the exact one as per video , matching ANC policy name and then the result to deny all ,
and the rule that get effects matches only users Group and result to grant them priv level 15
each time i enable the exception policy , the Radius Users no longer able to access the network devices
thanks in advance for your feedback
BR

Interesting. Nothing should match the ANC exception rule unless the endpoint MAC address is added to the ANC policy. Does it affect everyone or certain user? What ISE version and patch are you running? If you review RADIUS detail log, does it indicate the endpoint is under an ANC policy?

i am running ver 2.0 , the rule does affect all the users in the admin groups , and those who gets denied have different MAC addresses than the ones on the Policy

This could be a bug then. You might want to check with Cisco on this one. You might also want consider creating a separate Policy Set just for RADIUS device admin. 

Hi ,
it worked with the old fashion , that i had configured exception based on EPS flow equal quarantine
but now , but i faced another issue that the remote users at the branches when try to quarantine one of them , it does not work !!
any Ideas
BR

So with EPS, you add MAC address to EPS group correct? When you said it did not work for the branch, did it not match the EPS policy and just went through to the auth policies underneath? If so, check RADIUS detail log or endpoint detail and look for the endpoint EPS status.

facing same issue with ISE2.2 , are you able to get any solutions ?

the problem now is i still need to apply using ANC policy as i will use PX-grid integration , i need to find a solution for the PAP ASCII issue
what do you think

Most pxGrid integration used for quarantine today like Firepower and Stealthwatch still use EPs and not ANC. Not saying problem ANC shouldn't be fixed. Something is definitely not working correctly there. You may want to reach out to TAC to get to the root of problem. Worst case, you can also try to separate .1x and Device Admin to two separate Policy Set so they won't interfere with each other.

Hi, Can we use Central Web Authentication for Wire connect or it only working for wireless connect ?

Absolutely. As long as you configure the switch properly and send redirect URL from ISE, user should be redirected to the CWA.

i have configure same as shown in video but when give mac address and set action port bounce in Policy List -Endpoint Assignment and issue mac id and port bounce its says Radius Failure.

please help me

This is for wired and not wireless correct? When you check the RADIUS log, do you see failed dynamic authorization. If so, please check the CoA config on the switch and make sure ISE is added to the list with matching secret.

Poll

Vote for the Next Video Series