SEC0223 - ISE 2.0 Adaptive Network Control (ANC) (Part 1)

This video looks at the Adaptive Network Control (ANC) feature on Cisco ISE 2.0 and how it can be used to quarantine endpoint devices, in the same way as the legacy Endpoint Protection Service (EPS) feature. The lab exercise includes creating and testing ANC policies with the various types of action ISE supports. At the end, we demonstrate the use of SGT with ANC, leveraging SGACL to limit a quarantined device's network access.

Part 1 of this video covers ANC policy creation and testing.
Topic:
  • Adaptive Network Control (ANC)
  • ANC Policy
    • Quarantine
    • Remediate
    • Shutdown
    • Port Bounce
    • Provisioning
  • Security Group Tag (SGT) with ANC
  • Endpoint Protection Services (EPS)

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

21 comments

1) When I'm trying to activate ANC, it asks me to activate pxGrid first.
I see that just enabling it under Administration/Deployment isn't enough, so do I have to fully configure pxGrid (integrate with AD) in order to activate ANC?

2) Also, I want to know if there is any way to somehow match traffic from a specific VLAN (like for wireless, where you match incoming traffic only from a specific SSID by using the "Called-Station-ID" RADIUS attribute).

I tried these options to match traffic from VLAN 21 (under Conditions), but it's not working as expected:

Tunnel-Private-Group-ID = 1:21
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6

My goal is to do something like this:
Push a Redirect-ACL and redirect traffic to the Guest Portal, only if the traffic is coming from the Guest VLAN.

1) We do not recall having to enable pxGrid as a prerequisite to ANC. You should be able to create ANC policies and use them under the Authorization policy.

2) You can look at the detail of the authentication request ISE receives from the switch and see which RADIUS attributes are sent to ISE. We do not recall VLAN ID being one of them. If it is not there, you might not be able to do what you want. Any reason why you can't have all interfaces start in the Guest VLAN and have ISE return a redirect ACL for MAB, the production VLAN for .1X, etc.?

I'm really stuck here.

When I'm trying to configure ANC policies under Operations/ANC/Policy List, I'm getting the error:
"Enable pxGrid before performing ANC operations"

pxGrid is enabled under Administration/System/Deployment, but when I checked it from the CLI (show application status ise), it gives me this result:

pxGrid Infrastructure Service initializing
pxGrid Publisher Subscriber Service initializing
pxGrid Connection Manager initializing
pxGrid Controller initializing

Under Administration/pxGrid Services, it says "No connectivity to pxGrid node".

So, is it mandatory to have a separate ISE node for pxGrid? Can't I just activate it in STANDALONE mode?

As you can see in our videos, we are running a single standalone node and are able to run both ANC and pxGrid just fine. What version of ISE and patch number are you trying this on? Is this a lab or production?

The version is 2.0, Patch 3.
Not production, but some services are being tested on production users.
I don't really need pxGrid and ANC; I just want to understand why I can't make it work.
Maybe one day I'll try to add one more VM and configure it as a pxGrid node. This is my last hope.

You can try to set up a lab and see if it works. Do a fresh install and configure ANC. Try without a patch first, and if it works, apply the patch and try again.

Hi,
when I enabled ANC as per the video, step by step, adding an exception rule matching the policy I had created,
I faced a very strange issue. I have an authorization rule that matches PAP ASCII traffic for admin users, and the result is a profile that gives that user privilege x. After creating the exception policy, all the admins were no longer able to access the devices using the AAA RADIUS account, and it only works again after I disable the exception rule. Any ideas?
BR

Are you using RADIUS device admin? Can you provide the authorization conditions for both the exception rule and the regular rule down below?

Yes, I am using RADIUS for the network devices. As for the exception policy, I did exactly the one from the video, matching the ANC policy name and then the result to deny all,
and the rule that gets affected matches only a user group and results in granting them privilege level 15.
Each time I enable the exception policy, the RADIUS users are no longer able to access the network devices.
Thanks in advance for your feedback.
BR

Interesting. Nothing should match the ANC exception rule unless the endpoint MAC address is added to the ANC policy. Does it affect everyone or only certain users? What ISE version and patch are you running? If you review the RADIUS detail log, does it indicate the endpoint is under an ANC policy?

I am running version 2.0. The rule does affect all the users in the admin groups, and those who get denied have different MAC addresses than the ones in the policy.

This could be a bug then. You might want to check with Cisco on this one. You might also want to consider creating a separate Policy Set just for RADIUS device admin.

Hi,
it worked the old-fashioned way, where I had configured the exception based on EPS flow equals quarantine.
But now I face another issue: for the remote users at the branches, when I try to quarantine one of them, it does not work!!
Any ideas?
BR

So with EPS, you add the MAC address to an EPS group, correct? When you said it did not work for the branch, did it not match the EPS policy and just go through to the auth policies underneath? If so, check the RADIUS detail log or the endpoint detail and look for the endpoint's EPS status.

Facing the same issue with ISE 2.2. Were you able to find any solution?

The problem now is that I still need to apply it using the ANC policy, as I will use pxGrid integration. I need to find a solution for the PAP ASCII issue.
What do you think?

Most pxGrid integrations used for quarantine today, like Firepower and Stealthwatch, still use EPS and not ANC. Not saying the ANC problem shouldn't be fixed; something is definitely not working correctly there. You may want to reach out to TAC to get to the root of the problem. Worst case, you can also try to separate .1X and Device Admin into two separate Policy Sets so they won't interfere with each other.

Hi, can we use Central Web Authentication for wired connections, or does it only work for wireless?

Absolutely. As long as you configure the switch properly and send the redirect URL from ISE, the user should be redirected to CWA.

I have configured the same as shown in the video, but when I give the MAC address and set the action to port bounce in Policy List - Endpoint Assignment, and issue the MAC ID and port bounce, it says RADIUS Failure.

Please help me.

This is for wired and not wireless, correct? When you check the RADIUS log, do you see a failed dynamic authorization? If so, please check the CoA config on the switch and make sure ISE is added to the list with a matching secret.
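To make the "matching secret" point in the reply above concrete, here is an added example (not code from this page, its author or Cisco) that builds a RADIUS CoA-Request of the kind ISE sends to a switch for an ANC port bounce and then runs the check the switch performs on receipt. Under RFC 5176 the Request Authenticator is MD5 over the packet header, sixteen zero octets, the attributes and the shared secret, so a switch configured with a different secret for the ISE client cannot reproduce it and drops the request; ISE then logs that as a failed dynamic authorization. The Cisco AVPair text "subscriber:command=bounce-host-port", the MAC address, the packet identifier and both secrets are constructed sample values and assumptions of this example, not values taken from the page.

```python
"""Added example, not from labminutes.com or Cisco: RADIUS CoA-Request
(RFC 5176) construction and the receiving-side authenticator check.

Assumptions (constructed for illustration):
  - the Cisco AVPair "subscriber:command=bounce-host-port" is the action
    string carried for a port bounce;
  - MAC address, identifier and shared secrets are sample values.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43                 # RFC 5176 packet code for CoA-Request
ATTR_CALLING_STATION_ID = 31     # RFC 2865: endpoint MAC on 802.1X/MAB sessions
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # Cisco vendor attribute type for cisco-av-pair


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute wrapping a single cisco-av-pair string."""
    inner = avp(CISCO_AVPAIR, text.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Assemble a CoA-Request. Request Authenticator (RFC 5176 section 2.3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa(packet: bytes, secret: bytes) -> bool:
    """The check a NAS performs with the secret it has configured for the
    sending client. A mismatch means the packet is discarded, which is what
    shows up in ISE as a dynamic-authorization failure."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    received = packet[4:20]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attrs(packet: bytes) -> list:
    """Decode the attribute list into (type, value) tuples, rejecting
    malformed lengths rather than reading past the buffer."""
    out, pos, body = [], 0, packet[20:]
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute length")
        out.append((attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def port_bounce_coa(mac: str, secret: bytes, identifier: int = 1) -> bytes:
    """CoA-Request telling the switch to bounce the port holding this MAC."""
    attrs = avp(ATTR_CALLING_STATION_ID, mac.encode()) + \
        cisco_avpair("subscriber:command=bounce-host-port")
    return build_coa(identifier, secret, attrs)


if __name__ == "__main__":
    pkt = port_bounce_coa("00-11-22-33-44-55", b"ise-secret")
    print("switch configured with matching secret accepts:", verify_coa(pkt, b"ise-secret"))
    print("switch configured with a different secret accepts:", verify_coa(pkt, b"wrong-secret"))
    for attr_type, value in parse_attrs(pkt):
        print(attr_type, value)
```

On an IOS switch the client entry the reply refers to lives under `aaa server radius dynamic-author`, as `client <ISE address> server-key <secret>`; that key is the `secret` argument of `verify_coa` above, and it has to equal the shared secret ISE uses for that network device. The example only covers the authenticator; a real deployment also needs UDP 1700 (or 3799) reachable from ISE to the switch.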