The video looks at the Adaptive Network Control (ANC) feature on Cisco ISE 2.0 and how it can be used to quarantine endpoint devices, similarly to its legacy feature called Endpoint Protection Service (EPS). This lab exercise includes creating and testing ANC policies with various types of actions. At the end, we demonstrate the use of SGT with ANC to leverage SGACL to limit a quarantined device's network access.
Part 1 of this video covers ANC policy creation and testing.
Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
1) When I'm trying to activate ANC, it asks me to activate pxGrid first.
I see that just enabling it under Administration/Deployment isn't enough, so do I have to fully configure pxGrid (integrate with AD) in order to activate ANC?
2) Also I want to know if there is any way to somehow match traffic from a specific VLAN (like for wireless, where you match incoming traffic only from a specific SSID by using the "Called-Station-ID" RADIUS attribute).
I tried these options to match traffic from VLAN 21 (under Conditions), but it's not working as expected:
Tunnel-Private-Group-ID = 1:21
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
My goal is to do something like this:
Push a Redirect-ACL and redirect traffic to the Guest Portal only if the traffic is coming from the Guest VLAN.
1) We do not recall having to enable pxGrid as a prerequisite for ANC. You should be able to create ANC policies and use them under the Authorization policy.
2) You can look at the details of the authentication request ISE receives from the switch and see which RADIUS attributes are sent to ISE. We do not recall the VLAN ID being one of them. If it is not there, you might not be able to do what you want. Any reason why you can't have all interfaces start in the Guest VLAN and have ISE return a redirect ACL for MAB, the production VLAN for .1X, etc.?
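The answer above suggests checking which RADIUS attributes the switch actually sends before trying to match on a VLAN. As an added example that is not part of the original post, the following Python decoder parses the RADIUS attribute format (RFC 2865) and the tagged tunnel attributes of RFC 2868, which is where the "1:21" syntax in the question comes from: the "1" is the one-byte tag and "21" the value. The two Access-Request packets below are constructed samples, not captures from a real switch, and the authenticator field is a zero placeholder; the attribute names and value codes are the standard RFC assignments.

```python
import struct

# RADIUS attribute codes from RFC 2865 and the tunnel attributes of RFC 2868.
ATTR_NAMES = {
    1: "User-Name", 6: "Service-Type", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 61: "NAS-Port-Type",
    64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID",
}
INTEGER_ATTRS = {6, 61, 64, 65}
TUNNEL_ATTRS = {64, 65, 81}   # carry a one-byte tag (0x01..0x1F) before the value


def avp(attr_type, value):
    """Encode one attribute as type, length, value (length covers the 2-byte header)."""
    return bytes([attr_type, 2 + len(value)]) + value


def tunnel_avp(attr_type, tag, value):
    """Tagged tunnel attribute: tag byte, then the value (3 bytes for integers)."""
    return avp(attr_type, bytes([tag]) + value)


def access_request(avps):
    """RADIUS header (code 1 = Access-Request) plus attributes; authenticator is a constructed placeholder."""
    body = b"".join(avps)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Yield (type, tag, value) for every attribute, validating lengths the way a RADIUS server must."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match packet")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = packet[pos + 2:pos + alen]
        tag = None
        # Integer tunnel attributes always carry a tag; string ones only when the first byte is <= 0x1F.
        if atype in TUNNEL_ATTRS and value and (atype in INTEGER_ATTRS or value[0] <= 0x1F):
            tag, value = value[0], value[1:]
        yield atype, tag, value
        pos += alen


def summarize(packet):
    """Map attribute name -> display string, using the 'tag:value' form ISE shows for tunnel attributes."""
    out = {}
    for atype, tag, value in parse_attributes(packet):
        name = ATTR_NAMES.get(atype, f"Attribute-{atype}")
        text = str(int.from_bytes(value, "big")) if atype in INTEGER_ATTRS else value.decode("ascii", "replace")
        out[name] = f"{tag}:{text}" if tag is not None else text
    return out


def vlan_in_request(packet):
    """Return the Tunnel-Private-Group-ID (VLAN) if the NAS sent one, else None."""
    return summarize(packet).get("Tunnel-Private-Group-ID")


# Constructed sample 1: a MAB-style request with identity and port attributes but no VLAN information.
MAB_REQUEST = access_request([
    avp(1, b"00-11-22-33-44-55"),           # User-Name: the MAC address, as MAB sends it
    avp(31, b"00-11-22-33-44-55"),          # Calling-Station-Id
    avp(30, b"AA-BB-CC-DD-EE-FF"),          # Called-Station-Id (switch port MAC)
    avp(6, struct.pack("!I", 10)),          # Service-Type = Call-Check
    avp(61, struct.pack("!I", 15)),         # NAS-Port-Type = Ethernet
])

# Constructed sample 2: the same request plus the three tunnel attributes for VLAN 21 with tag 1.
VLAN_REQUEST = access_request([
    avp(1, b"00-11-22-33-44-55"),
    tunnel_avp(64, 1, struct.pack("!I", 13)[1:]),   # Tunnel-Type = VLAN (13)
    tunnel_avp(65, 1, struct.pack("!I", 6)[1:]),    # Tunnel-Medium-Type = IEEE-802 (6)
    tunnel_avp(81, 1, b"21"),                       # Tunnel-Private-Group-ID = "21"
])

if __name__ == "__main__":
    for label, pkt in (("MAB request", MAB_REQUEST), ("request with VLAN", VLAN_REQUEST)):
        print(label, "->", summarize(pkt), "| VLAN:", vlan_in_request(pkt))
```

Running the block prints both summaries; only the second carries a Tunnel-Private-Group-ID, which is the condition the question was trying to match. To apply the same check to a real switch, feed captured Access-Request bytes to `summarize()` and compare its output with the attribute list ISE shows in the authentication details.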
I'm really stuck here.
When I'm trying to configure ANC policies under Operations/ANC/Policy List, I'm getting this error:
"Enable pxGrid before performing ANC operations"
pxGrid is enabled under Administration/System/Deployment, but when I checked it from the CLI (show application status ise), it gives me this result:
pxGrid Infrastructure Service initializing
pxGrid Publisher Subscriber Service initializing
pxGrid Connection Manager initializing
pxGrid Controller initializing
Under Administration/pxGrid Services, it says "No connectivity to pxGrid node"
So, is it mandatory to have a separate ISE node for pxGrid? Can't I just activate it in STANDALONE mode?