Cisco ISE has several capabilities to manage endpoints, one of them being ANC (Adaptive Network Control). By using ANC, an administrator can Quarantine, Shutdown, or Port Bounce an offending host (for example, one affected by malware, APT, viruses, or vulnerabilities). With beSECURE, Cisco ISE can impose a Quarantine on a host that has a specified number of high-risk vulnerabilities or whose overall Score (security posture) is below a certain value.
Configuring Cisco ISE to integrate with beSECURE
To integrate Cisco ISE with beSECURE, you must enable ERS (Endpoint RESTful Service), create a dedicated beSECURE user (or assign an existing administrator), and create an Adaptive Network Control (ANC) policy in Cisco ISE.
To enable ERS, do the following:
- Connect to Cisco ISE.
- Select Administration > System > Settings > ERS Settings.
- Select Enable ERS for Read/Write.
To create a dedicated beSECURE user, do the following:
Note: You can also use an existing administrator for this purpose.
- Select Administration > System > Admin Access.
- In the left side menu, select Administrators > Admin Users.
- Select Add > Create an Admin User.
- On the New Administrator page, do the following:
  - In the Name box, enter beSECURE.
  - In the Password boxes, enter a password.
  - For Admin Groups, select ERS Admin.
- Select Submit.
To create an ANC policy, do the following:
- Select Operations > Adaptive Network Control > Policy List.
- Select Add.
- In the Name box, enter beSECURE.
- In the Action box, add Quarantine.
- Select Submit.
Configuring beSECURE to integrate with Cisco ISE
To integrate beSECURE with Cisco ISE, do the following:
- Log in to beSECURE.
- Select More > Server > Integration.
- Select Cisco ISE.
- Enter your Cisco ISE URL, Username, Password, and beSECURE ANC Policy in the boxes provided.
- For Triggering Criteria, enter the number of High-risk vulnerabilities and/or the host score value, based on your needs. Whenever a scan completes, the scan results are analyzed to determine whether the Cisco ISE ANC policy should be applied to a host, because the host exceeds the allowed number of High-risk vulnerabilities or has a score at or below the provided value. This example uses 5 and 25, but you can use one or both options.
- Select Save.
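The triggering logic described above, written out as an added example (not beSECURE's or Cisco's own code) so the thresholds can be checked against sample scan results before a policy is applied. The host records, MAC addresses and field names are constructed for the example; the thresholds 5 and 25 and the policy name beSECURE are the values from this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Triggering Criteria as entered in beSECURE (More > Server > Integration > Cisco ISE).
# A criterion set to None is disabled, since one or both options may be used.
HIGH_RISK_THRESHOLD: Optional[int] = 5   # trigger when High-risk count EXCEEDS this
SCORE_THRESHOLD: Optional[int] = 25      # trigger when host score is AT OR BELOW this
ANC_POLICY = "beSECURE"                  # name of the ANC policy created in Cisco ISE


@dataclass
class HostResult:
    """One host's outcome from a completed scan (field names are assumed)."""
    ip: str
    mac: str
    high_risk: int   # number of High-risk vulnerabilities found
    score: int       # overall host security score (lower is worse)


def trigger_reason(host: HostResult,
                   high_risk_threshold: Optional[int] = HIGH_RISK_THRESHOLD,
                   score_threshold: Optional[int] = SCORE_THRESHOLD) -> Optional[str]:
    """Return why the host should receive the ANC policy, or None if it should not."""
    reasons = []
    if high_risk_threshold is not None and host.high_risk > high_risk_threshold:
        reasons.append(f"{host.high_risk} High-risk vulnerabilities > {high_risk_threshold}")
    if score_threshold is not None and host.score <= score_threshold:
        reasons.append(f"score {host.score} <= {score_threshold}")
    return "; ".join(reasons) if reasons else None


def plan_anc_assignments(results: List[HostResult],
                         high_risk_threshold: Optional[int] = HIGH_RISK_THRESHOLD,
                         score_threshold: Optional[int] = SCORE_THRESHOLD
                         ) -> List[Tuple[str, str, str, str]]:
    """Return (mac, ip, policy, reason) for every host that meets the criteria.

    Refuses a configuration with both criteria disabled: nothing would ever trigger,
    which is a silent integration failure rather than a safe default.
    """
    if high_risk_threshold is None and score_threshold is None:
        raise ValueError("at least one Triggering Criteria value must be set")
    plan = []
    for host in results:
        reason = trigger_reason(host, high_risk_threshold, score_threshold)
        if reason is not None:
            plan.append((host.mac, host.ip, ANC_POLICY, reason))
    return plan


# Constructed sample scan results, including the boundary cases (exactly 5 and 25/26).
SAMPLE_RESULTS = [
    HostResult("10.0.0.11", "00:11:22:33:44:11", high_risk=7, score=40),  # too many High-risk
    HostResult("10.0.0.12", "00:11:22:33:44:12", high_risk=2, score=20),  # score too low
    HostResult("10.0.0.13", "00:11:22:33:44:13", high_risk=5, score=26),  # clean on both
    HostResult("10.0.0.14", "00:11:22:33:44:14", high_risk=9, score=10),  # both criteria
]
```

Run `plan_anc_assignments(SAMPLE_RESULTS)` to see which hosts would be assigned the beSECURE policy and why; the third host stays untouched because 5 does not exceed 5 and 26 is above 25.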
Viewing active policies in Cisco ISE
To view Policies that are currently active (and remove them if needed), do the following:
- Select Operations > Adaptive Network Control > Endpoint Assignment.
- Select the host you want to unquarantine, then remove the assignment either by selecting Trash, or by selecting EPS unquarantine and entering the IP address or MAC address of the endpoint.