Adaptive Network Control Policy Guidelines
Adaptive Network Control (ANC) is a service running on the Cisco ISE Policy Administration Node (PAN) that lets you monitor and control network access for endpoints. ANC supports wired and wireless deployments.
You can invoke ANC actions on endpoints using APIs or scripts.
The following scripts are available:

- Quarantine an authenticated 802.1X endpoint
- Unquarantine (clear) the endpoint
- Provide a list of endpoints, based on the triggered ANC policy
- Subscribe to the ANC capability to receive remediation and provisioning notices
ANC Endpoint and ANC Policy are documented in the Cisco ISE API Reference Guide:

- https://developer.cisco.com/docs/identity-services-engine/v1/ancendpoint/
- https://developer.cisco.com/docs/identity-services-engine/v1/ancpolicy/
The following actions are available:

- QUARANTINE: Disconnects the target client (after which it may reconnect).
- RE_AUTHENTICATE: Forces the target client to re-authenticate, optionally applying an updated policy. This requires pxGrid 2.0.
- SHUTDOWN: For a wired device, shuts down the switch port the device is connected to, preventing reconnection.
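The quarantine and clear scripts listed above both go through the ISE ERS ANC endpoint API. The following is an added example (not Cisco's code) that builds and sends those two requests: it normalizes the endpoint MAC address into the colon-separated form ISE expects, assembles the `OperationAdditionalData` body, and PUTs it to `/ers/config/ancendpoint/apply` or `/ers/config/ancendpoint/clear` on the PAN. The host name, CA file, credentials and the policy name `ANC_Quarantine` are constructed placeholders; the ERS paths and payload shape are those of the ISE ERS ANC API as the author understands them.

```python
import base64
import json
import re
import ssl
import urllib.request

# Added example, not Cisco's code. Host, CA file, credentials and policy name are
# constructed placeholders; the ERS paths/payload follow the ISE ERS ANC endpoint API.
ISE_HOST = "ise-pan.example.internal"   # constructed placeholder
ERS_PORT = 9060                         # default ERS port on the PAN
POLICY_NAME = "ANC_Quarantine"          # an ANC policy already defined on the PAN (constructed)

_MAC_RE = re.compile(r"^[0-9A-F]{12}$")

def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455 (Cisco), 00-11-22-33-44-55 or 00:11:22:33:44:55 and
    return the colon-separated upper-case form ISE uses; reject anything else."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).upper()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def anc_request(action: str, mac: str, policy: str = "") -> tuple:
    """Build the ERS request that applies or clears an ANC policy on one endpoint.
    Returns (url_path, json_body). 'apply' needs a policy name; 'clear' does not."""
    if action not in ("apply", "clear"):
        raise ValueError("action must be 'apply' or 'clear'")
    data = [{"name": "macAddress", "value": normalize_mac(mac)}]
    if action == "apply":
        if not policy:
            raise ValueError("apply requires an ANC policy name")
        data.append({"name": "policyName", "value": policy})
    return f"/ers/config/ancendpoint/{action}", {"OperationAdditionalData": {"additionalData": data}}

def send(path: str, body: dict, user: str, password: str, ctx: ssl.SSLContext) -> int:
    """PUT the request to the PAN over HTTPS with ERS basic auth and return the HTTP
    status; ERS answers 204 No Content when the policy was applied or cleared."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{ISE_HOST}:{ERS_PORT}{path}", data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status

if __name__ == "__main__":
    ctx = ssl.create_default_context(cafile="ise-ca.pem")  # trust only the PAN's CA (constructed path)
    path, body = anc_request("apply", "0011.2233.4455", POLICY_NAME)
    print(path, json.dumps(body))
    # send(path, body, "ers-admin", "<password>", ctx)     # constructed credentials; run against a real PAN
```

The same `send` call with `anc_request("clear", mac)` removes the policy again; the ERS account used needs the ERS Admin or ERS Operator role on the PAN.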
The discovery ports listed in the following table are used to determine what device is present.

| Port number | Port assignment |
|---|---|
| 4 | Closed Port |
| 21 | FTP |
| 22 | SSH |
| 23 | telnet |
| 80 | HTTP |
| 135 | Windows RPC |
| 161 | SNMP |
| 443 | HTTPS |
| 513 | rlogin |
| 902 | VMware Authentication Daemon |
| 3940 | Discovery for z/OS Agent |
| 5985 | PowerShell HTTP |
| 5986 | PowerShell HTTPS |
| 5988 | WBEM HTTP |
| 5989 | WBEM HTTPS |
| Source | Default Port | Protocol | Directionality | Reason |
|---|---|---|---|---|
| Main Appliance (MA) | 389 (TCP/UDP) | LDAP | MA to targets | Active Directory Sync |
| Remote Collector(s) (RC) | 53 (TCP) | DNS | Device to targets | DNS Zone Discovery |
| Remote Collector(s) (RC) | 623 (UDP) | IPMI | RC to targets | IPMI-based discovery of management interfaces |
| Remote Collector(s) (RC) | 22 (TCP) | SSH | RC to targets | SSH-based discovery of Linux and Unix systems |
| Remote Collector(s) (RC) | 161 (UDP) | SNMP | RC to targets | SNMP discovery of network equipment |
Introduction
This document describes the configuration of Rapid Threat Containment (Adaptive Network Control) on Cisco ISE® version 3.3 and Stealthwatch.
Prerequisites
Cisco recommends knowledge of these topics:

- Identity Services Engine (ISE)
- Platform Exchange Grid (pxGrid)
- Secure Network Analytics (Stealthwatch)
- Rapid Threat Containment (Adaptive Network Control, ANC)

This document assumes that Cisco Identity Services Engine is integrated with Secure Network Analytics (Stealthwatch) through pxGrid and that ANC is enabled.
Components Used
The information in this document is based on these software and hardware versions:

- Cisco Identity Services Engine (ISE) version 3.3
- Secure Network Analytics (Stealthwatch) 7.5.1
- Catalyst 9300
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.