05-16-2018 10:21 PM - edited 02-21-2020 10:56 AM
I was considering the Rapid Threat Containment, by integrating ISE with Firepower. My understanding is that the quarantining action will apply on the current session. So if the user disconnects and connects again, it's a new session that will be processed normally. So is there a way to make this permanent, for example to add this Endpoint (MAC) to the blacklist Identity Group? But is there a way to automatically add an Endpoint to the Blacklist Group?
Note that I am not talking about BYOD, so my device portal is not an option.
05-18-2018 02:44 AM
You should be able to use endpoint profiling.
"The profiling service identifies each endpoint on your network, and groups those endpoints according to their profiles to an existing endpoint identity group in the system, or to a new group that you can create in the system."
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_010101.pdf
HTH
Bogdan
05-19-2018 09:00 PM