UnQuarantine Option not seen in Session: EPS status in AuthZ policy

netquestfun
Level 1

Hi Experts,

I want to configure an exception AuthZ policy to unquarantine hosts when ISE receives an unquarantine request from StealthWatch or Firepower. But I don't see an Unquarantine option under Session: EPS status in the AuthZ policy. However, I can see the Quarantine option, but not the Unquarantine option. Please suggest.

Thanks,

Raj

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

The attribute on the left-hand side of the condition is Session:EPSStatus and the available value on the right-hand side is Quarantine. We usually put it as an exception for the authorization policy as Session:EPSStatus EQUALS Quarantine, such that a quarantined endpoint will hit the exception rule while anything else will not match the exception rule, so the regular authorization policy rules will apply.

In case you have a valid reason to have a rule for when an endpoint is not in quarantine (unquarantine), then you may use

Session:EPSStatus NOT_EQUALS Quarantine


6 Replies


netquestfun
Level 1

Hi Thanks.

As per your suggestion, the "Session: EPSStatus NOT_EQUALS Quarantine" condition can be anything other than quarantine, right? Then ISE would always fetch this rule first when the EPS status is not equal to quarantine.

That is correct. ISE evaluates the exception rules before the regular authorization policy rules.

Ok. After configuring the Global exception rules (Quarantine & Unquarantine), ISE is successfully hitting the respective rules when it receives quarantine & unquarantine requests from my StealthWatch.

But the problem is, in the RADIUS live logs, the traffic is still hitting the Unquarantine rule by default every time, even after a physical port bounce on the switch. Only when I disable the Unquarantine rule does the traffic bypass it and hit the Wired Dot1x rule.

I do not think you really need an Unquarantine policy rule in the exceptions. The ISE authorization policy is top-down and first-match, so only the Quarantine policy rule is required, and we should simply use the non-exception rules to handle unquarantine cases.

Got the point. But I still need more visibility on how to write a reverse rule for the quarantine rule. My requirement is that ISE should hit the quarantine & unquarantine rules and show them in the RADIUS live logs when it receives quarantine & unquarantine requests from StealthWatch.

If my StealthWatch sends a quarantine request, ISE matches Session: EPS status equal to quarantine, the respective AuthZ quarantine profile is returned, and the endpoint is seen as quarantined in the live logs. But now if my StealthWatch sends an unquarantine request to ISE for the same endpoint, which rule should this unquarantine request hit in ISE? If it should hit the Session: EPS status NOT_EQUALS quarantine rule, then where should this rule be written? And moreover, the (Session: EPS status not equal to quarantine) rule can cause ISE to hit any rule other than the (Session: EPS status equal to quarantine) rule, right? In other words, this rule means any other rule than the (Session: EPS status equal to quarantine) rule, right? I hope you got my question.
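To make the top-down, first-match behaviour discussed in this thread concrete, here is a small added model of ISE authorization policy evaluation (example code, not part of the original thread or any Cisco product). It assumes that Session:EPSStatus is simply unset (None) for an endpoint that is not quarantined, and the rule names, profiles and the "Wired Dot1x" condition are constructed for illustration. It shows why a "NOT_EQUALS Quarantine" exception rule matches every non-quarantined session, including a normal wired dot1x session after a port bounce, while a lone "EQUALS Quarantine" exception lets the regular rules handle the unquarantine case.

```python
# Added example: a toy model of ISE authorization policy evaluation.
# Exception rules are evaluated before regular rules; rules are evaluated
# top-down and the first match wins. Names and profiles are assumed values.

def rule(name, profile, cond):
    """A policy rule: a name, the authorization profile it returns,
    and a condition function taking the session attributes."""
    return {"name": name, "profile": profile, "cond": cond}

def eps_equals(value):
    # Session:EPSStatus EQUALS <value>
    return lambda s: s.get("EPSStatus") == value

def eps_not_equals(value):
    # Session:EPSStatus NOT_EQUALS <value>; an unquarantined endpoint is
    # assumed to have no EPSStatus at all, so this matches it too.
    return lambda s: s.get("EPSStatus") != value

def wired_dot1x(s):
    # Constructed stand-in for a regular "Wired Dot1x" rule condition.
    return s.get("NAS-Port-Type") == "Ethernet" and s.get("Auth") == "dot1x"

def evaluate(exceptions, regular, session):
    """Return (rule name, profile) of the first matching rule, exception
    rules first, then regular rules; assumed default is DenyAccess."""
    for r in exceptions + regular:
        if r["cond"](session):
            return r["name"], r["profile"]
    return "Default", "DenyAccess"

# Constructed sessions: the same wired dot1x endpoint, quarantined and not.
QUARANTINED = {"NAS-Port-Type": "Ethernet", "Auth": "dot1x", "EPSStatus": "Quarantine"}
NORMAL = {"NAS-Port-Type": "Ethernet", "Auth": "dot1x"}

QUARANTINE_RULE = rule("Quarantine", "Quarantine_Profile", eps_equals("Quarantine"))
UNQUARANTINE_RULE = rule("Unquarantine", "PermitAccess", eps_not_equals("Quarantine"))
REGULAR = [rule("Wired Dot1x", "Wired_Dot1x_Profile", wired_dot1x)]

def with_unquarantine_exception(session):
    # The thread's problematic setup: both rules in the global exceptions.
    return evaluate([QUARANTINE_RULE, UNQUARANTINE_RULE], REGULAR, session)

def quarantine_only(session):
    # The recommended setup: only the Quarantine rule as an exception.
    return evaluate([QUARANTINE_RULE], REGULAR, session)

if __name__ == "__main__":
    for label, fn in (("both exceptions", with_unquarantine_exception),
                      ("quarantine only", quarantine_only)):
        print(label, "normal ->", fn(NORMAL), "| quarantined ->", fn(QUARANTINED))
```

Running it shows the normal session matching "Unquarantine" in the first layout and "Wired Dot1x" in the second, while the quarantined session hits "Quarantine" in both.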