This document describes how to configure Firepower 6.1 pxGrid remediation with ISE. Firepower 6.1+ ISE Remediation module can be used with ISE Adaptive Network Control (ANC) to automate qurantine / blacklisting of attackers on the network access layer.
Contributed by Valerii Palkin, Cisco TAC Engineer.
Cisco recommends that you have basic knowledge of these topics:
Cisco Identity Service Engine
The information this document is based on these software and hardware versions:
Cisco Identity Service Engine version 2.0 Patch 4
Cisco Firepower 6.1.0
Virtual Wireless LAN Controller (vWLC) 220.127.116.11
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This article does not cover initial configuration of ISE integration with Firepower, ISE integration with Active Directory (AD), Firepower integration with AD. For this information please navigate to references section. Firepower 6.1 Remediation module allows Firepower system to use ISE ANC capabilities (quarantine, unquarantine, port shutdown) as a remediation when correlation rule is matched.
Note: port shutdown is not available for wireless deployments
The flow description:
A client connects to a network, authenticates with ISE and hits an authorization rule with an authorization profile which grants unrestricted access to the network
Traffic from the client then flows through a Firepower device
User starts to perform a malicious activity and hits a correlation rule which in turn triggers Firepower Management Center (FMC) to do ISE remediation via pxGrid
ISE assigns a EPSStatus Quarantine to the endpoint and triggers RADIUS Change of Authorization to a network access device (WLC or Switch)
The client hits another authorization policy which assigns a restricted access (changes SGT or redirects to portal or denies access)
Note: Network Access Device (NAD) should be configured to send RADIUS Accounting to ISE in order to provide it with ip address information which is used to map ip address to an endpoint
Step 1. Configure a pxGrid Mitigation Instance
Navigate to Policies > Actions > Instances and add pxGrid Mitigation Instance
Step 2. Configure a Remediation
There are two types available: Mitigate Destination and Mitigate Source. In this example Source mitigation is used. Choose remediation type and click Add
Assign Mitigation Action to the Remediation:
Step 3. Configure a Correlation rule
Navigate to Policies > Correlation > Rule Management and click Create Rule Correlation rule is the trigger for the remediation to happen. Correlation rule can contain several conditions. In this example Correlation Rule PingDC is hit if intrusion event occurs and destination ip address is 192.168.0.121. Custom intrusion rule matching icmp echo reply is configured for the purpose of the test.
Step 4. Configure a Correlation policy
Navigate to Policies > Correlation > Policy Management and click Create Policy, add rule to the policy and assign response to it
Enable the correlation policy
Step 1. Configure Adaptive Network Control (ANC) Policy List
Navigate to Operations > Adaptive Network Control > Policy List and click Add than assign ANC Action to the policy
Step 2. Configure Authorization Policy
Navigate to Policy > Authorization and add a new authorization policy which will be hit after Remediation takes place. Use Session: EPSStatus EQUALS Quarantine as the condition. There are several options which can be used as a result:
Permit Access and assign Different SGT (enforce access control restriction on network devices)
Deny Access (user should be kicked out of the network and should not be able to connect again)
Redirect to a blacklist portal (in this scenario custom hotspot portal is configured for this purpose
Custom portal configuration
Step 2. Create a hotspot portal
Navigate to Guest Access > Configure > Guest Portals and click Create, then choose Hotspot type
Step 3. Configure Portal Customization
Navigate to Portal Page Customization and change titles and content to provide an appropriate warning to the user
Scroll to Option Content 2, click Toggle HTML Source, and paste the script inside:
Use the information that is provided in this section in order to verify that your configuration works properly.
Trigger for the remediation to happen is a hit of correlation policy / rule. Navigate to Analysis > Correlation > Correlation Events and verify that correlation event happened
ISE should then trigger Radius: CoA and re-authenticate the user, this events can be verified in Operation > RADIUS Livelog
In this example, ISE assigned different SGT MaliciousUser to the endpoint. In the case of Deny Access authorization profile the user loses wireless connection and is not able to connect again.
The remediation with blacklist portal. If remediation authorization rule is configured to redirect to the portal, it should look like this from the attacker perspective:
Navigate to Analysis > Correlation > Status:
Result message should return either Successful completion of remediation either particular error message. Verify syslog: System > Monitoring > Syslog and filter output with pxgrid. The same logs can be verified in /var/log/messages.