Threat Centric NAC Service
The Threat Centric Network Access Control (TC-NAC) feature enables you to create authorization policies based on the threat and vulnerability attributes received from the threat and vulnerability adapters.
Threat severity levels and vulnerability assessment results can be used to dynamically control the access level of an endpoint or a user.
You can configure the vulnerability and threat adapters to send high-fidelity Indicators of Compromise (IoC), Threat Detected events, and CVSS scores to Cisco ISE, so that threat-centric access policies can be created to change the privilege and context of an endpoint accordingly.
Cisco ISE supports the following adapters:
- SourceFire FireAMP
- Cognitive Threat Analytics (CTA) adapter
- Qualys
Note
Only the Qualys Enterprise Edition is currently supported for TC-NAC flows.
- Rapid7 Nexpose
- Tenable Security Center
When a threat event is detected for an endpoint, you can select the MAC address of the endpoint on the Compromised Endpoints window and apply an ANC policy, such as Quarantine. Cisco ISE triggers CoA for that endpoint and applies the corresponding ANC policy. If no ANC policy is applied, Cisco ISE triggers CoA for that endpoint and re-applies the original authorization policy. You can use the Clear Threat and Vulnerabilities option on the Compromised Endpoints window to clear the threat and vulnerabilities associated with an endpoint (from the Cisco ISE system database).
The following attributes are listed under the Threat dictionary:
- CTA-Course_Of_Action (values can be Internal Blocking, Eradication, or Monitoring)
- Qualys-CVSS_Base_Score
- Qualys-CVSS_Temporal_Score
- Rapid7 Nexpose-CVSS_Base_Score
- Tenable Security Center-CVSS_Base_Score
- Tenable Security Center-CVSS_Temporal_Score
The valid range is from 0 to 10 for both the Base Score and Temporal Score attributes.
When a vulnerability event is received for an endpoint, Cisco ISE triggers CoA for that endpoint. However, CoA is not triggered when a threat event is received.
You can create an authorization policy by using the vulnerability attributes to automatically quarantine the vulnerable endpoints based on the attribute values. For example:
Any Identity Group & Threat:Qualys-CVSS_Base_Score > 7.0 -> Quarantine
To view the logs of an endpoint that is automatically quarantined during CoA events, choose . To view the logs of an endpoint that is quarantined manually, choose .
Note the following points while enabling the Threat Centric NAC service:
- The Threat Centric NAC service requires a Cisco ISE Premier license.
- The Threat Centric NAC service can be enabled on only one node in a deployment.
- You can add only one instance of an adapter per vendor for the Vulnerability Assessment service. However, you can add multiple instances of the FireAMP adapter.
- You can stop and restart an adapter without losing its configuration. After configuring an adapter, you can stop it at any time. A stopped adapter remains in the Stopped state even when the ISE services are restarted. Select the adapter and click Restart to start it again.
Note
When an adapter is in the Stopped state, you can edit only the name of the adapter instance; you cannot edit the adapter configuration or the advanced settings.
You can view the threat information for the endpoints on the following pages:
- Home page > Threat dashboard
- Context Visibility > Endpoints > Compromised Endpoints
The following alarms are triggered by the Threat Centric NAC service:
- Adapter not reachable (syslog ID: 91002): Indicates that the adapter cannot be reached.
- Adapter Connection Failed (syslog ID: 91018): Indicates that the adapter is reachable but the connection between the adapter and the source server is down.
- Adapter Stopped Due to Error (syslog ID: 91006): Triggered if the adapter is not in the desired state. If this alarm is displayed, check the adapter configuration and server connectivity. Refer to the adapter logs for more details.
- Adapter Error (syslog ID: 91009): Indicates that the Qualys adapter is unable to establish a connection with, or download information from, the Qualys site.
The following reports are available for the Threat Centric NAC service:
- Adapter Status: Displays the status of the threat and vulnerability adapters.
- COA Events: When a vulnerability event is received for an endpoint, Cisco ISE triggers CoA for that endpoint. The CoA Events report displays the status of these CoA events. It also displays the old and new authorization rules and the profile details for these endpoints.
- Threat Events: Lists all the threat events that Cisco ISE receives from the various adapters that you have configured. Vulnerability Assessment events are not included in this report.
- Vulnerability Assessment: Provides information about the assessments that are happening for your endpoints. You can view this report to check whether assessment is happening according to the configured policy.
You can view the following information from Operations > Reports > Diagnostics > ISE Counters > Threshold Counter Trends:
- Total number of events received
- Total number of threat events
- Total number of vulnerability events
- Total number of CoAs issued (to PSN)
The values for these attributes are collected every 5 minutes, so these values represent the count for the last 5 minutes.
The Threat dashboard contains the following dashlets:
- Total Compromised Endpoints: Displays the total number of endpoints (both connected and disconnected) that are currently impacted on the network.
- Compromised Endpoints Over Time: Displays a historical view of the impact on endpoints for the specified time period.
- Top Threats: Displays the top threats based on the number of endpoints impacted and the severity of the threat.
- Threats Watchlist: Lets you analyze the trend of selected events.
The size of the bubbles in the Top Threats dashlet indicates the number of endpoints impacted and the light shaded area indicates the number of disconnected endpoints. The color as well as the vertical scale indicate the severity of the threat. There are two categories of threat—Indicators and Incidents. The severity attribute for Indicator is "Likely_Impact" and the severity attribute for Incident is "Impact_Qualification".
The Compromised Endpoint window displays the matrix view of the endpoints that are impacted and the severity of the impact for each threat category. You can click on the device link to view the detailed threat information for an endpoint.
The Course Of Action chart displays the action taken (Internal Blocking, Eradication, or Monitoring) for the threat incidents based on the CTA-Course_Of_Action attribute received from the CTA adapter.
The Vulnerability dashboard on the Home page contains the following dashlets:
- Total Vulnerable Endpoints: Displays the total number of endpoints that have a CVSS score greater than the specified value. Also displays the total number of connected and disconnected endpoints that have a CVSS score greater than the specified value.
- Top Vulnerability: Displays the top vulnerabilities based on the number of endpoints impacted or the severity of the vulnerability. The size of the bubbles indicates the number of endpoints impacted and the light shaded area indicates the number of disconnected endpoints. The color as well as the vertical scale indicates the severity of the vulnerability.
- Vulnerability Watchlist: Lets you analyze the trend of selected vulnerabilities over a period of time. Click the search icon in the dashlet and enter the vendor-specific ID ("qid" for a Qualys ID number) to select and view the trend for that particular ID.
- Vulnerable Endpoints Over Time: Displays a historical view of the impact on endpoints over time.
The Endpoint Count By CVSS graph on the Vulnerable Endpoints window shows the number of endpoints that are affected and their CVSS scores. You can also view the list of affected endpoints on the Vulnerable Endpoints window. You can click the device link to view the detailed vulnerability information for each endpoint.
Threat Centric NAC service logs are included in the support bundle. Threat Centric NAC service logs are located at support/logs/TC-NAC/
Note
Cisco ISE does not support on-demand scanning with credentials on endpoints.
Enable Threat Centric NAC Service
To configure vulnerability and threat adapters, you must first enable the Threat Centric NAC service. This service can be enabled on only one Policy Service Node in your deployment.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon (
Step 2: Check the check box next to the PSN on which you want to enable the Threat Centric NAC service and click Edit.
Step 3: Check the Enable Threat Centric NAC Service check box.
Step 4: Click Save.
Add SourceFire FireAMP Adapter
Before you begin
- You must have an account with SourceFire FireAMP.
- You must deploy FireAMP clients on all endpoints.
- You must enable the Threat Centric NAC service on the deployment node (see Enable Threat Centric NAC Service).
- The FireAMP adapter uses SSL/TLS for REST API calls to the AMP cloud and AMQP to receive events; both use port 443. The adapter also supports the use of a proxy.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon (
Step 2: Click Add.
Step 3: Select AMP : Threat from the Vendor drop-down list.
Step 4: Enter a name for the adapter instance.
Step 5: Click Save.
Step 6: Refresh the Vendor Instances listing window. You can configure the adapter only after the adapter status changes to Ready to Configure on the Vendor Instances listing window.
Step 7: Click the Ready to configure link.
Step 8: (Optional) If you have configured a SOCKS proxy server to route all the traffic, enter the hostname and the port number of the proxy server.
Step 9: Select the cloud to which you want to connect. You can select the US cloud or the EU cloud.
Step 10: Select the event source to which you want to subscribe. The following options are available:
Step 11: Click the FireAMP link and log in to FireAMP as admin. Click Allow in the Applications pane to authorize the Streaming Event Export request.
Step 12: Select the events (for example, suspicious download, connection to suspicious domain, executed malware, Java compromise) that you want to monitor. When you change the advanced settings or reconfigure an adapter, any new events added to the AMP cloud are also listed in the Events Listing window. You can choose a log level for the adapter: Error, Info, or Debug. A summary of the adapter instance configuration is displayed in the Configuration Summary window.
Configure Cognitive Threat Analytics Adapter
Before you begin
- You must enable the Threat Centric NAC service on the deployment node (see Enable Threat Centric NAC Service).
- Log in to the Cisco Cognitive Threat Analytics (CTA) portal and request the CTA STIX/TAXII service. For more information, see the Cisco ScanCenter Administrator Guide.
- The Cognitive Threat Analytics (CTA) adapter uses the TAXII protocol over SSL/TLS to poll the CTA cloud for detected threats. It also supports the use of a proxy.
- Import the adapter certificate into the Trusted Certificate Store. Choose Administration > System > Certificates > Trusted Certificates > Import to import the certificate.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon (
Step 2: Click Add.
Step 3: Select CTA : Threat from the Vendor drop-down list.
Step 4: Enter a name for the adapter instance.
Step 5: Click Save.
Step 6: Refresh the Vendor Instances listing page. You can configure the adapter only after the adapter status changes to Ready to Configure on the Vendor Instances listing page.
Step 7: Click the Ready to configure link.
Step 8: Enter the following details:
Step 9: Click Next.
Step 10: Click Advanced Settings to configure the following options:
Step 11: Click Finish.
Note
CTA works with user identities listed in the web proxy logs as IP addresses or usernames. In the case of IP addresses, the IP address of a device that is seen in the proxy logs may collide with the IP address of another device on the internal network. For example, roaming users connected via AnyConnect with a split tunnel directly to the internet could acquire a local address (for example, a 10.0.0.x address) that collides with an address in an overlapping private IP range used on the internal network. We recommend that you take the logical network architecture into account while defining the policies, to avoid quarantine actions being applied to mismatched devices.
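The following is an added example (not Cisco ISE or CTA code) of the kind of guard the note above calls for: before acting on a CTA indicator that is keyed only by an IP address, check whether that address falls in an internal subnet that overlaps the private ranges roaming split-tunnel clients are known to pick up. The subnet lists, the `Indicator` shape and the three-way decision are assumptions made for illustration.

```python
"""Guard against applying an IP-keyed CTA indicator to the wrong device.

Added example, not Cisco ISE or CTA code. The subnet inventory, the sample
indicators and the decision rule are assumptions used to illustrate the
address-overlap problem: a roaming client's home-LAN address (e.g. 10.0.0.x)
can look identical to an internal host's address in the proxy logs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory of internal subnets (assumption).
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "10.10.0.0/16")]
# Private ranges that roaming, split-tunnel clients are known to acquire locally
# (home/hotel LANs). An address in one of these cannot be trusted to identify an
# internal host (assumption).
ROAMING_LOCAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.168.0.0/16")]


@dataclass
class Indicator:
    ip: Optional[str]          # identity as it appeared in the web proxy log
    username: Optional[str]    # present when the proxy logged a user, not just an IP
    course_of_action: str      # e.g. "Internal Blocking" (CTA-Course_Of_Action)


def ambiguous_ranges() -> List[ipaddress.IPv4Network]:
    """Internal subnets that overlap a range roaming clients may occupy."""
    return [i for i in INTERNAL_SUBNETS if any(i.overlaps(r) for r in ROAMING_LOCAL_RANGES)]


def decide(ind: Indicator) -> str:
    """Return 'enforce-by-user', 'enforce', or 'hold'.

    'hold' means: do not quarantine on this indicator alone; correlate with the
    username or session data first.
    """
    if ind.username:
        return "enforce-by-user"       # a username is unambiguous
    if not ind.ip:
        return "hold"
    addr = ipaddress.ip_address(ind.ip)
    if any(addr in net for net in ambiguous_ranges()):
        return "hold"                   # could be a roaming client's home LAN address
    if any(addr in net for net in INTERNAL_SUBNETS):
        return "enforce"                # unambiguous internal host
    return "hold"                       # unknown address space


if __name__ == "__main__":
    # Constructed sample indicators (not real telemetry).
    for ind in (Indicator("10.0.0.23", None, "Internal Blocking"),
                Indicator("10.10.4.9", None, "Internal Blocking"),
                Indicator("10.0.0.23", "alice", "Internal Blocking")):
        print(ind.ip, ind.username, "->", decide(ind))
```

The overlap test uses `IPv4Network.overlaps`, so adding a roaming range such as 172.16.0.0/12 later automatically widens the set of internal subnets that are held rather than enforced.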
Configure Authorization Profiles for CTA Adapter
For each threat event, the CTA adapter returns one of the following values for the Course of Action attribute: Internal Blocking, Monitoring, or Eradication. You can create authorization profiles based on these values.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon (
Step 2: Click Add.
Step 3: Enter a name and description for the authorization profile.
Step 4: Select the Access Type.
Step 5: Enter the required details and click Submit.
Configure Authorization Policy using the Course of Action Attribute
You can use the CTA-Course_Of_Action attribute to configure authorization policies for the endpoints for which threat events are reported. This attribute is available in the Threat dictionary.
You can also create exception rules based on the CTA-Course_Of_Action attribute.
Procedure
Step 1: Choose Policy > Policy Sets.
Step 2: Create a condition to check for the CTA-Course_Of_Action attribute value and assign the appropriate authorization profile. For example: Network_Access_Authentication_Passed AND Threat:CTA-Course_Of_Action CONTAINS Internal Blocking then blocking (authorization profile)
Step 3: Click Save.
Note
Sometimes CTA sends multiple risks and their associated Course of Action values in one incident. For example, it can send both "Internal Blocking" and "Monitoring" in one incident. In this case, if you have configured an authorization policy to quarantine endpoints using the "equals" operator, the endpoints will not be quarantined, because the attribute value is not exactly equal to "Internal Blocking". For example:
In such cases, you must use the "contains" operator in the authorization policy to quarantine the endpoints. For example:
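The following is an added example, not Cisco ISE code, that models the two policy conditions shown on this page (the Threat:Qualys-CVSS_Base_Score > 7.0 quarantine rule and the Threat:CTA-Course_Of_Action rule) as a small first-match evaluator. It makes the "equals" versus "contains" pitfall from the note concrete: when CTA delivers both "Internal Blocking" and "Monitoring" in one incident, the equals rule falls through to the default profile while the contains rule matches. The attribute names come from the Threat dictionary listed above; the rule representation, operator semantics and the modelling of a multi-valued incident as a Python list are assumptions.

```python
"""Toy evaluator for ISE-style authorization rules over the Threat dictionary.

Added example, not Cisco ISE code. Attribute names come from the TC-NAC
documentation; the rule representation, operator semantics and the way a
multi-valued incident is modelled (a list) are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable

# Threat-dictionary attribute names used in the page's examples.
CVSS_BASE = "Threat:Qualys-CVSS_Base_Score"
COURSE_OF_ACTION = "Threat:CTA-Course_Of_Action"


def _as_list(value) -> list:
    # CTA can deliver several courses of action in one incident; model that as a
    # list and wrap scalars so every operator sees the same shape.
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def op_greater_than(actual, expected) -> bool:
    # CVSS Base/Temporal scores are 0..10; reject anything outside that range.
    if actual is None:
        return False
    score = float(actual)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return score > float(expected)


def op_equals(actual, expected) -> bool:
    # EQUALS compares the whole value: ["Internal Blocking", "Monitoring"]
    # is NOT equal to "Internal Blocking", so the rule silently misses.
    return actual is not None and _as_list(actual) == [expected]


def op_contains(actual, expected) -> bool:
    # CONTAINS matches if any delivered value equals the expected one.
    return actual is not None and expected in _as_list(actual)


OPERATORS: Dict[str, Callable] = {
    ">": op_greater_than,
    "EQUALS": op_equals,
    "CONTAINS": op_contains,
}


@dataclass
class Rule:
    name: str
    attribute: str
    operator: str
    expected: object
    profile: str                      # authorization profile applied on match


@dataclass
class Session:
    mac: str
    auth_passed: bool                 # Network_Access_Authentication_Passed
    threat: dict = field(default_factory=dict)   # Threat dictionary for the endpoint


def evaluate(rules: Iterable[Rule], session: Session, default_profile: str = "PermitAccess") -> str:
    """First-match evaluation, like an ISE policy set; returns the profile name."""
    if not session.auth_passed:
        return "Reject"
    for rule in rules:
        actual = session.threat.get(rule.attribute)
        if OPERATORS[rule.operator](actual, rule.expected):
            return rule.profile
    return default_profile


# Constructed rules mirroring the page's two examples (assumed names/profiles).
RULES = [
    Rule("Vuln-Quarantine", CVSS_BASE, ">", 7.0, "Quarantine"),
    Rule("CTA-Block-Contains", COURSE_OF_ACTION, "CONTAINS", "Internal Blocking", "blocking"),
]
# The same intent written with EQUALS, to show why it fails on multi-valued incidents.
RULES_EQUALS = [
    Rule("CTA-Block-Equals", COURSE_OF_ACTION, "EQUALS", "Internal Blocking", "blocking"),
]

# Constructed endpoints (sample data, not real telemetry).
VULNERABLE = Session("00:11:22:33:44:55", True, {CVSS_BASE: 9.8})
CLEAN = Session("00:11:22:33:44:66", True, {CVSS_BASE: 3.1})
MULTI_RISK = Session("00:11:22:33:44:77", True,
                     {COURSE_OF_ACTION: ["Internal Blocking", "Monitoring"]})


def demo() -> Dict[str, str]:
    return {
        "vulnerable": evaluate(RULES, VULNERABLE),           # Quarantine
        "clean": evaluate(RULES, CLEAN),                     # PermitAccess
        "multi_contains": evaluate(RULES, MULTI_RISK),       # blocking
        "multi_equals": evaluate(RULES_EQUALS, MULTI_RISK),  # PermitAccess (missed)
    }


if __name__ == "__main__":
    for name, profile in demo().items():
        print(f"{name}: {profile}")
```

The range check in `op_greater_than` is there because the page states the valid score range is 0 to 10; a score outside it indicates a malformed adapter event and is better surfaced than compared.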