Day 80 – Cisco ISE Mastery Training: Threat-Centric NAC Overview

[Day 80] Cisco ISE Mastery Training: Threat-Centric NAC Overview

Post Views: 6

Introduction

Cisco’s Threat-Centric NAC (TC-NAC) takes network access control beyond authentication and authorization.
It integrates real-time threat intelligence from Cisco ecosystem tools (Firepower, AMP for Endpoints, Cisco SecureX, Talos, Stealthwatch) into Cisco ISE.

Why this matters:

  • A user can be authenticated and authorized normally, but later infected by malware.
  • Traditional NAC can’t react after initial access.
  • TC-NAC enables dynamic session enforcement → Quarantine, block, or restrict the endpoint when it’s flagged as compromised.

This shifts ISE from identity-based NAC to threat-driven adaptive NAC.

Problem Statement

The Challenge:

  • NAC grants access at login but has no visibility into post-admission compromise.
  • Attackers often bypass traditional NAC by infecting trusted devices after authentication.
  • Security teams need:
    • Automated detection of compromised endpoints.
    • Integration between threat detection tools and NAC enforcement.
    • Real-time policy updates without manual intervention.

Without TC-NAC:

  • Malware spreads laterally.
  • SOC teams rely on manual incident response.
  • Networks lack adaptive defense.

Solution Overview

Cisco ISE + TC-NAC Approach:

  • Uses pxGrid (Platform Exchange Grid) to integrate with Cisco Threat Intelligence feeds.
  • Security partners (Firepower, AMP, Talos, Stealthwatch, SecureX) send threat events to ISE.
  • ISE updates endpoint Security Group Tags (SGTs) or Posture Status.
  • Network devices enforce policy via SGACLs, VLAN change, dACLs, or quarantine VLAN.

Result:

  • Endpoint compromised → flagged in Firepower/Talos → pxGrid → ISE session updated → switch/WLC enforces block/quarantine in real-time.

Sample Lab Topology

Lab Components (VMware/EVE-NG)

  • ISE 3.x (PAN + PSN roles)
  • WLC 9800 for wireless endpoints
  • Catalyst 9300 switch for wired integration
  • Firepower Management Center (FMC) + Firepower NGFW
  • AMP for Endpoints / SecureX
  • Endpoints: Windows 10 client + Ubuntu IoT device

Diagram:

Step-by-Step GUI + CLI Configuration Guide

Step 1 – Enable pxGrid on ISE

  1. Navigate to Administration > pxGrid Services.
  2. Enable pxGrid Node.
    • Check “Enable”
    • Select certificate for pxGrid.
    • Click Save.
      [Screenshot: ISE pxGrid Services]

Step 2 – Register Firepower/AMP with ISE

  1. On Firepower FMC:
    • Go to Integration > Identity Sources > pxGrid.
    • Add ISE hostname/IP.
    • Upload ISE pxGrid certificate.
    • Test connectivity.
      [Screenshot: FMC pxGrid Integration]
  2. On ISE:
    • Approve the Firepower pxGrid client under pxGrid Clients.
      [Screenshot: pxGrid Client Approval]

Step 3 – Create Adaptive Network Policy in ISE

  1. Navigate to Policy > Policy Sets > Authorization Policy.
  2. Add Rule:
    • Condition: Endpoint Threat = High (received via pxGrid).
    • Result: Quarantine VLAN 150 OR Apply dACL - DenyAll.
      [Screenshot: ISE Authorization Rule – Quarantine]

Step 4 – Configure Threat Feed Conditions

  1. Navigate to Policy > Profiling > Conditions.
  2. Add Condition:
    • Attribute: pxGrid ThreatCategory.
    • Operator: equals.
    • Value: Malware.
      [Screenshot: ISE Threat Condition Setup]

Step 5 – Switch/WLC Enforcement

On Catalyst Switch:

conf t
cts role-based enforcement
cts authorization list ise-auth
aaa authorization network ise-auth group radius

On WLC 9800:

radius server ISE
  address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
  key Cisco123
aaa authorization network default group radius

Step 6 – Validation

GUI Validation

  1. Go to Operations > Live Sessions.
  2. Select endpoint.
  3. Verify: Session shows Threat = High and Quarantine Policy applied.
    [Screenshot: ISE Live Session – Quarantined Endpoint]

CLI Validation
On Switch:

show cts role-based session
show authentication sessions interface Gi1/0/2

On WLC:

show wireless client mac <mac-address> detail

You should see:

  • SGT updated or dACL applied.
  • VLAN change if configured.

FAQs

1. Q: What licenses are required to enable Threat-Centric NAC in Cisco ISE?
A: At minimum, you need the Plus License (for pxGrid and integrations). The Base License covers identity and auth, but TC-NAC requires pxGrid-based threat feed subscriptions, which fall under Plus. If you add posture/remediation, you also need the Apex license.

2. Q: How does ISE know an endpoint is compromised?
A: ISE itself doesn’t do malware analysis. Instead, it subscribes to external threat intelligence feeds (e.g., Firepower, AMP, Talos, Stealthwatch) via pxGrid. When those tools detect a compromise, they push the threat context into ISE, which updates the endpoint’s session state.

3. Q: What enforcement options does ISE support when a threat is detected?
A: Enforcement is flexible:

  • Quarantine VLAN → reassign endpoint to remediation VLAN.
  • Downloadable ACL (dACL) → block/allow only specific traffic.
  • SGACLs with SGT reassignment → dynamic segmentation-based restrictions.
  • Full block/port shut (last resort).

4. Q: Can Threat-Centric NAC apply different actions based on severity?
A: Yes. ISE can consume threat severity levels (Low, Medium, High, Critical) from pxGrid. You can build Authorization Policy rules such as:

  • Low → allow with monitoring.
  • Medium → apply restricted ACL.
  • High → move to quarantine VLAN.
  • Critical → deny all access.

5. Q: How quickly does ISE enforce a policy after a threat is detected?
A: In most cases, under 10–15 seconds. The flow is: Threat detected → Partner publishes event → pxGrid notifies ISE → ISE reevaluates session → switch/WLC enforces updated authorization.

6. Q: What happens if the endpoint is cleared by the threat intelligence source?
A: The same integration works in reverse. When Firepower/AMP marks the endpoint as “clean”, pxGrid notifies ISE → session gets re-evaluated → endpoint is restored to its original authorization (normal VLAN/ACL). This is called automatic remediation.

7. Q: Can Threat-Centric NAC work in distributed ISE deployments?
A: Yes. pxGrid is cluster-aware. You can enable pxGrid on one or more nodes. Threat events published on one node replicate to all PSNs in the deployment, ensuring consistent policy enforcement across the network.

8. Q: What’s the best way to validate TC-NAC is working in a lab?
A:

  1. Connect endpoint to switch/WLC and verify normal access.
  2. Simulate threat detection in Firepower (e.g., flag host with malware signature).
  3. Check ISE Live Sessions → endpoint status should change to “Threat High” with new policy.
  4. On switch: show authentication sessions interface Gi1/0/2 show cts role-based session Verify VLAN change, dACL, or SGT applied.

9. Q: What troubleshooting steps should I take if pxGrid events are not received by ISE?
A:

  • On ISE:
    • Check pxGrid service: show application status ise.
    • Review logs: show logging application pxgrid.log tail.
  • On FMC/AMP: Ensure pxGrid certificate trust is established.
  • In GUI: Confirm pxGrid Client is “Approved” in ISE.

10. Q: Can non-Cisco tools integrate with Threat-Centric NAC?
A: Yes. Any security product that supports pxGrid API can publish threat events to ISE. Examples: IBM QRadar, Splunk, McAfee ePO. They integrate via pxGrid SDK, and ISE enforces policy the same way.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing Notes

  • Threat-Centric NAC makes access policies dynamic → not just “who you are” but “are you safe right now.”
  • Integration via pxGrid is the backbone.
  • Testing and validation are crucial: always verify Live Sessions, switch/WLC session state, and pxGrid logs.

Upgrade Your Skills – Start Today

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes.

I run a focused 4-month Fast-Track Cisco ISE Mastery Pro (part of CCIE Security program).

  • Live labs (wired, wireless, pxGrid, Threat-Centric NAC).
  • Workbook + Recording Access.
  • Direct mentorship to clear your doubts.

Check course outline here: https://course.networkjourney.com/ccie-security/

Take the fast-track route – don’t just learn configs, master real-world NAC deployments!

Enroll Now & Future‑Proof Your Career
Emailinfo@networkjourney.com
WhatsApp / Call: +91 97395 21088

Trainer Sagar Dhawan
Hi all, Good to see you here. I'm your Trainer for CCIE, CCNP, CCNA, Firewall batches and many more courses coming up! Stay tuned for latest updates! Keep me posted over Whatsapp/Email about your experience learning from us. Thanks for being part of - "Network Journey - A journey towards packet-life!!!"

Related Posts

Day 13 – Cisco ISE Mastery Training: Configuring Device Admin via TACACS+

[Day 13] Cisco ISE Mastery Training: Configuring Device Admin via TACACS+

  • Posted on
    • Day 51 – Cisco ISE Mastery Training: Wireless DACL Assignments

    [Day 51] Cisco ISE Mastery Training: Wireless DACL Assignments

  • Posted on
    • Day 75 – Cisco ISE Mastery Training: Applying TrustSec in Wired Networks

    [Day 75] Cisco ISE Mastery Training: Applying TrustSec in Wired Networks

  • Posted on