pxGrid ANC Commands

Overview

Adaptive Network Control (ANC) enables dynamic endpoint quarantine and policy enforcement. These commands use pxGrid’s ANC service for real-time operations.

Commands

anc-policies

List all configured ANC policies.

netapi ise pxgrid anc-policies

Output:

╭────────────────────────────────────────────────╮
│                  ANC Policies                  │
├─────────────────────────┬──────────────────────┤
│ Name                    │ Actions              │
├─────────────────────────┼──────────────────────┤
│ Quarantine              │ QUARANTINE           │
│ Shutdown                │ SHUT_DOWN            │
│ PortBounce              │ PORT_BOUNCE          │
│ Investigate             │ QUARANTINE           │
╰─────────────────────────┴──────────────────────╯

anc-endpoints

List endpoints with ANC policies applied.

netapi ise pxgrid anc-endpoints

Output:

╭──────────────────────────────────────────────────╮
│                 ANC Endpoints                    │
├───────────────────┬──────────────────────────────┤
│ MAC               │ Policy                       │
├───────────────────┼──────────────────────────────┤
│ C8:5B:76:C6:59:62 │ Quarantine                   │
│ 70:15:FB:F8:47:EC │ Investigate                  │
╰───────────────────┴──────────────────────────────╯

apply-anc

Apply an ANC policy to an endpoint.

netapi ise pxgrid apply-anc <MAC> <POLICY>

Example:

# Quarantine a suspicious device
netapi ise pxgrid apply-anc C8:5B:76:C6:59:62 Quarantine

Output:

Applied ANC policy 'Quarantine' to C8:5B:76:C6:59:62

clear-anc

Remove the ANC policy currently applied to an endpoint.

netapi ise pxgrid clear-anc <MAC>

Example:

# Release from quarantine
netapi ise pxgrid clear-anc C8:5B:76:C6:59:62

Output:

Cleared ANC policy from C8:5B:76:C6:59:62

ANC Actions

Action            Effect
QUARANTINE        Apply quarantine dACL, restrict access
SHUT_DOWN         Disable switch port
PORT_BOUNCE       Bounce port to force re-authentication
RE_AUTHENTICATE   Trigger CoA re-authentication

Operational Workflows

Incident Response

#!/bin/bash
# incident-quarantine.sh <MAC> <REASON>

MAC="${1:?Usage: incident-quarantine.sh <MAC> <REASON>}"
REASON="${2:-Security incident}"

# 1. Quarantine immediately
netapi ise pxgrid apply-anc "$MAC" Quarantine

# 2. Log the action
echo "$(date) | QUARANTINE | $MAC | $REASON" >> /var/log/ise-anc.log

# 3. Get session details for investigation
netapi ise pxgrid session "$MAC" > "/tmp/incident-$MAC.json"

echo "Quarantined: $MAC"
echo "Session saved: /tmp/incident-$MAC.json"

Automated Threat Response

#!/bin/bash
# auto-quarantine.sh - Quarantine devices with >5 auth failures

# Get repeat offenders: group the failed-auth records by MAC, keep groups with
# more than 5 entries, and emit one MAC per group (group_by yields arrays, so
# the address is read from the first element of each group)
OFFENDERS=$(netapi ise dc -f json failed --hours 1 | jq -r '
  group_by(.mac) |
  map(select(length > 5) | .[0].mac) |
  .[]
')

for MAC in $OFFENDERS; do
  echo "Quarantining repeat offender: $MAC"
  netapi ise pxgrid apply-anc "$MAC" Quarantine
done
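The script above applies a policy to every address a query returns, with no check that the address is well formed, that the policy name exists, or that the endpoint is one you would ever want to cut off. The wrapper below is an added example (not part of netapi or of this page's scripts): it normalises the MAC to the colon form shown in the anc-endpoints output, checks the policy against the names listed by anc-policies, refuses addresses on an exemption list, and only then calls apply-anc and appends to the same log file the incident script uses. The exemption list, the DRY_RUN variable and the sample addresses are assumptions made for the example.

```shell
#!/bin/sh
# safe-quarantine.sh - guarded wrapper around "netapi ise pxgrid apply-anc".
# Added example, not part of the netapi project. Only the apply-anc syntax and
# the policy names are taken from this page; everything else is illustrative.

# Endpoints that must never be auto-quarantined (constructed sample list:
# think core switches, ISE nodes' own interfaces, out-of-band management).
EXEMPT_MACS="00:11:22:33:44:55
AA:BB:CC:DD:EE:01"

# Policies this wrapper is allowed to apply (the anc-policies output above).
ALLOWED_POLICIES="Quarantine Shutdown PortBounce Investigate"

# normalize_mac RAW: accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff
# or aabbccddeeff and print the canonical upper-case colon form. Prints nothing
# and returns 1 for anything that is not exactly 12 hex digits.
normalize_mac() {
  hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'a-f' 'A-F')
  case "$hex" in
    *[!0-9A-F]*|'') return 1 ;;
  esac
  [ ${#hex} -eq 12 ] || return 1
  printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# is_exempt MAC: returns 0 if the canonical MAC is on the exemption list.
is_exempt() {
  for m in $EXEMPT_MACS; do
    if [ "$m" = "$1" ]; then return 0; fi
  done
  return 1
}

# policy_allowed NAME: returns 0 if NAME is a policy the wrapper may apply.
policy_allowed() {
  for p in $ALLOWED_POLICIES; do
    if [ "$p" = "$1" ]; then return 0; fi
  done
  return 1
}

# safe_apply_anc RAW_MAC POLICY [REASON]
# Prints "apply <MAC> <POLICY>" and (unless DRY_RUN=1) runs the real command
# when every check passes; otherwise prints a "skip: ..." line and returns 1,
# so a calling script and its log show exactly why nothing was changed.
safe_apply_anc() {
  mac=$(normalize_mac "$1") || { echo "skip: invalid MAC '$1'"; return 1; }
  policy=$2
  reason=${3:-"no reason given"}
  if ! policy_allowed "$policy"; then
    echo "skip: unknown policy '$policy'"; return 1
  fi
  if is_exempt "$mac"; then
    echo "skip: $mac is exempt"; return 1
  fi
  echo "apply $mac $policy"
  if [ "${DRY_RUN:-0}" != 1 ]; then
    netapi ise pxgrid apply-anc "$mac" "$policy" || return 1
    # Same line format as incident-quarantine.sh so release tooling can read it
    echo "$(date) | $(echo "$policy" | tr 'a-z' 'A-Z') | $mac | $reason" >> /var/log/ise-anc.log
  fi
  return 0
}

# Usage from another script, e.g. in place of the bare apply-anc call above:
#   . ./safe-quarantine.sh
#   safe_apply_anc "$MAC" Quarantine "repeat auth failures"
```

Run with DRY_RUN=1 first to see which addresses the checks would let through; the "skip:" lines are worth keeping in the log, since an automation that silently does nothing for an exempt or malformed address is harder to audit than one that says so.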

Scheduled Release

#!/bin/bash
# release-quarantine.sh - Release devices quarantined >24h
# Quarantine times are read from the log written by incident-quarantine.sh
# (timestamp | QUARANTINE | MAC | reason); parsing uses GNU "date -d".

LOG=/var/log/ise-anc.log
CUTOFF=$(( $(date +%s) - 24*3600 ))

# Get quarantined endpoints
netapi ise pxgrid -f json anc-endpoints | jq -r '.[] | .macAddress' | while read -r MAC; do
  # Most recent QUARANTINE entry for this MAC; the timestamp is the first field
  APPLIED=$(grep "| QUARANTINE | $MAC |" "$LOG" | tail -n 1 | cut -d'|' -f1)
  [ -n "$APPLIED" ] || continue                                # no record: leave it quarantined
  [ "$(date -d "$APPLIED" +%s)" -le "$CUTOFF" ] || continue    # quarantined less than 24h ago
  netapi ise pxgrid clear-anc "$MAC"
  echo "Released: $MAC"
done

See Also