ANC Operations

Overview

Adaptive Network Control (ANC) allows external systems to apply or clear endpoint policies via pxGrid.

Service: com.cisco.ise.config.anc

Operations: applyEndpointByMacAddress, clearEndpointByMacAddress

Policies: QUARANTINE, SHUT_DOWN, PORT_BOUNCE

ANC Policies

Policy Types

Policy        Action                            Use Case
QUARANTINE    Apply quarantine authz profile    Isolate suspicious endpoint
SHUT_DOWN     Disable port                      Block compromised device
PORT_BOUNCE   Bounce port (reauth)              Force policy refresh

Create ANC Policy (via ERS)

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_PAN_IP}:9060/ers/config/ancpolicy" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d '{
    "ErsAncPolicy": {
      "name": "Quarantine_Policy",
      "actions": ["QUARANTINE"]
    }
  }'

Apply ANC Policy

Via REST

# Get ANC service endpoint
SERVICE=$(curl -sk --cert "${PXGRID_CERT}" --key "${PXGRID_KEY}" \
  "https://${ISE_PAN_IP}:8910/pxgrid/control/ServiceLookup" \
  -H "Content-Type: application/json" \
  -d '{"name": "com.cisco.ise.config.anc"}')

ANC_URL=$(echo "$SERVICE" | jq -r '.services[0].properties.restBaseUrl')
NODE_NAME=$(echo "$SERVICE" | jq -r '.services[0].nodeName')

# Get access secret
SECRET=$(curl -sk --cert "${PXGRID_CERT}" --key "${PXGRID_KEY}" \
  "https://${ISE_PAN_IP}:8910/pxgrid/control/AccessSecret" \
  -H "Content-Type: application/json" \
  -d "{\"peerNodeName\": \"${NODE_NAME}\"}" | jq -r '.secret')

# Apply policy
MAC="C8:5B:76:C6:59:62"
curl -sk --cert "${PXGRID_CERT}" --key "${PXGRID_KEY}" \
  -u "pxgrid-client:${SECRET}" \
  "${ANC_URL}/applyEndpointByMacAddress" \
  -H "Content-Type: application/json" \
  -X POST \
  -d "{
    \"macAddress\": \"${MAC}\",
    \"policyName\": \"Quarantine_Policy\"
  }"

Via netapi (future)

netapi ise pxgrid anc apply --mac "C8:5B:76:C6:59:62" --policy "Quarantine_Policy"

Clear ANC Policy

MAC="C8:5B:76:C6:59:62"
curl -sk --cert "${PXGRID_CERT}" --key "${PXGRID_KEY}" \
  -u "pxgrid-client:${SECRET}" \
  "${ANC_URL}/clearEndpointByMacAddress" \
  -H "Content-Type: application/json" \
  -X POST \
  -d "{\"macAddress\": \"${MAC}\"}"

Get ANC Status

MAC="C8:5B:76:C6:59:62"
curl -sk --cert "${PXGRID_CERT}" --key "${PXGRID_KEY}" \
  -u "pxgrid-client:${SECRET}" \
  "${ANC_URL}/getEndpointByMacAddress" \
  -H "Content-Type: application/json" \
  -X POST \
  -d "{\"macAddress\": \"${MAC}\"}"

Integration: SIEM Automated Response

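#!/usr/bin/env python3
"""
Automated ANC response based on SIEM alert.
Quarantine endpoint when threat detected.
"""

import os

import requests

# Assumed environment variables (not defined on this page): export the values
# obtained in the "Apply ANC Policy" steps before running.
ANC_REST_URL = os.environ.get("ANC_URL", "")  # restBaseUrl from ServiceLookup
ISE_CA_BUNDLE = os.environ.get("ISE_CA_BUNDLE", "/path/to/ise-ca.pem")


def get_access_secret():
    """Return the pxGrid access secret (from the AccessSecret API)."""
    return os.environ["PXGRID_SECRET"]


def apply_quarantine(mac_address, policy="Quarantine_Policy"):
    """Apply ANC quarantine policy to endpoint."""

    # pxGrid credentials
    cert = ("/path/to/client.pem", "/path/to/client.key")
    secret = get_access_secret()  # From AccessSecret API

    url = f"{ANC_REST_URL}/applyEndpointByMacAddress"

    response = requests.post(
        url,
        cert=cert,
        auth=("pxgrid-client", secret),
        json={
            "macAddress": mac_address,
            "policyName": policy
        },
        # Verify the ISE server certificate so the access secret is only
        # ever sent to the real pxGrid node.
        verify=ISE_CA_BUNDLE,
        # requests has no default timeout; fail instead of hanging the handler.
        timeout=10
    )

    # Any 2xx status means ISE accepted the request.
    return response.ok


# Example: Triggered by SIEM webhook
def handle_threat_alert(alert):
    """Handle incoming threat alert from SIEM."""
    mac = alert.get("endpoint_mac")
    threat_level = alert.get("severity")

    if not mac:
        # Nothing to act on without an endpoint MAC address.
        print("Alert has no endpoint_mac, ignoring")
        return

    if threat_level == "CRITICAL":
        print(f"Quarantining {mac} due to critical threat")
        if not apply_quarantine(mac):
            print(f"Quarantine request for {mac} was not accepted")
    elif threat_level == "HIGH":
        print(f"Monitoring {mac} - high severity")
        # Log but don't quarantine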
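
A guard that could sit in front of apply_quarantine in the webhook handler above, so a malformed MAC, a protected host or an alert storm cannot turn into a mass quarantine. This is an added example, not code from the original page; the QuarantineGuard class, the normalize_mac helper, the protected-MAC list and the limits are assumptions made for illustration.

```python
import re
import time


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not a MAC."""
    if not isinstance(raw, str):
        return None
    digits = re.sub(r"[.:-]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class QuarantineGuard:
    """Decides whether a SIEM alert may trigger an ANC quarantine."""

    def __init__(self, protected, max_per_window=3, window_seconds=600):
        self.protected = {normalize_mac(m) for m in protected}
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.recent = {}  # normalized MAC -> time the quarantine was accepted

    def decide(self, alert, now=None):
        """Return (action, mac, reason); action is 'quarantine' or 'skip'."""
        now = time.time() if now is None else now
        mac = normalize_mac(alert.get("endpoint_mac"))
        if mac is None:
            return ("skip", None, "invalid or missing endpoint_mac")
        if alert.get("severity") != "CRITICAL":
            return ("skip", mac, "severity below CRITICAL")
        if mac in self.protected:
            return ("skip", mac, "protected endpoint, needs analyst approval")
        # Forget quarantines that have aged out of the window.
        self.recent = {m: t for m, t in self.recent.items()
                       if now - t < self.window_seconds}
        if mac in self.recent:
            return ("skip", mac, "duplicate alert in current window")
        if len(self.recent) >= self.max_per_window:
            return ("skip", mac, "rate limit reached, possible alert storm")
        self.recent[mac] = now
        return ("quarantine", mac, "critical alert accepted")


# Constructed sample inventory and alert, for illustration only.
GUARD = QuarantineGuard(protected=["00:11:22:33:44:55"], max_per_window=2)
SAMPLE_ALERT = {"endpoint_mac": "c85b.76c6.5962", "severity": "CRITICAL"}

if __name__ == "__main__":
    print(GUARD.decide(SAMPLE_ALERT))
```

Call decide() before apply_quarantine() and log the reason for every skip so suppressed actions can be reviewed by an analyst.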

Troubleshooting

Policy Not Applied

  1. Verify endpoint has active session

  2. Check ANC policy exists in ISE

  3. Verify pxGrid client has ANC permissions

Operation Timeout

  1. Check network connectivity to ISE

  2. Verify pxGrid service is healthy

  3. Check ISE MnT node status
