# ANC Quarantine Policy

## Overview

Adaptive Network Control (ANC) enables real-time endpoint quarantine and remediation without disrupting the entire network. When a threat is detected or posture compliance fails, Cisco ISE can dynamically apply an ANC policy to isolate the affected endpoint.

## ANC Policy Types
| Policy | Effect | Use Case |
|---|---|---|
| QUARANTINE | Move to quarantine VLAN with restricted access | Posture failure, suspicious activity, investigation |
| SHUTDOWN | Disable switch port completely | Confirmed malware, security incident, stolen device |
| PORT_BOUNCE | Force port down/up to trigger reauthentication | Refresh session, apply new policy, test authentication |
## Prerequisites

### 1. Configure Quarantine VLAN

VLAN 999 (CRITICAL_AUTH_VLAN) - Isolated quarantine network

```bash
# Verify VLAN exists on switch
netapi ios exec "show vlan id 999"
# Expected output:
# VLAN Name                             Status    Ports
# ---- -------------------------------- --------- -----------
# 999  CRITICAL_AUTH_VLAN               active
```

Network access in quarantine:

- Can reach remediation server (AV updates, patches)
- Can reach ISE for posture assessment
- Cannot reach production resources
- Cannot reach other endpoint VLANs
### 2. Create Quarantine DACL

```bash
# Source credentials
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)

# Create quarantine DACL with limited access
netapi ise create-dacl QUARANTINE_RESTRICTED \
  --acl "$(cat <<'EOF'
permit udp any host 10.50.1.21 eq 53
permit udp any host 10.50.1.1 eq 53
permit tcp any host 10.50.1.21 eq 443
permit tcp any host 10.50.1.21 eq 8443
permit tcp any host 10.50.1.50 eq 80
permit tcp any host 10.50.1.50 eq 443
deny ip any any
EOF
)" \
  --descr "Quarantine DACL - DNS, ISE, and remediation server only"
```

Breakdown:

- Lines 1-2: DNS to ISE and pfSense
- Lines 3-4: HTTPS to ISE (web portal, API)
- Lines 5-6: HTTP/HTTPS to remediation server (DC for Windows Update)
- Line 7: Deny all other traffic
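A quarantine DACL is only as good as its last line: one accidental `permit ip any any`, or a missing explicit deny, silently turns the quarantine into normal access. The lint below is an added example, not part of the runbook or the `netapi` tooling. It assumes the IOS-style `permit <proto> any host <ip> eq <port>` lines used in the DACL above, checks that every permit is scoped to one of the approved quarantine hosts (ISE, pfSense DNS, remediation server) on a specific protocol, and that the ACL ends with `deny ip any any`. The sample ACLs are constructed; the "bad" one is not from the page.

```shell
#!/bin/sh
# dacl-lint.sh - sanity-check a quarantine DACL before pushing it with
# "netapi ise create-dacl". Added example; assumes the IOS-style ACE syntax
# shown in the runbook ("permit <proto> any host <ip> eq <port>").

# Hosts a quarantined endpoint may reach (from the runbook's DACL):
# 10.50.1.21 = ISE, 10.50.1.1 = pfSense DNS, 10.50.1.50 = remediation server.
ALLOWED_HOSTS="10.50.1.21 10.50.1.1 10.50.1.50"

# dacl_lint <acl-text>
# Prints one "FAIL: ..." line per problem and returns 1 if any were found;
# prints "OK" and returns 0 when the DACL is fail-closed and host-scoped.
dacl_lint() {
    acl="$1"
    rc=0
    last=""
    n=0
    # Feed the ACL text through a here-doc so this stays POSIX sh.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|'!'*) continue ;; esac   # skip blanks/comments
        n=$((n + 1))
        last="$line"
        set -- $line                 # split the ACE into words: $1 $2 ...
        action="$1"; proto="$2"
        case "$action" in
            deny)   continue ;;
            permit) ;;
            *) echo "FAIL: line $n: unknown action '$action'"; rc=1; continue ;;
        esac
        # A permit whose destination is not "host <ip>" is broader than quarantine allows.
        if [ "$4" != "host" ]; then
            echo "FAIL: line $n: permit without host-scoped destination: $line"
            rc=1
            continue
        fi
        dst="$5"
        # "permit ip" opens every port on the host; quarantine should be per-service.
        if [ "$proto" = "ip" ]; then
            echo "FAIL: line $n: permit ip (all ports) to $dst"
            rc=1
        fi
        # Destination must be one of the approved ISE/DNS/remediation hosts.
        ok=0
        for h in $ALLOWED_HOSTS; do
            [ "$h" = "$dst" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "FAIL: line $n: destination $dst is not an approved quarantine host"
            rc=1
        fi
    done <<EOF
$acl
EOF
    # Fail closed: the final ACE must be the explicit deny.
    if [ "$last" != "deny ip any any" ]; then
        echo "FAIL: DACL does not end with 'deny ip any any' (last: '$last')"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: DACL is fail-closed and scoped to approved hosts"
    return "$rc"
}

# Constructed sample: the runbook's quarantine DACL verbatim.
GOOD_DACL='permit udp any host 10.50.1.21 eq 53
permit udp any host 10.50.1.1 eq 53
permit tcp any host 10.50.1.21 eq 443
permit tcp any host 10.50.1.21 eq 8443
permit tcp any host 10.50.1.50 eq 80
permit tcp any host 10.50.1.50 eq 443
deny ip any any'

# Constructed sample: a mistyped variant that would let quarantined hosts out.
BAD_DACL='permit tcp any host 10.50.1.21 eq 443
permit ip any any
deny ip any any'

echo "--- runbook DACL ---"; dacl_lint "$GOOD_DACL"
echo "--- broken DACL ---";  dacl_lint "$BAD_DACL" || echo "(lint failed as expected)"
```

Run it against the heredoc text before the `create-dacl` call, or wire it into whatever pipeline pushes DACL changes, so a broad permit never reaches ISE.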
### 3. Create Quarantine Authorization Profile

```bash
# Create authorization profile for quarantined endpoints
netapi ise create-authz-profile Quarantine_Restricted \
  --vlan CRITICAL_AUTH_VLAN \
  --dacl QUARANTINE_RESTRICTED \
  --descr "Quarantine profile - VLAN 999 with restricted access"
```
### 4. Create ANC Policies in ISE

ANC policies are pre-configured in the ISE GUI:

Policy & Work Centers → Profiling → Adaptive Network Control

Default ANC policies:

| Policy Name | Actions | Description |
|---|---|---|
| ANC: Quarantine | Move to quarantine VLAN | |
| ANC: Port Shutdown | Disable switch port | |
| CoA: Port Bounce | Force reauthentication | |
## Applying ANC Policies

### Quarantine an Endpoint

```bash
# Source credentials
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)

# Apply quarantine policy
netapi ise anc-apply 98:bb:1e:1f:a7:13 Quarantine

# Verify ANC policy applied
netapi ise get-anc-endpoints
```

What happens:

1. ISE applies the ANC policy to the endpoint
2. ISE sends a CoA (Disconnect-Request) to the switch
3. The switch disconnects the endpoint session
4. The endpoint reauthenticates immediately
5. ISE matches the authorization rule that checks for the ANC policy
6. The switch applies VLAN 999 + the QUARANTINE_RESTRICTED DACL
7. The endpoint is now in quarantine with limited access
### Check Quarantine Status

```bash
# List all endpoints with ANC policies
netapi ise get-anc-endpoints

# Check specific endpoint session
netapi ise dc session 98:bb:1e:1f:a7:13

# Check authorization profile applied
netapi ise mnt session 98:bb:1e:1f:a7:13
```

Expected output when quarantined:

```
VLAN: 999 (CRITICAL_AUTH_VLAN)
DACL: QUARANTINE_RESTRICTED
ANC: Quarantine (Active)
Profile: Quarantine_Restricted
```
### Release from Quarantine

After the endpoint is remediated (AV updated, patches applied, posture compliant):

```bash
# Clear ANC policy
netapi ise anc-clear 98:bb:1e:1f:a7:13

# Force reauthentication to apply normal profile
netapi ise mnt coa-reauth 98:bb:1e:1f:a7:13

# Verify normal access restored
netapi ise dc session 98:bb:1e:1f:a7:13
```

Expected output after release:

```
VLAN: 10 (DATA_VLAN)
DACL: LINUX_EAPTLS_PERMIT_ALL
ANC: None
Profile: Linux_EAPTLS_Admins
```
## Authorization Rule for ANC

Create an authorization rule that checks for the ANC policy:

```bash
# Add authorization rule for quarantined endpoints
netapi ise add-authz-rule "Wired Dot1X Closed" \
  "ANC_Quarantine" \
  "Quarantine_Restricted" \
  --condition "Session:ANCPolicy EQUALS Quarantine" \
  --position 0
```

Rule logic:

```
IF Session:ANCPolicy EQUALS Quarantine
THEN
  Authorization Profile: Quarantine_Restricted
  (VLAN 999, DACL: QUARANTINE_RESTRICTED)
```

> Place this rule at the top of your authorization policy (position 0) so it matches before normal authorization rules.
## ANC Policy Workflows

### Posture Failure → Quarantine

```bash
#!/bin/bash
# quarantine-on-posture-failure.sh

MAC="$1"
if [[ -z "$MAC" ]]; then
  echo "Usage: $0 <MAC_ADDRESS>"
  exit 1
fi

# Source credentials
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)

echo "Checking posture status for $MAC..."

# Get current session
SESSION=$(netapi ise dc session "$MAC")

# Check if posture is non-compliant (example)
if echo "$SESSION" | grep -q "PostureStatus.*NonCompliant"; then
  echo "Posture non-compliant detected!"
  echo "Applying quarantine..."
  # Apply quarantine
  netapi ise anc-apply "$MAC" Quarantine
  echo "Quarantine applied. Endpoint will reauthenticate to quarantine VLAN."
else
  echo "Posture is compliant. No action needed."
fi
```
### Manual Investigation → Quarantine

```bash
#!/bin/bash
# manual-quarantine.sh - Quarantine endpoint for investigation

MAC="$1"
REASON="$2"
if [[ -z "$MAC" ]] || [[ -z "$REASON" ]]; then
  echo "Usage: $0 <MAC_ADDRESS> <REASON>"
  echo "Example: $0 98:bb:1e:1f:a7:13 'Suspicious network traffic detected'"
  exit 1
fi

# Source credentials
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)

echo "=== Manual Quarantine ==="
echo "MAC: $MAC"
echo "Reason: $REASON"
echo ""

# Get current session info
echo "Current session:"
netapi ise mnt session "$MAC"
echo ""

read -p "Proceed with quarantine? (yes/no): " confirm
if [[ "$confirm" == "yes" ]]; then
  echo "Applying quarantine..."
  netapi ise anc-apply "$MAC" Quarantine
  echo ""
  echo "Quarantine applied successfully."
  echo "Endpoint will be moved to VLAN 999 with restricted access."
  echo ""
  echo "To release:"
  echo "  netapi ise anc-clear $MAC"
  echo "  netapi ise mnt coa-reauth $MAC"
else
  echo "Quarantine cancelled."
fi
```
### Automatic Release After Remediation

```bash
#!/bin/bash
# auto-release-from-quarantine.sh

MAC="$1"
if [[ -z "$MAC" ]]; then
  echo "Usage: $0 <MAC_ADDRESS>"
  exit 1
fi

# Source credentials
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)

echo "Checking quarantine status for $MAC..."

# Check if endpoint has ANC policy (fixed-string match on the MAC)
ANC_STATUS=$(netapi ise get-anc-endpoints | grep -F "$MAC")
if [[ -z "$ANC_STATUS" ]]; then
  echo "Endpoint not quarantined."
  exit 0
fi

echo "Endpoint is quarantined. Checking compliance..."

# Get posture status
POSTURE=$(netapi ise dc session "$MAC" | grep PostureStatus)

# Whole-word match: a plain "Compliant" substring test also matches
# "NonCompliant" and would release an endpoint that is still failing posture.
if echo "$POSTURE" | grep -qw "Compliant"; then
  echo "Posture is now compliant. Releasing from quarantine..."
  # Clear ANC policy
  netapi ise anc-clear "$MAC"
  # Force reauthentication
  netapi ise mnt coa-reauth "$MAC"
  echo "Endpoint released. Normal access restored."
else
  echo "Posture still non-compliant. Quarantine remains active."
fi
```
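Two places in this runbook depend on reading ISE session output correctly: confirming after `anc-apply` that the endpoint really landed on VLAN 999 with the quarantine DACL and an active ANC policy (the "Expected output when quarantined" block), and deciding in the auto-release workflow that posture is exactly `Compliant` rather than `NonCompliant`. The block below is an added example, not part of the runbook or its `netapi` tooling. It assumes the `Key: value` session lines shown above (`VLAN:`, `DACL:`, `ANC:`, `Profile:`) plus a `PostureStatus: Compliant|NonCompliant` line, which is an assumed format since the runbook only greps for it. All session text is constructed, not captured from a live ISE.

```shell
#!/bin/sh
# anc-verify.sh - parse ISE session output to (a) confirm a quarantine really
# took effect and (b) decide when it is safe to release. Added example;
# assumes "Key: value" session lines and a "PostureStatus: ..." line.

# session_field <session-text> <key>: print the value of the first "<key>: value" line.
session_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# quarantine_applied <session-text>: 0 only when VLAN 999, the quarantine DACL
# and an active ANC Quarantine policy are all present. Checking all three
# catches the partial states listed under troubleshooting (e.g. VLAN moved
# but the DACL missing from the authorization profile).
quarantine_applied() {
    vlan=$(session_field "$1" VLAN)
    dacl=$(session_field "$1" DACL)
    anc=$(session_field "$1" ANC)
    case "$vlan" in 999|"999 "*) ;; *) return 1 ;; esac
    [ "$dacl" = "QUARANTINE_RESTRICTED" ] || return 1
    [ "$anc" = "Quarantine (Active)" ] || return 1
    return 0
}

# posture_state <session-text>: prints compliant, noncompliant or unknown.
# Exact matching matters: a substring test for "Compliant" also matches
# "NonCompliant" and would release an endpoint that is still failing posture.
posture_state() {
    case "$(session_field "$1" PostureStatus)" in
        Compliant)    echo compliant ;;
        NonCompliant) echo noncompliant ;;
        *)            echo unknown ;;
    esac
}

# safe_to_release <session-text>: 0 only when the endpoint is under ANC
# quarantine and posture is exactly Compliant. Unknown posture means "keep it".
safe_to_release() {
    case "$(session_field "$1" ANC)" in Quarantine*) ;; *) return 1 ;; esac
    [ "$(posture_state "$1")" = "compliant" ]
}

# wait_for_quarantine <mac> <timeout-seconds> <fetch-command...>
# Polls "<fetch-command> <mac>" once per second until quarantine_applied
# succeeds or the timeout expires. In production the fetch command would be
# "netapi ise dc session"; here any command or shell function can be passed.
wait_for_quarantine() {
    mac="$1"; timeout="$2"; shift 2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if quarantine_applied "$("$@" "$mac")"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    echo "timeout: $mac not in quarantine after ${timeout}s" >&2
    return 1
}

# Constructed sample outputs (not captured from a live ISE):
QUARANTINED='VLAN: 999 (CRITICAL_AUTH_VLAN)
DACL: QUARANTINE_RESTRICTED
ANC: Quarantine (Active)
Profile: Quarantine_Restricted
PostureStatus: NonCompliant'

REMEDIATED='VLAN: 999 (CRITICAL_AUTH_VLAN)
DACL: QUARANTINE_RESTRICTED
ANC: Quarantine (Active)
Profile: Quarantine_Restricted
PostureStatus: Compliant'

# VLAN moved but the DACL did not follow: the "Endpoint Still Has Network Access" case.
PARTIAL='VLAN: 999 (CRITICAL_AUTH_VLAN)
DACL: LINUX_EAPTLS_PERMIT_ALL
ANC: Quarantine (Active)
Profile: Quarantine_Restricted
PostureStatus: NonCompliant'

# report <label> <session-text>: one-line summary of the three checks.
report() {
    if quarantine_applied "$2"; then a=yes; else a=no; fi
    if safe_to_release "$2"; then r=yes; else r=no; fi
    printf '%-12s quarantine_applied=%s posture=%s safe_to_release=%s\n' \
        "$1" "$a" "$(posture_state "$2")" "$r"
}
report quarantined "$QUARANTINED"
report remediated  "$REMEDIATED"
report partial     "$PARTIAL"
```

In the workflows above, `wait_for_quarantine "$MAC" 30 netapi ise dc session` after `anc-apply` turns the "Endpoint will reauthenticate" message into a verified state, and `safe_to_release "$(netapi ise dc session "$MAC")"` is the guard the auto-release script needs before calling `anc-clear`.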
### Switch Port Shutdown

For confirmed security incidents:

```bash
# Completely disable switch port
netapi ise anc-apply 98:bb:1e:1f:a7:13 Shut_Down

# Verify port disabled
netapi ios exec "show interface GigabitEthernet1/0/5 status"
# Expected: Port should show as 'disabled' or 'err-disabled'
```

To re-enable:

```bash
# Clear shutdown policy
netapi ise anc-clear 98:bb:1e:1f:a7:13

# Manually enable port on switch
netapi ios exec "configure terminal"
netapi ios exec "interface GigabitEthernet1/0/5"
netapi ios exec "shutdown"
netapi ios exec "no shutdown"
netapi ios exec "end"
```
### Port Bounce (Force Reauthentication)

Useful for testing or applying new policies:

```bash
# Send CoA to force reauthentication
netapi ise mnt coa-reauth 98:bb:1e:1f:a7:13

# Or use ANC Port_Bounce policy
netapi ise anc-apply 98:bb:1e:1f:a7:13 Port_Bounce

# Wait for reauthentication
sleep 5

# Check new session
netapi ise mnt session 98:bb:1e:1f:a7:13
```
## Monitoring Quarantined Endpoints

### List All Quarantined Endpoints

```bash
# List all endpoints with ANC policies
netapi ise get-anc-endpoints

# Filter for specific policy
netapi ise get-anc-endpoints | grep Quarantine
```

### Dashboard Script

```bash
#!/bin/bash
# anc-dashboard.sh - Monitor quarantine status

source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)

echo "=== ANC Quarantine Dashboard ==="
echo ""

# Fetch the ANC endpoint list once and reuse it for counts and listing
ANC_ENDPOINTS=$(netapi ise get-anc-endpoints)

# Count quarantined and shut-down endpoints
QUARANTINE_COUNT=$(echo "$ANC_ENDPOINTS" | grep -c Quarantine)
SHUTDOWN_COUNT=$(echo "$ANC_ENDPOINTS" | grep -c Shut_Down)

echo "Quarantined: $QUARANTINE_COUNT endpoints"
echo "Shut Down: $SHUTDOWN_COUNT endpoints"
echo ""

# List quarantined endpoints
if [[ $QUARANTINE_COUNT -gt 0 ]]; then
  echo "=== Quarantined Endpoints ==="
  echo "$ANC_ENDPOINTS" | grep Quarantine
  echo ""
fi

# Recent failed authentications
echo "=== Recent Failed Authentications ==="
netapi ise dc failed --limit 5
```
## Troubleshooting ANC

### ANC Policy Not Applied

```bash
# Check if ANC policy exists in ISE
netapi ise get-anc-policies

# Check endpoint ANC status
netapi ise get-anc-endpoints | grep 98:bb:1e:1f:a7:13

# Check if CoA is reaching switch
netapi ios exec "show logging | include COA"
```

### Endpoint Still Has Network Access

Possible causes:

- Authorization rule not at top of policy
  - ANC quarantine rule must be position 0 (first rule)
  - Check: Policy & Work Centers → Authorization Policy
- Endpoint hasn't reauthenticated
  - Force reauthentication: `netapi ise mnt coa-reauth <MAC>`
- DACL not applied
  - Verify: `netapi ise get-authz-profile Quarantine_Restricted` - should show `daclName: QUARANTINE_RESTRICTED`
- Switch not accepting CoA
  - Verify RADIUS CoA configuration on switch
  - Check: `netapi ios exec "show aaa servers"`