Set up Cisco ISE to Identify and Quarantine IoT Devices
Integrate IoT Security with Cisco ISE to identify and
quarantine IoT devices.
As an IoT Security administrator, you can
selectively quarantine devices through Cisco ISE using PanwIoTAlertSeverity
and PanwIoTAlertType attributes. When you send ISE the quarantine
command, ISE quarantines impacted devices by applying policy rules
based on the alert severity, alert type, or both.
In addition
to configuring ISE to
identify IoT devices, configure the following on your Cisco
ISE system to quarantine IoT devices when there are security alerts:
- Add these custom endpoint attributes for IoT Security alerts: PanwIoTAlertSeverity and PanwIoTAlertType
- Create authorization profiles
- Create exception rules
- Add IoT Security endpoint attributes for alert severity and type.
- Click .
- Click theAddicon (+), enterPanwIoTAlertSeverityin the Attribute name field, and then chooseStringfrom the Type drop-down list.
- Click theAddicon (+), enterPanwIoTAlertTypein the Attribute name field, chooseStringfrom the Type drop-down list, and thenSavethe configuration.This is a possible set of attributes:PanwIoTProfile, PanwIoTIP, PanwIoTCategory, PanwIoTRiskScore, PanwIoTConfidence, PanwIoTTag, PanwIoTHostname, PanwIoTOS, PanwIoTModel, PanwIoTVendor, PanwIoTSerial, PanwIoTEPP, PanwIoTInternetAccess, PanwIoTAET, PanwIoTAlertSeverity, PanwIoTAlertType
- Create an authorization profile that allows IoT devices to access the network and associates them with the quarantine VLAN.
- Click and then clickAdd.
- Enter settings like those described below, leave the other settings at their default values:Name: Enter a name for the profile; for example:IoT-device-protectionAccess Type:ACCESS_ACCEPTVLAN: (select); Tag ID: 1;ID/Name:999, where 999 is the ID number of the quarantine VLAN.
- Submitthe settings.
- Create a condition for applying an exception rule, such as applying it when the severity is critical.
- Click and then enter the following in Editor:Click to add an attribute:Operator:EqualsAttribute value:Critical
- Savethe configuration.
- In the Save condition dialog box, selectSave as a new Library Condition, enter a name such asCritical Alert Severityin the Condition Name field, and then clickSave.
- Create authorization policy exception rule that assigns devices with critical alerts to the quarantine VLAN.
- Click and then click theArrowicon (>) to modify your existing policy set.
- ExpandAuthorization Policy - Local Exceptions, click thePlusicon (+) to add an exception rule, and then click thePlusicon (+) to add a condition.
- Click-dragCritical Alert Severityfrom the Library into the Editor and then clickUse.
- In Results-Profiles, chooseIoT-device-protection, which is the authorization profile you created for this condition.
- Savethe configuration.When you quarantine a device in the IoT Security portal, it sends the two alert attributes (PanwIoTAlertType and PanwIoTAlertSeverity) for that device (identified by its MAC address) through XSOAR to ISE. The next time that device connects to the network and requests access from Cisco ISE, the two alert attributes will match this exception rule and assign it to the quarantine VLAN.The device remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you then release it from quarantine, which clears the alert attributes. When the device connects to the network and again requests access from Cisco ISE, ISE reassigns it to its usual VLAN.
