Overview
The Cisco ISE integration is a containment (response) integration that is called from playbook action blocks. It lets you contain a suspicious or malicious endpoint on the network by quarantining it, removing it from quarantine, or terminating its active session.
Setting Up the Integration
Add a Cisco ISE asset from the Integrations / Assets screen and fill in the following fields.
| Field | Required | Description |
|---|---|---|
| Host | Yes | IP address or hostname of the Cisco ISE device |
| Port | Yes | Cisco ISE API port (depends on your environment, typically 9060 or 443) |
| Username | Yes | Cisco ISE API user name |
| Password | Yes | Password for the API user (stored encrypted) |
Prerequisites on the Cisco ISE Side
Before using the integration, make sure the following are enabled on Cisco ISE:
- External RESTful Services (ERS) API and Monitoring (MNT) API access.
- Endpoint Protection Service (EPS), which is used by the quarantine and unquarantine actions.
- An authorized API user that can perform these operations.
Testing the Connection
When you save the asset, a connection test runs automatically. A successful test confirms that the host, port, and credentials are correct.
Available Methods and the Address Field
The integration provides three action methods. Important: the "Address" field expects a different type of value depending on the method you select.
| Method | What to enter in the Address field |
|---|---|
| Terminate-Session | MAC address only |
| Quarantine | MAC address or IP address (detected automatically) |
| Unquarantine | MAC address or IP address (detected automatically) |
Terminate-Session
This method locates the active session of an endpoint by its MAC address and terminates it.
- The Address field must contain a valid MAC address, for example BC:6E:E2:EF:69:2E.
- This method does not support IP addresses.
- If an IP address is entered, Cisco ISE cannot find a matching session and the action fails (shown as CANT_COMPLETE).
Quarantine
This method places an endpoint into quarantine on Cisco ISE.
- You can enter either a MAC address or an IP address.
- The system automatically detects whether the value is a MAC or an IP and uses the correct operation.
- If the value is neither a valid MAC nor a valid IP, the action returns an error indicating that the IP or MAC parameter is missing.
Unquarantine
This method removes an endpoint from quarantine. It accepts the Address field exactly like the Quarantine method, so you can enter either a MAC address or an IP address.
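The Address-field rules above, applied as a pre-flight check a playbook can run before calling the action block. This is an added Python example, not the integration's own code; the function names, the dict layout and the accepted MAC notations are assumptions.

```python
import ipaddress
import re

# Accepts 12 hex digits as AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABB.CCDD.EEFF
_MAC_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$"
    r"|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"
)


def classify_address(value):
    """Return ("mac", normalized) or ("ip", normalized), or (None, None) if neither."""
    value = value.strip()
    if _MAC_RE.match(value):
        digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
        # Normalize to the colon-separated upper-case form used on this page
        return "mac", ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    try:
        return "ip", str(ipaddress.ip_address(value))  # IPv4 or IPv6
    except ValueError:
        return None, None


def preflight(method, address):
    """Reject an Address value that the selected method cannot use.

    Mirrors the page's rules: Terminate-Session takes a MAC only (an IP ends
    as CANT_COMPLETE on ISE); Quarantine/Unquarantine take a MAC or an IP and
    report "IP or MAC parameter is missing" for anything else.
    """
    kind, normalized = classify_address(address)
    if method == "Terminate-Session":
        if kind != "mac":
            return {"ok": False, "method": method,
                    "reason": "Terminate-Session requires a MAC address; "
                              "ISE cannot find the session (CANT_COMPLETE)"}
        return {"ok": True, "method": method, "type": "mac", "address": normalized}
    if method in ("Quarantine", "Unquarantine"):
        if kind is None:
            return {"ok": False, "method": method,
                    "reason": "IP or MAC parameter is missing"}
        return {"ok": True, "method": method, "type": kind, "address": normalized}
    return {"ok": False, "method": method, "reason": "unknown method"}
```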
Frequently Asked Questions
What should I enter in the Address field?
- If you selected Terminate-Session, enter a MAC address. IP addresses are not accepted for this method.
- If you selected Quarantine or Unquarantine, enter a MAC address or an IP address. The system detects which one you provided.
What happens if I enter an IP address for Terminate-Session?
The session is looked up by MAC address, so Cisco ISE cannot find the session and the action fails with a CANT_COMPLETE result. Always use a MAC address for Terminate-Session.
For Quarantine, both MAC and IP are accepted. Which should I use?
Both are valid. We recommend using the value that most reliably identifies the endpoint in your environment, which is usually the MAC address. If your environment tracks endpoints by IP, an IP address works as well.
Common Result Messages
| Message | Meaning |
|---|---|
| IP or MAC parameter is missing | The Address value entered for Quarantine or Unquarantine is neither a valid MAC nor a valid IP. |
| Disconnect error | Terminate-Session could not end the session, for example the session was not found. |
| Quarantine error | The quarantine operation failed on Cisco ISE. |
| Unquarantine error | The remove-from-quarantine operation failed on Cisco ISE. |
| Unknown error | Cisco ISE returned an unexpected response. |