ISE Adaptive Network Control (ANC)

Adaptive Network Control (ANC) is a feature of Cisco Identity Services Engine (ISE) that can be used to monitor and control the network access of authenticated endpoints. With ANC you can quarantine an endpoint by restricting its access with a Downloadable ACL (DACL), shutting down the switch interface, or assigning a TrustSec Scalable Group Tag (SGT). ANC is a manual process that is triggered by an administrator. ANC requires the ISE Plus License; the Base License is also required.

This post covers only the configuration of ANC and assumes Cisco ISE and 802.1x are already set up and working. The posts below may be useful when configuring Cisco ISE and Cisco switches to authenticate users and computers with 802.1x.

ISE Configuration

Adaptive Network Control

  • Navigate to Operations > Adaptive Network Control > Policy List
  • Click Add and add the policies in the table below

  Policy Name    ANC Action
  Quarantine     QUARANTINE
  Shutdown       SHUT_DOWN
  • Click Save

Authorization Profile

  • Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles
  • Click Add
  • Enter an appropriate Name, e.g. DENY_DACL
  • Tick the box DACL Name and from the drop down box select the default DACL DENY_ALL_TRAFFIC
  • Click Save

Authorization Policy – Global Exceptions

  • Navigate to Policy > Policy Sets
  • Modify your existing Policy
  • Under Authorization Policy – Global Exceptions, create the rules in the table below

  Rule Name        Conditions                              Profiles
  ANC Shutdown     Session:ANC-Policy EQUALS Shutdown      DenyAccess
  ANC Quarantine   Session:ANC-Policy EQUALS Quarantine    DENY_DACL

Verification and Testing

  • Log in to a computer as a user and confirm the authentication in the ISE Live Logs
  • Log in to the CLI of the switch
  • Run the command show authentication sessions interface <interface x/y/z>

  • Navigate to Operations > Adaptive Network Control > Policy List
  • Click Add
  • Enter the MAC address of the endpoint; this can be found under the Endpoint ID column in the ISE Live Logs
  • From the Policy Assignment drop down menu select Quarantine
  • Click Submit

If successful, within seconds you should see a message indicating that the MAC address has been re-authorized and that the DACL DENY_ALL_TRAFFIC, as configured in the Exception Policy, has been applied.

From the ISE Live Logs we can see that the first event is the CoA (Change of Authorization) being sent for the client's session. The client is then authorized by the ANC Quarantine rule, which returns the DENY_DACL Authorization Profile that references DENY_ALL_TRAFFIC.

  • Run the command show authentication sessions interface <interface x/y/z>

From the output below we can confirm that the user was still successfully authenticated, but this time we can see that the DACL has been applied to the session.
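As an added example (not from the original post), the Python below parses the output of show authentication sessions interface <interface> details and reports whether the session carries the quarantine DACL, which is the check an operator makes at this step. The two sample outputs are constructed for this example: the MAC address, IP address, user name and session IDs are placeholders. The switch lists an ISE-pushed DACL under the name xACSACLx-IP-<ISE DACL name>-<hash>, and the parser strips that back to the ISE name so it can be compared with the DACL selected in the DENY_DACL profile.

```python
import re

# Constructed sample output of "show authentication sessions interface Gi1/0/1 details"
# for an endpoint that ISE has quarantined (placeholders, not values from the post).
SAMPLE_QUARANTINED = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.5699.1a2b
         IPv4 Address:  10.1.1.50
            User-Name:  CORP\\jsmith
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
    Common Session ID:  0A0101010000000A0012E7F1
               Handle:  0x6C000001
       Current Policy:  POLICY_Gi1/0/1

Server Policies:
              ACS ACL:  xACSACLx-IP-DENY_ALL_TRAFFIC-5f3a2b1c

Method status list:
       Method           State
       dot1x            Authc Success
"""

# Constructed sample for the same endpoint after the ANC policy was removed:
# authorized by the normal rule, so ISE pushes no DACL.
SAMPLE_NORMAL = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.5699.1a2b
         IPv4 Address:  10.1.1.50
            User-Name:  CORP\\jsmith
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
    Common Session ID:  0A0101010000000A0012E8A4
               Handle:  0x6C000002
       Current Policy:  POLICY_Gi1/0/1

Method status list:
       Method           State
       dot1x            Authc Success
"""

# "   Key words:  value" lines; section headers such as "Server Policies:" carry no value and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 /-]+?):\s+(?P<value>\S.*)$")
# ISE downloads a DACL to the switch under the name xACSACLx-IP-<ISE name>-<hash>.
DACL_RE = re.compile(r"^xACSACLx-IP-(?P<name>.+)-(?P<hash>[0-9a-f]+)$")


def parse_session(show_output):
    """Return the key/value fields of a 'show authentication sessions ... details' output as a dict."""
    fields = {}
    for line in show_output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def applied_dacl(fields):
    """Return the ISE name of the DACL applied to the session, or None if the switch lists no ACS ACL."""
    acl = fields.get("ACS ACL")
    if not acl:
        return None
    m = DACL_RE.match(acl)
    return m.group("name") if m else acl


def quarantine_state(show_output, quarantine_dacl="DENY_ALL_TRAFFIC"):
    """Classify the session: 'quarantined' if authorized with the quarantine DACL,
    'normal' if authorized without it, 'not-authorized' for any other status."""
    fields = parse_session(show_output)
    if fields.get("Status") not in ("Authorized", "Authz Success"):
        return "not-authorized"
    return "quarantined" if applied_dacl(fields) == quarantine_dacl else "normal"


if __name__ == "__main__":
    for label, output in (("before removal", SAMPLE_QUARANTINED), ("after removal", SAMPLE_NORMAL)):
        f = parse_session(output)
        print(f"{label}: {f['MAC Address']} user={f['User-Name']} status={f['Status']} "
              f"dacl={applied_dacl(f)} -> {quarantine_state(output)}")
```

Run it against a pasted show output to confirm the quarantine actually took effect on the port rather than only appearing in the ISE Live Logs; "Authorized" with no ACS ACL means the CoA re-authorized the session against the normal rule, and "Authz Success" is accepted for switches that still use the older output format.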

  • To un-quarantine the endpoint, navigate to Operations > Adaptive Network Control > Policy List
  • Select the box next to the MAC address of the endpoint
  • Click Trash > Selected
  • Click Yes

On the switch we can see messages indicating that the CoA was successful and that the endpoint authenticated and authorized successfully.

In the ISE Live Logs we can see the initial authorization against the ANC Quarantine exception rule, then, 10 minutes later, after un-quarantining the endpoint, we see authorization against the normal rule.

The same procedure can be used to shut down the interface; the only difference is that the shut-down interface has to be manually re-enabled on the switch (no shutdown). The endpoint should also be removed manually from the quarantine list as above.