Introduction
This document describes how to configure Cisco Identity Service Engine 3.3 pxGrid Direct Connector with external REST APIs to get endpoints data.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on these software and hardware versions:
- Cisco ISE 3.3
- REST API server that provides JSON data for endpoint attributes
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Cisco pxGrid Direct helps to evaluate and authorize the endpoints faster by enabling you to connect to external REST APIs that provide JSON data for endpoint attributes and fetch this data into the Cisco ISE database. This feature eliminates the need to query for endpoint attribute data each time an endpoint must be authorized. You can then use the fetched data in authorization policies.
pxGrid Direct helps collect data based on the attributes you specify in your pxGrid Direct configurations. Two mandatory fields called Unique Identifier and Correlation Identifier are used to fetch relevant data. If a connector does not contain values for either of these fields, the fetching and saving of data from a connector can be erroneous.
Configure pxGrid Direct Connectors
Step 1. Add a new pxGrid Direct Connector
In order to configure pxGrid Direct Connector, from ISE navigate to Administration > Network Resources > pxGrid Direct Connectors. Click Add.![Add a New pxGrid Direct Connector](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-00.png)
Once the Welcome page for the pxGrid Direct Connect Wizard is open, click ![Let's Do It Button](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-01.png)
![pxGrid Direct Connect Wizard](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-02.png)
Step 2. Define the pxGrid Direct Connector
Give a name to the connector, and a description, if needed. Click Next.
![Define the pxGrid Direct Connector](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-03.png)
Warning: If you check the Skip Certificate Validations check box, Cisco ISE accepts any certificate the server presents without verifying the hostname, the issuing CA or any other detail. Check this box only in a test environment, or if you trust the connected server to be highly secure. Skipping certificate validation exposes the connector to machine-in-the-middle attacks: an attacker on the path can impersonate the REST server and feed forged endpoint attributes into the ISE database, which are then consumed by authorization policies. The preferred approach is to leave validation enabled and import the REST server's issuing CA into the ISE Trusted Certificates store.
Step 3. URL
- Type the URL of the external REST API that provides JSON data for endpoint attributes.
- Under Authentication, enter the username and password of the external REST API server.
- Select Test Connection, wait for the Successful message, then click Next.
![Add URL for px Grid Direct Connector](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-04.png)
Tip: The Incremental URL is optional. If the external REST API accepts request arguments, use one here so that the incremental sync retrieves only the latest changes (for example, records updated after a given timestamp) instead of requesting all the data again. Confirm in the external REST API server documentation that the request argument exists and behaves as expected.
Step 4. Schedule
Select the Schedule for a FULL SYNC.
- Default value - 1 week
- Minimum value - 12 hours
- Maximum value - 1 month
Select the Schedule for INCREMENTAL SYNC. This option only appears if it was configured in Step 3.
- Default value - 1 day
- Minimum value - 1 hour
- Maximum value - 1 week
Click Next.
![Schedule will Trigger from pxGrid Direct Connector](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-05.png)
Step 5. Parent Object
You must type the JSON key to search for attributes.
![Parent Object JSON](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-06.png)
Step 6. Attributes
Select the Attributes of the JSON to configure Dictionary Items that can be used for policies.
In this scenario, the attributes included in Dictionary are:
- asset
- ip_address
- mac_address
- os_version
- sys_id
- sys_update
- u_segmentation_group_tag
Click Next.
![Attributes for the Endpoints](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-07.png)
Step 7. Identifiers
- Select the Unique Identifier: an attribute that uniquely identifies an endpoint in the source system (for example, the record ID in the CMDB from which the external REST API server builds the JSON).
- Select the Correlation Identifier: an attribute that ISE can match against what it already knows about an endpoint (typically the MAC address), so that the fetched data can be tied to the endpoint during authorization.
Click Next.
![Identifiers for pxGrid Connector Dashboard](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-08.png)
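To test a connector end to end in a lab, it helps to have a REST server that produces exactly the JSON shape Steps 3 to 7 describe: a parent object key holding a list of records, HTTP Basic authentication, a request argument for the incremental URL, and values for both identifiers in every record (the Background Information section notes that records missing either identifier make the fetch and save erroneous). The server below is an added example, not Cisco code or any CMDB product's API; the records, the `result` parent key, the `since` argument and the credentials are constructed for the lab.

```python
"""Constructed lab REST API serving endpoint attributes in the shape a pxGrid
Direct connector consumes. Added example, not Cisco code; the JSON layout,
the 'since' argument and the credentials are assumptions for the lab."""
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

PARENT_KEY = "result"           # the JSON key typed in Step 5 (Parent Object)
UNIQUE_ID = "sys_id"            # Unique Identifier chosen in Step 7
CORRELATION_ID = "mac_address"  # Correlation Identifier chosen in Step 7
LAB_USER, LAB_PASSWORD = "ise", "Lab-Secret-1"   # assumed lab credentials

# Constructed sample records; attribute names match the list in Step 6.
RECORDS = [
    {"asset": "laptop-01", "ip_address": "10.0.1.10", "mac_address": "00:11:22:33:44:55",
     "os_version": "14.4", "sys_id": "a1b2", "sys_update": "2024-05-01T10:00:00Z",
     "u_segmentation_group_tag": "Corp_Laptops"},
    {"asset": "printer-07", "ip_address": "10.0.2.20", "mac_address": "AA-BB-CC-DD-EE-FF",
     "os_version": "fw-3.1", "sys_id": "c3d4", "sys_update": "2024-05-20T08:30:00Z",
     "u_segmentation_group_tag": "Printers"},
    {"asset": "orphan", "ip_address": "10.0.3.30", "mac_address": "",
     "os_version": "?", "sys_id": "e5f6", "sys_update": "2024-05-21T09:00:00Z",
     "u_segmentation_group_tag": "Quarantine"},
]


def normalize_mac(mac):
    """Return the MAC as AA:BB:CC:DD:EE:FF (the form ISE displays), or None if malformed."""
    digits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def valid_records(records):
    """Drop records without a usable Unique Identifier or Correlation Identifier;
    such records cannot be correlated to an endpoint and break the fetch/save."""
    out = []
    for rec in records:
        mac = normalize_mac(rec.get(CORRELATION_ID, ""))
        if not rec.get(UNIQUE_ID) or mac is None:
            continue
        out.append({**rec, CORRELATION_ID: mac})
    return out


def build_payload(records, since=None):
    """Full sync: every valid record. Incremental sync (?since=<ISO-8601 UTC>):
    only records updated at or after that time. Zulu timestamps of equal
    layout compare correctly as plain strings."""
    recs = valid_records(records)
    if since:
        recs = [r for r in recs if r["sys_update"] >= since]
    return {PARENT_KEY: recs}


def basic_auth_value(user, password):
    """Authorization header value a client such as ISE sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header_value):
    """Validate an 'Authorization: Basic <b64>' header against the lab credentials."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded == f"{LAB_USER}:{LAB_PASSWORD}"


class EndpointHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="cmdb"')
            self.end_headers()
            return
        since = parse_qs(urlparse(self.path).query).get("since", [None])[0]
        body = json.dumps(build_payload(RECORDS, since)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # URL for Step 3:              http://<host>:8080/endpoints
    # Incremental URL for Step 3:  http://<host>:8080/endpoints?since=2024-05-15T00:00:00Z
    HTTPServer(("0.0.0.0", 8080), EndpointHandler).serve_forever()
```

With this server running, `result` is the Parent Object for Step 5, the seven keys of each record are the attributes offered in Step 6, and `sys_id` / `mac_address` are the Unique and Correlation Identifiers for Step 7. The server speaks plain HTTP to keep the lab small; anything outside a lab should sit behind TLS with a certificate ISE can validate.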
Step 8. Summary
Ensure the pxGrid Direct Connector is configured properly. Click Done.
![Summary for Configuration to Verify if Configured Properly](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-09.png)
Once the connector is done, it appears under the pxGrid Direct Connectors page.
![Connector is Done](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-10.png)
Step 9. Verification
From ISE, navigate to Policy > Policy Elements > Dictionary > System Dictionaries. Filter by the name of your pxGrid Direct Connector. Select it and click View.
![System Dictionary](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-11.png)
Navigate to Dictionary Attributes and see the list of attributes configured as Dictionary Items under step 6.
![Dictionary Attribute](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-12.png)
Context Visibility pxGrid Direct Dashboard
From ISE, navigate to Context Visibility > Endpoints > More > pxGrid Direct Endpoints. A list appears of the endpoints with the values selected for Correlation and Unique Identifiers.
Click the Correlation ID to view the details, or download the attributes of a specific endpoint.
![pxGrid Dashboard](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-13.png)
Authorization Policy Configuration with pxGrid Direct Dictionary
From ISE, navigate to Policy > Policy Sets > Select a Policy Set > Authorization Policy. Click the gear icon in any of the Authorization Policies and Select Insert.
Give a name to the rule and add a new condition to open the Condition Studio.
Click to add a new attribute, navigate to Unclassified, and under Dictionary filter by the name of the pxGrid Direct Connector.![Conditions Studio](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-14.png)
Select an attribute that can be evaluated in an Authorization Policy, and set the value. Click Use.
![Condition Final Policy](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-15.png)
Select the Profile as the result of the condition. Click Save.
![Review the Policy](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-16.png)
Test the new rule. In the RADIUS Live Log details for the endpoint, confirm that the Authorization Policy value shows the name of the rule that uses the pxGrid Direct Connector attributes.
![PERMIT-ACCESS of the User](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-17.png)
Troubleshoot
From ISE, navigate to Operations > Troubleshoot > Debug Wizard > Debug Log Configuration. Select your Primary Admin Node (PAN) and click Edit.
Filter the Component Name by pxGrid Direct and select the Log Level needed. Click Save.
![Debug Log Configuration](/c/dam/en/us/support/docs/security/identity-services-engine-33/221004-configure-and-troubleshoot-ise-3-3-pxgri-18.png)
- On the ISE PAN CLI, the logs are found at:

```
admin#show logging application pxgriddirect-service.log
admin#show logging application pxgriddirect-connector.log
```
- On the ISE GUI, navigate to Operations > Troubleshoot > Download Logs > Select ISE PAN > Debug Logs > Debug Log Type > Application Logs. Download the zip files for pxgriddirect-service.log and pxgriddirect-connector.log.
Note:
The pxgriddirect-service logs contain information about whether fetched endpoint data has been received and saved to the Cisco ISE database.
The pxgriddirect-connector logs contain information that indicates whether a pxGrid Direct connector was successfully added to Cisco ISE.