Integrate the Cisco Identity Services Engine (ISE) / ISE Passive Identity Controller (ISE-PIC)
This topic contains the following sections:
Overview of the Identity Services Engine (ISE) / ISE Passive Identity Controller (ISE-PIC) Service
Cisco’s Identity Services Engine (ISE), and Passive Identity Connector (ISE-PIC) are applications that run on separate servers in your network to provide enhanced identity management. The Secure Web Appliance can access user-identity information from an ISE or ISE-PIC server. When either ISE, or ISE-PIC is configured, information is retrieved (user names and associated Secure Group Tags from ISE, user names and Active Directory groups from ISE-PIC) for appropriately configured Identification Profiles, to allow transparent user identification in policies configured to use those profiles.
-
You can construct access policies using Secure Group Tags and Active Directory groups.
-
For users that fail transparent identification with ISE/ISE-PIC, you can configure fallback authentication with Active Directory based realms. See Fallback Authentication.
-
You can configure authentication of users in Virtual Desktop Environments (Citrix, Microsoft shared/remote desktop services etc.). See VDI (Virtual Desktop Infrastructure) User Authentication in ISE/ISE-PIC Integrations.
Note |
For more information on Secure Web Appliance ISE version support matrix, see ISE Compatibility Matrix Information.
|
Note |
*S380 and S680 models are not supported. |
Related Topics
About pxGrid
Cisco’s Platform Exchange Grid (pxGrid) enables collaboration between components of the network infrastructure, including security-monitoring and network-detection systems, identity and access management platforms, and so on. These components can use pxGrid to exchange information via a publish/subscribe method.
There are essentially three pxGrid components: the pxGrid publisher, the pxGrid client, and the pxGrid controller.
-
pxGrid publisher – Provides information for the pxGrid client(s).
-
pxGrid client – Any system, such as the Secure Web Appliance, that subscribes to published information; in this case, Security Group Tag (SGT), Active Directory groups, user-group, and profiling information.
-
pxGrid controller – In this case, the ISE/ISE-PIC pxGrid node that controls the client registration/management and topic/subscription processes.
Trusted certificates are required for each component, and these must be installed on each host platform.
About the ISE/ISE-PIC Server Deployment and Failover
A single ISE/ISE-PIC node set-up is called a standalone deployment, and this single node runs the Administration, and Policy Service. To support failover and to improve performance, you must set up multiple ISE/ISE-PIC nodes in a distributed deployment. The minimum required distributed ISE/ISE-PIC configuration to support ISE/ISE-PIC failover on your Secure Web Appliance is:
-
Two pxGrid nodes
-
Two Administration nodes
-
One Policy Service node
This configuration is referred to in the Cisco Identity Services Engine Hardware Installation Guide as a 'Medium-Sized Network Deployment'. Refer to the network deployments section in that installation guide for additional information.
Related Topics
ISE/ISE-PIC Certificates
Note |
This section describes the certificates necessary for an ISE/ISE-PIC connection. Tasks for Integrating the ISE/ISE-PIC Service provides detailed information about these certificates. Certificate Management, provides general certificate-management information for AsyncOS. |
A set of two certificates is required for mutual authentication and secure communication between the Secure Web Appliance and each ISE/ISE-PIC server:
-
Web Appliance Client Certificate – Used by the ISE/ISE-PIC server to authenticate the Secure Web Appliance.
-
ISE pxGrid Certificate – Used by the Secure Web Appliance to authenticate an ISE/ISE-PIC server on port 5222 for Secure Web Appliance-ISE/ISE-PIC data subscription (on-going publish/subscribe queries to the ISE/ISE-PIC server).
These two certificates can be Certificate Authority (CA)-signed or self-signed. AsyncOS provides the option to generate a self-signed Web Appliance Client Certificate, or a Certificate Signing Request (CSR) instead, if a CA-signed certificate is needed. Similarly, the ISE/ISE-PIC server provides the option to generate self-signed ISE/ISE-PIC pxGrid certificates, or CSRs instead if CA-signed certificates are needed.
Related Topics
Using Self-signed Certificates
When self-signed certificates are used on the ISE/ISE-PIC server, the ISE/ISE-PIC pxGrid certificate developed on the ISE/ISE-PIC server, as well as the Web Appliance Client Certificate developed on the Secure Web Appliance must be added to the Trusted Certificates store on the ISE/ISE-PIC server (On ISE - Administration > Certificates > Trusted Certificates > Import; on ISE-PIC - Certificates > Trusted Certificates > Import).
Caution |
We do not recommend using self-signed certificates for authentication as it is not as secured as other authentication methods. Also, a self-signed certificate does not support revocation policy. |
Using CA-signed Certificates
In the case of CA-signed certificates:
-
On the ISE/ISE-PIC server, ensure the appropriate CA root certificate for the Web Appliance Client Certificate is present in the Trusted Certificates store (Administration > Certificates > Trusted Certificates).
-
On the Secure Web Appliance, ensure the appropriate CA root certificates are present in the Trusted Certificates list (Network > Certificate Management > Manage Trusted Root Certificates).
-
On the Identity Services Engine page (Network > Identity Services Engine), be sure to upload the CA root certificate for the ISE/ISE-PIC pxGrid certificate.
Fallback Authentication
For user information not available in ISE/ISE-PIC, you can configure a fallback authentication. Ensure you have the following for successful fallback authentication.
-
Identification profile configured with a fallback option of Active Directory based realm.
-
Access policy with the correct Identification profile which contains the fallback option.
Tasks for Integrating the ISE/ISE-PIC Service
Note |
|
Note |
|
Step |
Task |
Links to Topics and Procedures |
---|---|---|
1 |
Generate certificate through ISE/ISE-PIC device |
|
2 |
Configure the ISE/ISE-PIC for Secure Web Appliance access. |
Configuring ISE/ISE-PIC server for Secure Web Appliance Access |
3 |
Configure and enable ISE/ISE-PIC Services in the Secure Web Appliance. |
|
4 |
If the Secure Web Appliance Client Certificate is self-signed, import it to ISE/ISE-PIC. |
Import the Self-signed Secure Web Appliance Client Certificate to ISE/ISE-PIC Standalone Deployment Import the Self-signed Secure Web Appliance Client Certificate to ISE/ISE-PIC Distributed Deployment |
5 |
If required, configure logging in the Secure Web Appliance. |
|
6 |
Acquire ISE/ISE-PIC ERS server details. |
Related Topics
Generating Certificate through ISE/ISE-PIC
Note |
The certificate that is generated through the ISE/ISE-PIC device must be in the PKCS12 format. |
-
ISE/ISE-PIC:
Procedure
Step 1 |
Choose Work Centres > PassiveID > Subscribers > Certificates. |
||||
Step 2 |
Choose PKCS 12 format from the Certificate Download Format drop-down list. Enter other appropriate information on the Certificates tab and generate a pxGrid certificate. |
||||
Step 3 |
Extract Root CA, Web Appliance Client Certificate, and Web Appliance Client Key from the generated XXX.pk12 file using the
|
Configuring ISE/ISE-PIC server for Secure Web Appliance Access
-
ISE
-
Each ISE server must be configured to allow identity topic subscribers (such as Secure Web Appliance) to obtain session context in real-time.
-
Choose Administration > pxGrid Services > Settings > pxGrid Settings.
-
Ensure Automatically approve new certificate-based accounts is checked.
Delete any old Secure Web Appliances configured that do not take part in any authentication with ISE/ISE-PIC.
Ensure the ISE server footer is green, and says Connected to pxGrid.
-
-
-
ISE-PIC
-
Each ISE-PIC server must be configured to allow identity topic subscribers (such as Secure Web Appliance) to obtain session context in real-time.
-
Choose Subscribers > Settings.
-
Ensure Automatically approve new certificate-based accounts is checked.
Delete any old Secure Web Appliances configured that do not take part in any authentication with ISE/ISE-PIC.
Ensure the ISE server footer is green, and says Connected to pxGrid.
-
-
Refer to Cisco Identity Services Engine documentation for more information.
Connect to the ISE/ISE-PIC Services
Note |
If the ISE Admin, pxGrid, and MNT certificates are signed by your Root CA certificate, then upload the Root CA certificate itself to the ISE pxGrid Node Certificate fields on the appliance (Network > Identity Services Engine). |
Before you begin
-
Be sure each ISE/ISE-PIC server is configured appropriately for Secure Web Appliance access; see Tasks for Integrating the ISE/ISE-PIC Service.
-
Obtain valid ISE/ISE-PIC-related certificates and keys. See Generating Certificate through ISE/ISE-PICfor related information.
-
Import the obtained RootCA.pem to the Secure Web Appliance (Network > CertificateManagement > TrustedRootCertificate > Client on ManageTrustedRootCertificate). To extract Root CA, Web Appliance Client Certificate, and Web Appliance Client Key from the generated XXX.pk12 file, see Generating Certificate through ISE/ISE-PIC.
Note
Follow the same procedure for RootCA.pem extracted from secondary XXXX.pk12 file (if secondary/failover ISE Sever is available).
-
The ISE configuration page in the Secure Web Appliance's web interface is used to configure ISE or ISE-PIC servers, upload certificates, and to connect to either ISE or ISE-PIC services. The steps to configure ISE or ISE-PIC are identical, and any details specific to ISE-PIC configurations have been mentioned where applicable.
-
Enable ERS if you are building access policies using Active Directory groups provided by ISE/ISE-PIC.
Procedure
Step 1 |
Choose Network > Identification Service Engine. |
||
Step 2 |
Click Edit Settings. If you are configuring ISE/ISE-PIC for the first time, click Enable and Edit Settings. |
||
Step 3 |
Check Enable ISE Service. |
||
Step 4 |
Identify the Primary Admin Node using its host name or IPv4 address and provide the following information on the Primary ISE pxGrid Node Tab on the Secure Web Appliance. |
||
Step 5 |
If you are using a second ISE/ISE-PIC server for failover, identify its Primary Admin Node using its host name or IPv4 address and provide the following information on the Secondary ISE pxGrid Node tab on the Secure Web Appliance using its host name or IPv4 address.
|
||
Step 6 |
Provide a Web Appliance Client Certificate for Secure Web Appliance-ISE/ISE-PIC server mutual authentication:
|
||
Step 7 |
Enable the ISE SGT eXchange Protocol (SXP) service. For information on enabling Secure Web Appliance to retrieve SXP binding topics from ISE services, see Enabling ISE-SXP Protocol for SGT-to-IP Address Mapping. |
||
Step 8 |
Enable the ISE External Restful Service (ERS).
|
||
Step 9 |
Click Start Test to test the connection with the ISE/ISE-PIC pxGrid node(s). |
||
Step 10 |
Click Submit. |
What to do next
Related Information
-
http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html , particularly “How To Integrate Cisco Secure Web Appliance using ISE/ISE-PIC and TrustSec through pxGrid..”
Import the Self-signed Secure Web Appliance Client Certificate to ISE/ISE-PIC Standalone Deployment
The basic steps are:
-
ISE Admin Node
-
Choose Administration > Certificates > Certificate Management > Trusted Certificates > Import.
Ensure that the following options are checked:
-
Trust for Authentication within ISE
-
Trust for client authentication and syslog
-
Trust for authentication of Cisco services
-
-
ISE-PIC Admin Node
-
Choose Certificates > Certificate Management > Trusted Certificates > Import.
Ensure that the following options are checked:
-
Trust for Authentication within ISE
-
Trust for client authentication and syslog
-
Trust for authentication of Cisco services
-
-
Refer to Cisco Identity Services Engine documentation for more information.
Import the Self-signed Secure Web Appliance Client Certificate to ISE/ISE-PIC Distributed Deployment
The basic steps are:
-
ISE Admin Node:
-
Choose Administration > Certificates > Certificate Management > Trusted Certificates > Import.
Ensure that the following options are checked:
-
Trust for Authentication within ISE
-
Trust for client authentication and syslog
-
Trust for authentication of Cisco services
-
-
ISE-PIC Admin Node:
-
Choose Certificates > Certificate Management > Trusted Certificates > Import.
Ensure that the following options are checked:
-
Trust for Authentication within ISE
-
Trust for client authentication and syslog
-
Trust for authentication of Cisco services
-
-
Refer to Cisco Identity Services Engine documentation for more information.
Note |
In Distributed ISE Deployment, the Secure Web Appliance communicates with MNT, PAN, and PxGrid nodes. In this case, the certificates or the issuer for all of the certificates, must be available in the ‘Extracted Root certificate’ i.e. in the RootCA which is generated through the ISE/ISE-PIC device. See Generating Certificate through ISE/ISE-PIC. |
Procedure
Step 1 |
Follow the steps in the Generating Certificate through ISE/ISE-PIC to generate RootCA, Web Appliance Client Certificate, and Web Appliance Client Key. |
Step 2 |
On ISE/ISE-PIC Admin Node, export the self-signed certificates manually through ISE/ISE-PIC > Administration > System > Certificates > System Certificates
Repeat the above steps for all ISE/ISE-PIC distributed nodes. |
Step 3 |
Append the downloaded certificate-files in RootCA.pem manually using
|
Step 4 |
Upload the modified RootCA.pem in the ISE configuration page of the Secure Web Appliance. See Connect to the ISE/ISE-PIC Services. |
Configuring logging for ISE/ISE-PIC
-
Add the custom field %m to the Access Logs to log the Authentication mechanism—Customizing Access Logs.
-
Verify that the ISE/ISE-PIC Service Log was created; if it was not, create it—Adding and Editing Log Subscriptions.
-
Define Identification Profiles that access ISE/ISE-PIC for user identification and authentication—Classifying Users and Client Software, on page 117.
-
Configure access policies that utilize ISE/ISE-PIC identification to define criteria and actions for user requests—Policy Configuration, on page 191.
Acquiring ISE/ISE-PIC ERS Server Details from ISE/ISE-PIC
-
Enable the Cisco ISE REST API in ISE/ISE-PIC (the APIs use HTTPS port 9060).
Note
You must enable ISE External Restful Service (ERS) on the Secure Web Appliance (Network > Identity Services Engine) to configure security policies based on groups. This is applicable to 11.7 and later versions.
-
ISE
-
Choose Administration > Settings > ERS Settings > ERS settings for primary admin node > Enable ERS.
Enable ERS for Read for All Other Nodes if there are any secondary nodes.
-
-
ISE-PIC
-
Choose Settings > ERS Settings > Enable ERS.
-
-
-
Ensure you have created an ISE administrator with the correct External RESTful Services group. The External RESTful Services Admin group has full access to all ERS APIs (GET, POST, DELETE, PUT). This user can Create, Read, Update, and Delete ERS API requests. The External RESTful Services Operator has Read Only access (GET request only).
-
ISE
-
Choose Administration > System > Admin Access > Administrators > Admin Users.
-
-
ISE-PIC
-
Choose Administration > Admin Access > Admin Users.
-
-
If the ERS service is available on separate servers, and not on the ISE/ISE-PIC pxGrid nodes, you will need the primary and secondary (if configured), servers' hostnames or IPv4 addresses.
Refer to Cisco Identity Services Engine documentation for more information.
Configure ISE-SXP Integration
This section includes the following topics:
About ISE-SXP Protocol for SGT-to-IP Address Mapping
SGT Exchange Protocol (SXP) is a protocol developed to propagate the IP-SGT bindings across network devices. A Security Group Tag (SGT) specifies the privileges of a traffic source within a trusted network.
You can integrate Cisco Identity Services Engine (ISE) deployment with Cisco Secure Web Appliance for passive authentication. Secure Web Appliance can subscribe to SXP mappings from ISE. ISE uses SXP to propagate the SGT-to-IP address mapping database to managed devices. When you configure Secure Web Appliance to use the ISE server, you enable the option to listen to the SXP topic from ISE. This causes Secure Web Appliance to learn about the SGTs and IP address mappings directly from ISE.
Secure Web Appliance generates a dummy user authentication IP addresses, which include the ISE cluster IP address along with the IP address of the client. Therefore, multiple client IP addresses can be authenticated on the cluster IP address.
Guidelines and Limitations
ISE-SXP protocol for SGT-to-IP address mapping has the following guidelines and limitations:
-
IPv6 enabled endpoints are not support in Secure Web Appliance Release 14.5.
-
In Secure Web Appliance Release 14.5, usernames and group mapping are not available in the SGT-to-IP address mappings. Therefore, the administrator cannot create policies based on ISE users and groups in Secure Web Appliance. However, it can be created with SGTs.
-
To schedule the restart timestamp for the bulk download process, you must configure time in the HH::MM format within 24 hours to restart the ised process.
Note
It is recommended that you configure the time when the user authentication process is indicated to be less in the day. For example, at 00:00 hour.
Prerequisites
ISE-SXP protocol for SGT-to-IP address mapping has the following prerequisite:
-
Requires a trusted root certificate. To add a trusted root certificate, see Managing Trusted Root Certificates.
Enabling ISE-SXP Protocol for SGT-to-IP Address Mapping
All mappings that are defined in ISE, including the SGT-to-IP address mappings can be published through SXP. You can retrieve the ISE-SXP information using the following mechanisms:
-
Bulk download—After a ised process restart, Secure Web Appliance sends the bulk download request to the ISE aggregator node in order to get information for all ISE-SXP entries that are available on the aggregator node. You can schedule the restart timestamp using AsyncOS Command Line Interface (CLI).
-
Incremental update— Secure Web Appliance subscribes over a websocket to get incremental update messages. There are two types of messages:
-
Create—for all newly created entries
-
Delete—for all SXP updated entries
Note
Secure Web Appliance receives two messages (Delete followed by Create) for each entry that is updated.
-
You are allowed to schedule restart.
Procedure
Step 1 |
Navigate to . |
||
Step 2 |
Click Edit Settings. |
||
Step 3 |
Check Enable ISE Service. |
||
Step 4 |
Check Enable to enable Secure Web Appliance to retrieve SXP binding topics from ISE services. By default, the ISE SGT eXchange Protocol (SXP) service is disabled. |
||
Step 5 |
Click Start Test to test the connection.
|
||
Step 6 |
Click Submit. |
Verifying the ISE-SXP Protocol Configuration
You can verify the ISE-SXP protocol configuration using any one of the following methods:
-
Click Start Test in the Enabling ISE-SXP Protocol for SGT-to-IP Address Mapping and verify the displayed information.
-
Use the STATISTICS command under the ISEDATA command in the AsyncOS Command Line Interface (CLI).
When you use the STATISTICS command, the following information appears:
-
ERS Hostname
-
ERS Time of Connection
-
Session Bulk Download
-
Group Bulk Download
-
SGT Bulk Download
-
SXP Bulk Download
-
Session Update
-
Group Update
-
SXP Update
-
Memory Allocation
-
Memory Deallocation
-
Total Session Count
isesxp_<ISE-node-ip>_sgt<SGT number>_<Client IP address>
For example: isesxp_10.10.2.68_sgt18_10.10.10.10VDI (Virtual Desktop Infrastructure) User Authentication in ISE/ISE-PIC Integrations
You can configure transparent identification with ISE/ISE-PIC for users on VDI environments based on the source ports used.
You must install the Cisco Terminal Services (TS) Agent, on the VDI servers. The Cisco TS agent provides the identity information to ISE/ISE-PIC. The identity information includes domain, user name, and the port ranges used by each user.
-
Download the Cisco TS agent from the support site https://www.cisco.com/c/en/us/support/index.html.
-
See the Cisco Terminal Services (TS) Agent Guide https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html for more information.
-
Configure the ISE/ISE-PIC API provider to work with a Cisco TS agent. See the Cisco TS agent documentation for information about sending API calls.
Note |
|