https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450087#M536928 <HTML><HEAD></HEAD><BODY><P>Michael,</P><P></P><P>Are you following either of our guides:</P><P><A href="https://community.cisco.com/migration-blogpost/8138">ISE 2.1 and WSA via pxGrid and CA-Signed Certificates</A></P><P><A href="https://community.cisco.com/docs/DOC-68290">How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid</A></P><P>?</P></BODY></HTML> Mon, 06 Feb 2017 22:20:42 GMT thomas 2017-02-06T22:20:42Z https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450084#M536921 <HTML><HEAD></HEAD><BODY><P>I'm having some issues with WSA integration.</P><P></P><P>I've enabled pxGrid on ISE have the cert signed with both client and server auth.&nbsp; </P><P></P><P>The root cert is uploaded to the WSA. I signed the WSA client cert with the pxGrid template.</P><P></P><P>When I do a test I get the following.</P><P></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Checking DNS resolution of ISE pxGrid Node hostname(s) ...</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Success: Resolved '172.16.2.17' address: 172.16.2.17</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Validating WSA client certificate ...</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Success: Certificate validation successful</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Validating ISE pxGrid Node certificate(s) ...</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Success: Certificate validation successful</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Validating ISE Monitorting Node Admin certificate(s) ...</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Success: Certificate validation successful</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Checking connection to ISE pxGrid Node(s) ...</SPAN></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Success: Connection to ISE pxGrid Node was successful.<BR />Retrieved 17 SGTs from: 172.16.2.17</SPAN></P><P></P><P><SPAN style="color: #000000; font-family: verdana, arial, sans-serif; font-size: 11px;">Checking connection to ISE Monitorting Node (REST server(s)) ...</SPAN></P><P><SPAN style="font-family: verdana, arial, sans-serif; font-size: 11px; color: #990000;">Failure: Connection to ISE Monitorting Node timed out</SPAN></P><P><SPAN style="color: #990000; font-family: verdana, arial, sans-serif; font-size: 11px;">Test interrupted: Fatal error occurred, see details above.</SPAN></P><P></P><P>The WSA is showing in the client list on ISE.<IMG alt="wsapcgrid.JPG" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/102930_wsapcgrid.JPG" style="height: 115px; width: 620px;" /></P></BODY></HTML> Sat, 26 Nov 2016 01:27:40 GMT https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450084#M536921 michaellperrin 2016-11-26T01:27:40Z https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450085#M536924 <HTML><HEAD></HEAD><BODY><P>Got it working. I didn't have a DNS record setup for the ISE node.</P><P></P><P>I do have another question.&nbsp; When I connect a VPN user with anyconnect, The live log doesn't show the IP address of the VPN client. Maybe it's not included in the radius request?</P><P></P><P>Is there any way to get that information? I can't enforce policy if I don't know the IP.</P></BODY></HTML> Sat, 26 Nov 2016 04:14:59 GMT https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450085#M536924 michaellperrin 2016-11-26T04:14:59Z https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450086#M536926 <HTML><HEAD></HEAD><BODY><P>I was able to populate the IP address for VPN users by turning on accounting on the VPN profile.</P><P></P><P>However that user data isn't being passed to FMC or WSA.&nbsp; Windows login event are via passiveID but not the VPN logins.</P><P></P><P>Shouldn't any session be passed over via pxGrid to WSA and FMC?</P></BODY></HTML> Tue, 29 Nov 2016 16:52:51 GMT https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450086#M536926 michaellperrin 2016-11-29T16:52:51Z https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450087#M536928 <HTML><HEAD></HEAD><BODY><P>Michael,</P><P></P><P>Are you following either of our guides:</P><P><A href="https://community.cisco.com/migration-blogpost/8138">ISE 2.1 and WSA via pxGrid and CA-Signed Certificates</A></P><P><A href="https://community.cisco.com/docs/DOC-68290">How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid</A></P><P>?</P></BODY></HTML> Mon, 06 Feb 2017 22:20:42 GMT https://community.cisco.com/t5/network-access-control/wsa-integration-issue/m-p/3450087#M536928 thomas 2017-02-06T22:20:42Z