topic Re: pxGrid and pxGrid Direct connector - CoA in Network Access Control

pxGrid and pxGrid Direct connector - CoA

oron.yaniv — Mon, 15 Jul 2024 19:00:30 GMT

Hi All,

question regarding CoA in pxGrid.

We will implement pxGrid with third-party integration (ARMIS / SentinalONE).

we have a couple of options, ERS / pxGrid / pxGrid direct connector (ISE 3.3).

in two if them (pxGrid / pxGrid Direct Connector), how does CoA occur?

if you can share some knowledgebase I will be thankful.

Re: pxGrid and pxGrid Direct connector - CoA

Arne Bier — Tue, 16 Jul 2024 06:26:41 GMT

Irrespective of whether or not pxGrid is involved, if a CoA is required to trigger re-auth of an endpoint, the CoA is sent from the PSN that owns the endpoint. This means the IP addresses of the PSNs must be configured on NAS devices with the correct RADIUS shared secret, and UDP/1700 must be allowed from PSN -> NAS devices.

Not sure there are any other subtleties involved. I don't have experience with pxGrid triggering the CoA, but since it's all done via API I don't believe there is any difference in how CoA is implemented

Re: pxGrid and pxGrid Direct connector - CoA

oron.yaniv — Tue, 16 Jul 2024 12:07:42 GMT

thanks for replying and sharing the info.

the question is more on the pxgrid side before the ISE mechanism even issues the CoA to NAD.

the question is focused on the PUB/SUB mechanism, and how it occurred in pxGrid. in pxGrid the communication is initiated from the Subscriber. and I expect the CoA will be issued from the subscriber. i asked myself how its worked under the hood (which pxgrid topic was involved, which request initiates from the publisher, if any)

and second question, how it occur in pxGrid direct connect?
in pxGrid Direct connect the communication changed, ISE Pulling information from external Data source (in JSON format), so in that point, after data populate or change over time - how does CoA occur?

Re: pxGrid and pxGrid Direct connector - CoA

Greg Gibbs — Tue, 16 Jul 2024 23:48:00 GMT

With pxGrid, the connection to the pxGrid pub/sub bus is initiated by the Subscriber, but all subsequent communications are issued by the Publisher (ISE). Updates published to the pxGrid pub/sub bus will be received by the Subscribers. The topics involved, depend on the Subscriber and what capabilities it supports. There is no CoA triggered by pxGrid itself by either the Publisher or Subscriber. A CoA is typically triggered by the ISE Profiler in the case that a significant profile change, an integrated system using the Adaptive Network Control (ANC) API (as is the case for Secure Network Analytics), or using the ISE MnT API.
See Introduction to the Cisco Platform Exchange Grid pxGrid in ISE for more information on pxGrid.

For pxGrid Direct, AFAIK, there is also no CoA triggered directly by this feature. If an asset attribute value changes, it will only be evaluated if a re-authentication or new auth session occurs, or if a CoA is initiated manually or via API.

Re: pxGrid and pxGrid Direct connector - CoA

thomas — Wed, 17 Jul 2024 00:23:27 GMT

pxGrid (pub/sub) is different than pxGrid Direct (REST-based data dictionary synchronization).

pxGrid achieves COA via Adaptive Network Control (ANC) APIs. This is how all of the integrated security solutions do it. You may read to read more about this from https://cs.co/ise-berg#pxgrid and https://cs.co/ise-berg#anc .