Is there a step-by-step guide available for ISE-PIC + Firepower setup? Struggling with generating and importing certificates

amoskvit
Level 1

1 Accepted Solution

Accepted Solutions

Andrey,

Unfortunately, we don't have one just yet, but I believe John Eppich is working on one. In the meantime, you can use the integration guide in the docs section of this community for ISE-PIC and StealthWatch. The process is very similar.

Regards,

-Tim

7 Replies

Timothy Abbott
Cisco Employee

Andrey,

Are you using the CA built into ISE-PIC?

Regards,

-Tim

Yes, I would love to use it in as simple a setup as possible for PoCs, without any integrations with the customer's or a third-party CA.

Thanks Tim!

Is there a chance to get access to a draft of the document?

And I will put it on test ☺

I struggle with the Firepower side, not ISE, so the Stealthwatch guide is not very helpful.

Here is how I handle it with full ISE, which should be very similar to ISE-PIC:

  1. Once I get my full deployment put together I like to make sure the internal CA is truly reflective of the deployment setup. Go to the Certificate Authority Certificates screen in ISE and delete all the certificates.
  2. Then go to the Certificate Signing Request screen and generate a Certificate Signing Request.
  3. In the drop-down for certificate use, select ISE Root CA. This will recreate the entire CA/SubCA structure for the internal ISE CA.
  4. Now if you look at each of the nodes (assuming you are running 2.2) you will see a cert from the internal CA installed on each node. Set that to be your pxGrid cert.
  5. Go back to Certificate Authority Certificates and export the Root CA cert, which will be on the primary admin node.
  6. Now the CA is ready to rock and you have the root CA cert you need for FMC.
  7. Now you are ready to issue certs/private keys from ISE. Skip the BS of trying to do any of this on the CLI of FMC or using OpenSSL. Go to the pxGrid Services screen and generate a new cert without a CSR, which will give you a cert and private key you can export and install on FMC.
  8. Also in the pxGrid section, enable "automatically activate/approve certificate-based authenticated pxGrid clients". No need to approve these connections when you are generating all the certs from ISE, in my opinion.
  9. Finally, on FMC you do the ISE integration and point to your primary and secondary pxGrid servers. The root CA cert is loaded for both root CA options. Install the cert and private key you generated from ISE pxGrid Services.
  10. Now you can run the connectivity test. To really ensure it is working, go into a rule in FMC, go to the SGT section of the rule, and verify you can see the SGT tags and profiling groups coming from ISE.

FMC integration with ISE pxGrid using internal certs is very straightforward.
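The steps above generate the material entirely in the ISE GUI, and the place people usually get stuck is step 9: the import into FMC fails because the root CA loaded for the two CA options is not the one that issued the pxGrid cert, the private key in the export does not belong to the cert, or the cert lacks the client-authentication EKU that FMC needs when it connects to pxGrid as a client. The script below is an added example, not part of this thread or of any Cisco documentation, that runs those three checks locally with OpenSSL before you touch FMC. It assumes OpenSSL is installed and that the ISE export has been unpacked into three PEM files whose names are assumptions here (root.pem for the Root CA cert from step 5, fmc.pem and fmc.key for the pair generated in step 7); if ISE exported the key encrypted, pass the export password as a fourth argument. Run without arguments, it builds a throwaway root CA and leaf cert of its own so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks on the PEM material exported from
# ISE's internal CA before it is imported into FMC. Assumes openssl is on the PATH and
# that the export was unpacked into (assumed file names):
#   root.pem - the ISE Root CA certificate       (step 5)
#   fmc.pem  - the pxGrid certificate for FMC    (step 7)
#   fmc.key  - its private key (pass the export password as a 4th argument if encrypted)

# verify_pxgrid_material ROOT_CA CERT KEY [KEY_PASSWORD]
# Returns 0 when the material is consistent, 1 with a reason on stdout otherwise.
verify_pxgrid_material() {
  root_ca=$1; cert=$2; key=$3; pass=$4
  for f in "$root_ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
  done
  # 1. The cert must chain to the root CA you are about to load into FMC for both CA options.
  openssl verify -CAfile "$root_ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain check failed: $cert is not issued under $root_ca"; return 1; }
  # 2. The private key must belong to the cert: compare the public keys they carry.
  #    -passin is only consulted when the key is actually encrypted.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot parse certificate $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout -passin "pass:${pass:-none}" 2>/dev/null) \
    || { echo "cannot parse private key $key (wrong password?)"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "key mismatch: $key does not belong to $cert"; return 1; }
  # 3. FMC authenticates to pxGrid as a client, so the cert needs the clientAuth EKU.
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -A1 "Extended Key Usage" \
    | grep -q "TLS Web Client Authentication" \
    || { echo "EKU check failed: $cert lacks TLS Web Client Authentication"; return 1; }
  echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
  return 0
}

# Constructed stand-ins for the ISE export so the checks can be exercised offline:
# a throwaway root CA, a leaf signed by it with clientAuth, and an unrelated key.
make_demo_material() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.cnf"
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth, serverAuth\n' > "$dir/leaf.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" \
    -subj "/CN=Demo ISE Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -out "$dir/root.pem" \
    -days 30 -extfile "$dir/ca.cnf" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/fmc.key" -out "$dir/fmc.csr" \
    -subj "/CN=fmc.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/fmc.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/fmc.pem" -days 30 -extfile "$dir/leaf.cnf" >/dev/null 2>&1
  # An unrelated key, to show what a key/cert mismatch looks like.
  openssl genrsa -out "$dir/wrong.key" 2048 >/dev/null 2>&1
}

# Usage:  sh check_pxgrid.sh root.pem fmc.pem fmc.key [password]
# With no arguments the checks run against the constructed stand-ins instead.
if [ "$#" -ge 3 ]; then
  verify_pxgrid_material "$@"
else
  demo=$(mktemp -d)
  make_demo_material "$demo"
  verify_pxgrid_material "$demo/root.pem" "$demo/fmc.pem" "$demo/fmc.key"
  verify_pxgrid_material "$demo/root.pem" "$demo/fmc.pem" "$demo/wrong.key" \
    || echo "(that mismatch is the expected result for the unrelated key)"
  rm -rf "$demo"
fi
```

If the chain check fails, the cert was issued by a different CA than the one you exported in step 5 (typically because the CA was regenerated in step 3 after the pxGrid cert was cut), and regenerating the pxGrid cert is the fix; a key mismatch usually means the wrong file from the export was picked; a missing client-auth EKU means the cert was generated for the wrong use.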

Thanks Paul! Saved my day