05-23-2016 06:14 PM
Hi there, please refer to the following pxGrid integration document published by Infoblox.
I could see that ISE as pxGrid subscribes to Infoblox for information such as - IP address, Infoblox Grid member, MAC/DUID, DHCP fingerprint, host name, DHCP lease start/end, NetBIOS, client ID. Is Username not published by Infoblox DDI?
Another question - traditionally ISE learns endpoint/user attributes via Radius and profiling methods, now that we have pxGrid how do we differentiate the source of Data in ISE policy?
For example, ISE learns the endpoint IP address from Radius request and Infoblox (via pxGrid) at the same time, is there a way in ISE Authz policy we can choose the IP address attribute in one way or the other?
Regards, CK
05-24-2016 08:10 AM
Hey CK,
ISE does not subscribe to Infoblox.
Infoblox will subscribe to the ISE pxGrid node and consume the following session information: account session id, audit session id, EPS Status, IP Address, MAC Address, NAS IP Address, NAS Port ID, Posture Status and Posture Time Stamp.
These session attributes will be used to populate the Infoblox IPAM table.
Infoblox publishes dynamic topics such as DHCP, so other pxGrid clients on the grid can subscribe to this topic and take action based on their policies. Partners who wish to use these features must work with Infoblox to implement these features. ISE today cannot subscribe to these dynamic topics and ISE cannot consume this information.
Infoblox can also provide ANC mitigation actions based on a violation of their policies.
pxGrid publishes the ISE session information which comes from the authenticated user session: username, endpoint device, etc. If you're interested, please email me and I will send you a list of available session attributes. It is up to the partner on how to implement pxGrid for their solution. Some partners will query off an IP address and receive ISE contextual information such as username, MACaddress, EndpointProfile and incorporate this within their policies.
We are currently working with Infoblox on their pxGrid integration. If you have any other questions, please feel free to email me directly as well.
Thanks,
John
07-12-2018 07:17 AM
Hi John,
We are in the middle of integrating Infoblox with ISE 2.3 and were looking for what information Infoblox enhances for ISE.
I know that this thread is an older one.
But I would like to know if the capability has changed since then.
As I can see that Infoblox does say that ISE now subscribes to Infoblox data, such as:
IP address, Infoblox Grid member, MAC/DUID, DHCP fingerprint, host name, DHCP lease start/end, NetBIOS, client ID
More info here: https://www.infoblox.com/wp-content/uploads/infoblox-partner-brief-infoblox-ddi-cisco-ise-and-the-pxgrid-solution-platform.pdf
Could you confirm this?
Thank you,
07-12-2018 07:30 AM
Hey Dinesh,
ISE still does NOT subscribe to Infoblox and consume this information.
Infoblox publishes this information as Dynamic Topics. pxGrid clients can subscribe to these topics and can use this information in their policies. Currently, we do have any pxGrid partners that can consume this information.
For more information on Infoblox published dynamic topics, please see: https://communities.cisco.com/docs/DOC-69178
Please email me directly; I have an updated doc if you plan on using the ISE internal CA for pxGrid certification.
Thanks,
John