5544 Views, 2 Helpful, 7 Replies

ISE integration with ZScaler

watsongsg
Level 1

We use Cisco ISE to create user credentials for BYOD access.  We do this to avoid using AD (which we use for corporate devices) so that when a forced AD credential change occurs (due to security policy) that a user not changing their password on their BYOD device doesn’t lock out their AD account.

We also use ZScaler for Internet proxy access for BYOD devices.

The question is: does ISE support a user lookup by ZScaler, so that we can log users on via ZScaler for traceability purposes? ZScaler, to my knowledge, supports AD lookup and SAML.


Does anyone have any experience of this type of deployment?

Accepted Solution

Jason Kunst
Cisco Employee

Thinking about the options.

SAML would only work if the user logged into a web auth portal (like guest) before going through the proxy. We don’t have the ability to create a SAML assertion from an ISE user login.

https://communities.cisco.com/docs/DOC-64018#jive_content_id_Web_Portal_access_via_SAML_SSO

A solution that may work is to ask Zscaler to integrate with pxGrid for the user context, similar to what we have done with Cisco WSA:

https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISE-WSAIntegrationDoc/b_ISE-WSAIntegration.html

Could they consume syslog from ISE?


7 Replies

Craig Hyps
Level 10

ISE publishes user login info, including IP as well as SGT tag (TrustSec) info, via pxGrid, but I do not think ZScaler currently supports these options. ISE also presents a REST API for retrieval of session data, but I am not aware that ZScaler leverages this option either. ISE presents a RADIUS interface for user auth, so that is yet another option for ZScaler to authenticate a user.


Thanks Jason,

Great answers. We were hoping to avoid the web portal option, but at least it gives us a potential (albeit unpopular) solution if we’re forced to do it.

I hadn’t considered pxGrid, so I’ll ask them the question.

No idea if they can consume syslog either, so I’ll ask.

I’ll update the thread on any responses.

Cheers,

Gareth

There's currently no pxGrid integration for Zscaler; they use SAML, LDAP or Kerberos as auth mechanisms (or local DB, but let's focus on a manageable approach here :-).

I'm assuming that you won't be pushing proxy settings to the BYODs, so you'll already have a tunnel (IPsec or GRE) from your BYOD network gateway (or any other router in the data path towards the Internet) in place to route the traffic to Zscaler. As long as you don't NAT, you can use the Zscaler transaction logs to correlate client IP addresses back to the ISE 'Guest' user. Not perfect, but it should do the job.

Grtz, Joost
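The correlation Joost describes (Zscaler transaction log client IP matched against the ISE session that held that IP at that time) and the reason it breaks behind NAT, as an added example that is not part of the original thread. The ISE-style accounting lines and Zscaler-style transaction lines are constructed samples whose field layout is an assumption for this example; adapt the parsers to the real export formats. The time-window check also handles the case the post does not mention explicitly, a DHCP address being reused by a later user.

```python
"""Attribute Zscaler web transactions to ISE users by client IP and time.

Constructed sample data (assumed formats, not real captured logs):
  - ISE_SYSLOG: RADIUS accounting Start/Stop events in key=value style.
  - ZSCALER_LOG / ZSCALER_LOG_NAT: "time,client_ip,url" transaction lines.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed ISE accounting events. Note 10.20.0.11 is used by alice, then
# released and handed to carol: a plain IP->user map would misattribute.
ISE_SYSLOG = """\
2019-03-01T08:00:00Z ise01 CISE_RADIUS_Accounting Acct-Status-Type=Start, UserName=alice, Framed-IP-Address=10.20.0.11
2019-03-01T08:05:00Z ise01 CISE_RADIUS_Accounting Acct-Status-Type=Start, UserName=bob, Framed-IP-Address=10.20.0.12
2019-03-01T09:00:00Z ise01 CISE_RADIUS_Accounting Acct-Status-Type=Stop, UserName=alice, Framed-IP-Address=10.20.0.11
2019-03-01T09:10:00Z ise01 CISE_RADIUS_Accounting Acct-Status-Type=Start, UserName=carol, Framed-IP-Address=10.20.0.11
"""

# Constructed Zscaler transactions when the BYOD subnet reaches Zscaler unNATed.
ZSCALER_LOG = """\
2019-03-01T08:30:00Z,10.20.0.11,https://example.com/
2019-03-01T08:31:00Z,10.20.0.12,https://example.net/
2019-03-01T09:20:00Z,10.20.0.11,https://example.org/
"""

# Same traffic behind a CE router doing NAT: Zscaler only ever sees the
# router's outside address (203.0.113.10, documentation range), so nothing
# in the transaction log identifies the inside host.
ZSCALER_LOG_NAT = """\
2019-03-01T08:30:00Z,203.0.113.10,https://example.com/
2019-03-01T08:31:00Z,203.0.113.10,https://example.net/
"""


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    stop: Optional[datetime] = None  # None while the session is still open


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_ise_sessions(text: str) -> List[Session]:
    """Build IP-bound sessions from accounting Start/Stop events."""
    sessions: List[Session] = []
    open_by_ip = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _host, _event, rest = line.split(" ", 3)
        kv = dict(part.strip().split("=", 1) for part in rest.split(","))
        ip, user = kv["Framed-IP-Address"], kv["UserName"]
        if kv["Acct-Status-Type"] == "Start":
            sess = Session(user=user, ip=ip, start=_ts(ts))
            sessions.append(sess)
            open_by_ip[ip] = sess
        elif kv["Acct-Status-Type"] == "Stop":
            sess = open_by_ip.pop(ip, None)
            if sess is not None and sess.user == user:
                sess.stop = _ts(ts)
    return sessions


def user_for(sessions: List[Session], ip: str, when: datetime) -> Optional[str]:
    """User whose session covered `ip` at `when`; None if unknown or ambiguous."""
    hits = [s for s in sessions
            if s.ip == ip and s.start <= when and (s.stop is None or when <= s.stop)]
    return hits[0].user if len(hits) == 1 else None


def attribute(zscaler_text: str, sessions: List[Session]) -> List[Tuple[str, Optional[str]]]:
    """Map each Zscaler transaction to (url, user-or-None)."""
    result = []
    for line in zscaler_text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, url = line.split(",", 2)
        result.append((url, user_for(sessions, client_ip, _ts(ts))))
    return result


if __name__ == "__main__":
    sessions = parse_ise_sessions(ISE_SYSLOG)
    for label, log in (("no NAT", ZSCALER_LOG), ("behind NAT", ZSCALER_LOG_NAT)):
        print(label)
        for url, user in attribute(log, sessions):
            print(f"  {url:<24} -> {user or 'UNATTRIBUTED'}")
```

Without NAT every transaction resolves, and the 09:20 hit on 10.20.0.11 correctly goes to carol rather than alice because the match is bounded by the accounting Stop. Behind NAT every transaction comes back unattributed, which is the gap the rest of the thread is about; only something upstream of the NAT (ISE session data via pxGrid, syslog or the session REST API, or an authenticating proxy) can close it.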

Many thanks Joost,

You’ve totally grasped our deployment, but unfortunately we do NAT across our CE router.

I haven’t given up with ZScaler yet, perhaps they may consider to support pxGrid moving forward.

Cheers, G

Does ZScaler offer an identity farming agent like Cisco Umbrella does?

In a way. You can sync accounts through LDAP or AD (use filters to only expose those accounts and attributes you want), but in most cases you're best off using SAML with auto-provisioning (where Zscaler consumes attributes provided by the SAML token).

Zscaler can't do this through reading the AD event viewer (or similar methods), which is probably what you were looking for.