cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
166
Views
0
Helpful
0
Replies

ISE-PIC 3.2 not sending username-IP mappings to WSA 15.2.0-164

Scott123
Level 1
Level 1

I have ISE-PIC 3.2.0.542 Patch 5 which is successfully receiving user login sessions from AD agent but it is not sending username-IP mappings our WSA web proxy (15.2.0-164).

WSA can connect to ISE-PIC via pxGrid and query user sessions and AD groups but ISE-PIC does not pass username-IP mappings when it learns of user AD logons from AD Agents. ISE-PIC does not send any packets to WSA according to packet captures on ISE-PIC when user logon event occur.

Any help would be appreciated.

Details:
WSA and ISE-PIC are configured according to admin and integration guides, pxGrid certificates, ISE-PIC ERS certificate and WSA appliance certificate are signed by the same CA. The root and intermediate CA certificates are imported in WSA and ISE-PIC trusted cert stores, and in the WSA > ISE config section.

The TAC has confirmed it is not a certificate issue and the "WSA > ISE > Test Communication with ISE Nodes" test is successful, WSA has an Identity Profile using ISE and an Access Policy using an AD group learnt from ISE-PIC.

Packet captures taken from ISE-PIC and WSA show that ISE-PIC does not send any packets to WSA unless I run a comms test from WSA or click on "Authorized Users and Groups > Selected Groups and Users > ISE Groups" in WSA.

wsa_domain_start_test_ised appears in ISE-PIC > subscribers > Client Managment > clients > pxGrid Clients. The TAC assures me  that only this one line should appear here.

WSA software version: 15.2.0-164 , model S195
ISEPIC software: 3.2.0.542 Patch 5, running in ESXi vm

WSA ISE Comms test output:

Validating WSA client certificate ...
Success: Certificate validation successful
Validating ISE pxGrid Node certificate(s) ...
Success: Certificate validation successful
Checking connection to ISE pxGrid Node(s) ...
Trying primary PxGrid server...
Preparing TLS connection...
Completed TLS handshake with PxGrid successfully.
Trying download user-session from (https://ise-pic.domain:8910)...
Able to Download 34 user-sessions.
Trying connecting to primary ERS service...
Trying download user-groups...
Able to Download 2 user-groups.
Success: Connection to ISE pxGrid Node was successful.
Test completed successfully.

 

0 Replies 0