
ISE / Stealthwatch integration doesn't work

peter.peng
Level 1

My ISE and Stealthwatch are connected via pxGrid. I followed every step of the "Deploying Cisco Stealthwatch 6.10.2 with Cisco Identity Services Engine (ISE) 2.4.0.375 using Cisco Platform Exchange Grid (pxGrid)" guide from John Eppich and used the ISE internal CA.

I set up this configuration following the documents below, but I can't quarantine the host. It shows the error message below.

Deploying Certificates with Cisco pxGrid - Using Self-Signed Certificates Updates to Cisco ISE 2.0/2.1/2.2

https://community.cisco.com/t5/security-documents/deploying-certificates-with-cisco-pxgrid-using-self-signed/ta-p/3639607

https://www.network-node.com/blog/2016/5/30/stealthwatch-and-ise-integration-with-ca-signed-certificate

 

My ISE and Stealthwatch are connected as you can see in the screenshots right here:

[Screenshots: 螢幕快照 2018-11-07 下午9.54.53.png, 螢幕快照 2018-11-07 下午10.06.41.png, 螢幕快照 2018-11-07 下午9.50.35.png]

4 Replies

Timothy Abbott
Cisco Employee
Hey Peter,

Based on your screenshots, it looks like you have the integration set up correctly. Can you share any other details regarding the error? The reason I ask is because I'm trying to determine if the issue is with ISE or SW.

Regards,
-Tim

Surendra
Cisco Employee
Can you give us the output when you click on "show details" on the error pop-up?

kthiruve
Cisco Employee

As Tim mentioned, the pxGrid configuration seems OK.

However, from the screenshot I see that the status for the host in the Stealthwatch UI shows inactive. Can you clear the authentication session on the switch or do a shut/no shut on the switchport? It has to show active. Also make sure you are generating the right traffic based on the security events configured if you are capturing a policy violation. Make sure you also see the sessions in ISE.

 

-Krishnan

Hi Sir:

Referring to your description, I have the issues below.

1. If ISE wants to block the host, it must control the switch. It will send the ACL to the switch by dACL. Right?

2. If ISE wants to control the switch, what kind of function must be set up on the switch?

   AAA/EAP/802.1x......

3. In my lab, I just implemented the VM hosts of ISE / Stealthwatch / FMC / FDM / Kali / Win 7. I didn't implement a Cisco switch. So it can't send the dACL to Stealthwatch from ISE and block the Kali?