cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
3099
Views
2
Helpful
7
Replies

Stealthwatch EPS Integration

scamarda
Cisco Employee
Cisco Employee

SW 6.8 with ISE 2.1. Getting the following error on the SMC when I manually try to quarantine: ā€œQuarantine request failed to be sent to ISEā€.

I see the client identities coming from ISE to SW so I know it is receiving ISE syslog info. I see the SMC come online and then offline on the ISE pxGrid status page. The SMC shows Client Group of ANC.    All of the status indicators are green on the SMC.  ISE pxGrid quarantine is working for Splunk so I am fairly certain that ISE is set up correctly.

ISE pxgrid-controller log shows:

2016-09-08 23:43:31,499 INFO   [Thread-7][] cisco.pxgrid.controller.sasl.SaslWatcher -:::::- Handling authentication for user name smc-01

2016-09-08 23:43:31,503 INFO   [Thread-7][] cisco.pxgrid.controller.sasl.SaslWatcher -:::::- sending success authentication for smc-01@xgrid.cisco.com

2016-09-08 23:43:32,134 INFO   [pool-1-thread-85][] cisco.pxgrid.controller.common.GridRulesManager -:::::- Client smc-01@xgrid.cisco.com is not authorized for topic EndpointProtectionService:operation subscribe. error=com.cisco.pxgrid.model.core.BaseError@7ef01754[

  code=<null>

  description=not authorized

How do I get the SMC to be authorized for EPS?

1 Accepted Solution

Accepted Solutions

Charlie Moreton
Cisco Employee
Cisco Employee

Sounds like you might have missed just one step.

In ISE, navigate to Administration > pxGrid Services, check the box next to your StealthWatch Server and click the Group button:

Stealtwatch1.png


In the Client Group dialog, assign your StealthWatch Server to the EPS  group:

Stealtwatch2.png


This should authorize SMC for EPS.

View solution in original post

7 Replies 7

Charlie Moreton
Cisco Employee
Cisco Employee

Sounds like you might have missed just one step.

In ISE, navigate to Administration > pxGrid Services, check the box next to your StealthWatch Server and click the Group button:

Stealtwatch1.png


In the Client Group dialog, assign your StealthWatch Server to the EPS  group:

Stealtwatch2.png


This should authorize SMC for EPS.

Charles,

You are my hero.  Works like a charm now. 

Thanks.

Sam

Sam,

I'm glad this worked for you. Thanks for letting me know. 

AndiBuchmann157
Level 1
Level 1

hi,

sorry for digging this out, but i cant get it working..

my ise and stealthwatch are connected  via pxgrid. i followed every step of the " Deploying Cisco Stealthwatch 6.9 with Cisco Identity Services Engine (ISE) 2.2 using Cisco Platform Exchange Grid (pxGrid)" Guide from John Eppich and used the ISE internal CA.

My ISE and Stealthwatch are connected as you can see in the screenshots right here:

Screenshot_1.jpg

Screenshot_2.jpg

Screenshot_3.jpg

Screenshot_4.jpg

Screenshot_5.jpg

Screenshot_6.jpg

@

Which patch level is your ISE 2.2? ISE 2.2 Patch 1 can run into CSCvc81676

if i google "CSCvc81676" i cant find anything, but yes, my ISE is running exactly this version and patch

EDIT:

Screenshot_11.jpg

It's one of the bugs addressed in ISE 2.2 Patch 2, which went out last month.