Solved: Stealthwatch EPS Integration

scamarda · ‎09-08-2016

SW 6.8 with ISE 2.1. Getting the following error on the SMC when I manually try to quarantine: “Quarantine request failed to be sent to ISE”.

I see the client identities coming from ISE to SW so I know it is receiving ISE syslog info. I see the SMC come online and then offline on the ISE pxGrid status page. The SMC shows Client Group of ANC. All of the status indicators are green on the SMC. ISE pxGrid quarantine is working for Splunk so I am fairly certain that ISE is set up correctly.

ISE pxgrid-controller log shows:

2016-09-08 23:43:31,499 INFO [Thread-7][] cisco.pxgrid.controller.sasl.SaslWatcher -:::::- Handling authentication for user name smc-01

2016-09-08 23:43:31,503 INFO [Thread-7][] cisco.pxgrid.controller.sasl.SaslWatcher -:::::- sending success authentication for smc-01@xgrid.cisco.com

2016-09-08 23:43:32,134 INFO [pool-1-thread-85][] cisco.pxgrid.controller.common.GridRulesManager -:::::- Client smc-01@xgrid.cisco.com is not authorized for topic EndpointProtectionService:operation subscribe. error=com.cisco.pxgrid.model.core.BaseError@7ef01754[

code=<null>

description=not authorized

How do I get the SMC to be authorized for EPS?

Charlie Moreton · ‎09-09-2016

Sounds like you might have missed just one step.

In ISE, navigate to Administration > pxGrid Services, check the box next to your StealthWatch Server and click the Group button:

In the Client Group dialog, assign your StealthWatch Server to the EPS group:

This should authorize SMC for EPS.

View solution in original post

Charlie Moreton · ‎09-09-2016

Sounds like you might have missed just one step.

In ISE, navigate to Administration > pxGrid Services, check the box next to your StealthWatch Server and click the Group button:

In the Client Group dialog, assign your StealthWatch Server to the EPS group:

This should authorize SMC for EPS.

scamarda · ‎09-09-2016

Charles,

You are my hero. Works like a charm now.

Thanks.

Sam

Charlie Moreton · ‎09-09-2016

Sam,

I'm glad this worked for you. Thanks for letting me know.

AndiBuchmann157 · ‎08-10-2017

hi,

sorry for digging this out, but i cant get it working..

my ise and stealthwatch are connected via pxgrid. i followed every step of the " Deploying Cisco Stealthwatch 6.9 with Cisco Identity Services Engine (ISE) 2.2 using Cisco Platform Exchange Grid (pxGrid)" Guide from John Eppich and used the ISE internal CA.

My ISE and Stealthwatch are connected as you can see in the screenshots right here: