WSA Integration Issue

michaellperrin
Level 1

I'm having some issues with WSA integration.

I've enabled pxGrid on ISE and have the cert signed with both client and server auth.

The root cert is uploaded to the WSA. I signed the WSA client cert with the pxGrid template.

When I do a test I get the following.

Checking DNS resolution of ISE pxGrid Node hostname(s) ...

Success: Resolved '172.16.2.17' address: 172.16.2.17

Validating WSA client certificate ...

Success: Certificate validation successful

Validating ISE pxGrid Node certificate(s) ...

Success: Certificate validation successful

Validating ISE Monitorting Node Admin certificate(s) ...

Success: Certificate validation successful


Checking connection to ISE pxGrid Node(s) ...

Success: Connection to ISE pxGrid Node was successful.
Retrieved 17 SGTs from: 172.16.2.17

Checking connection to ISE Monitorting Node (REST server(s)) ...

Failure: Connection to ISE Monitorting Node timed out

Test interrupted: Fatal error occurred, see details above.

The WSA is showing in the client list on ISE.

3 Replies

michaellperrin
Level 1

Got it working. I didn't have a DNS record set up for the ISE node.

I do have another question. When I connect a VPN user with AnyConnect, the live log doesn't show the IP address of the VPN client. Maybe it's not included in the RADIUS request?

Is there any way to get that information? I can't enforce policy if I don't know the IP.

I was able to populate the IP address for VPN users by turning on accounting on the VPN profile.

However, that user data isn't being passed to FMC or WSA. Windows login events are via PassiveID, but not the VPN logins.

Shouldn't any session be passed over via pxGrid to WSA and FMC?

thomas
Cisco Employee