ISE 2.1 and StealthWatch Integration via Self-Sign Certs

Cisco Employee

This blog post goes over integrating ISE 2.1 and StealthWatch via pxGrid with self-signed certificates. I personally prefer CA-signed certificates for my deployments, because if I ever need to rebuild an ISE instance or a pxGrid client it is extremely easy to get it up and running again with a CA-signed certificate, but that isn't the ideal situation for everyone. For those without a PKI infrastructure, or for lab environments, it's pretty easy to set up pxGrid integration without an external PKI: each side simply imports and trusts the other side's self-signed certificate directly.

I'm going to use ISE 2.1 and StealthWatch 6.8 to demonstrate this, and I'll go through it quickly. If you would like more detail on pxGrid integration or other deployment methods, see the ISE guides in the ISE Design Zone here.

In ISE, navigate to Administration>System>Deployment and click on the name of the ISE node that you would like to be running your pxGrid services. In the Edit Node screen, make sure that the box next to pxGrid is checked and click Save.

ISE Blog Post.JPG

Navigate to Administration>System>Certificates>System Certificates and make sure the default self-signed certificate is enabled for pxGrid by checking the box next to it and clicking Edit:

ISE2.JPG

After making sure that pxGrid is enabled for this certificate, click the Export button to export it. Export only the public certificate, not the private key; the SMC needs nothing more than the certificate to trust ISE, and the ISE private key should never leave the node.

ISE3.JPG

ISE4.JPG

While we set this up, we want ISE to accept requests from all pxGrid clients without additional approval, so navigate to Administration>pxGrid Services>Settings, check the box next to Automatically approve new accounts, and click Save. Note that with this enabled, any client that can reach the pxGrid node and present a certificate ISE trusts is registered without review; once the SMC shows up under pxGrid Services>Clients, it is worth unchecking this again and approving new clients manually.

ISE5.JPG

Switching over to Stealthwatch Management Center, click on Admin User>Administer Appliance and then navigate to Configuration>Certificate Authority Certificates. On this screen, upload the ISE self-signed certificate that you just exported.

ISE6.JPG

SSH to your StealthWatch Management Center using the root credentials (root SSH access must be enabled first under Administer Appliance>Services) and create a key with the following command:

openssl genrsa -des3 -out selfsmc.key 2048

It'll ask you to enter a passphrase. Any value will do, since we strip it from the key again later. In this case, I just chose cisco123.

ISE7.JPG

After the key is issued, we're going to create a Certificate Signing Request from it by issuing the following command:

openssl req -new -key selfsmc.key -out selfsmc.csr

It will ask for the passphrase immediately (cisco123) and then prompt for some basic certificate parameters; the Common Name should be the name or IP address the SMC is known by. At the end, you can optionally set a challenge password for this CSR. I did NOT use one:

ISE8.JPG

Next we will create the self-signed SMC certificate, valid for 365 days, by issuing the following command:

openssl x509 -req -days 365 -in selfsmc.csr -signkey selfsmc.key -out selfsmc.crt

It'll again ask you for the passphrase of the key (cisco123)

ISE9.JPG

Next, strip the passphrase from the key file so the SMC can load the key without a prompt. The first command keeps the original encrypted copy as selfsmc.key.org; the second writes an unencrypted selfsmc.key:

cp selfsmc.key selfsmc.key.org

openssl rsa -in selfsmc.key.org -out selfsmc.key

It'll ask for the passphrase again (cisco123)

ISE10.JPG

After this is completed, use WinSCP to connect to the StealthWatch Management Center with your root credentials and copy selfsmc.crt and the passphrase-less selfsmc.key you just created to your local disk. Treat that unencrypted key like any other credential: delete it from your workstation once it has been uploaded to the SMC.

ISE11.JPG

In the StealthWatch Management Center, navigate to Admin User>Administer Appliance and then navigate to Configuration>SSL Certificate.

ISE12.JPG

Scroll down to SSL Identity Certificates at the bottom of the page, upload the self-signed .crt file you just created in the Target Certificate File field and the key file in the Private Key field, and click Upload to install the certificate as shown below:

ISE13.JPG

In ISE, navigate to Administration>System>Certificates>Trusted Certificates and click Import. Upload the SMC .crt file we created earlier and click Submit when done, as shown below. This is the other half of the trust relationship: the SMC already trusts the ISE certificate, and ISE now trusts the SMC certificate, so the pxGrid TLS session can be validated in both directions:

ISE14.JPG
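The openssl steps above (key, CSR, self-signed certificate, passphrase stripped), together with the checks worth running before the pair is uploaded to the SMC and the certificate is imported into ISE Trusted Certificates, as an added shell example that is not part of the original post. It assumes openssl is on the path, uses smc.example.com and 10.1.1.5 as placeholders for the SMC hostname and IP, and adds a subjectAltName that the original commands did not set; the make_smc_cert, key_matches_cert, cert_fingerprint, cert_subject_cn and trusts helpers are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the SMC key/CSR/self-signed
# certificate steps run non-interactively, plus the checks worth doing before
# the certificate and key go to the SMC and the certificate goes into ISE
# Trusted Certificates. Assumptions: openssl on PATH; smc.example.com and
# 10.1.1.5 are placeholders for the SMC name and IP; cisco123 is the demo
# passphrase from the post.
set -eu

PASS=cisco123   # demo passphrase only; it is removed from the final key below

# make_smc_cert <outdir> <cn> <ip>
# Writes selfsmc.key.org (encrypted), selfsmc.csr, selfsmc.crt and
# selfsmc.key (passphrase stripped) into <outdir>.
make_smc_cert() {
    dir=$1; cn=$2; ip=$3
    mkdir -p "$dir"
    # 1. genrsa -des3: 2048-bit RSA key, DES3-encrypted with the passphrase
    openssl genrsa -des3 -passout "pass:$PASS" -out "$dir/selfsmc.key.org" 2048 2>/dev/null
    # 2. req -new: the CSR; -subj replaces the interactive prompts and no
    #    challenge password is set (as in the post)
    openssl req -new -key "$dir/selfsmc.key.org" -passin "pass:$PASS" \
        -subj "/C=US/O=Lab/CN=$cn" -out "$dir/selfsmc.csr" 2>/dev/null
    # 3. x509 -req: self-sign for 365 days. The SAN is an addition so that
    #    clients that check the hostname/IP accept the certificate.
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$cn" "$ip" > "$dir/san.cnf"
    openssl x509 -req -days 365 -in "$dir/selfsmc.csr" -signkey "$dir/selfsmc.key.org" \
        -passin "pass:$PASS" -extfile "$dir/san.cnf" -out "$dir/selfsmc.crt" 2>/dev/null
    # 4. rsa: strip the passphrase so the SMC can load the key without a prompt
    openssl rsa -in "$dir/selfsmc.key.org" -passin "pass:$PASS" -out "$dir/selfsmc.key" 2>/dev/null
    chmod 600 "$dir/selfsmc.key" "$dir/selfsmc.key.org"
}

# key_matches_cert <key> <crt>: "match" if the key's modulus equals the
# certificate's, i.e. the pair uploaded under SSL Identity Certificates
# actually belongs together
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo MISMATCH; fi
}

# cert_fingerprint <crt>: SHA-256 fingerprint, to compare against what ISE
# displays after the import into Trusted Certificates
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_subject_cn <crt>: the CN the SMC will present to ISE
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# trusts <store_crt> <peer_crt>: "ok" if <peer_crt> validates against a trust
# store holding only <store_crt>. With self-signed certificates there is no
# chain, so each side's store must hold the peer certificate itself, which is
# what the SMC "Certificate Authority Certificates" upload and the ISE
# "Trusted Certificates" import achieve.
trusts() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

main() {
    dir=${1:-./smc-cert}
    make_smc_cert "$dir" smc.example.com 10.1.1.5
    echo "key/cert pair: $(key_matches_cert "$dir/selfsmc.key" "$dir/selfsmc.crt")"
    echo "subject CN:    $(cert_subject_cn "$dir/selfsmc.crt")"
    echo "fingerprint:   $(cert_fingerprint "$dir/selfsmc.crt")"
    echo "self-trust:    $(trusts "$dir/selfsmc.crt" "$dir/selfsmc.crt")"
}

# Run only when invoked with an output directory, e.g.: sh selfsmc.sh ./smc-cert
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as sh selfsmc.sh ./smc-cert. The fingerprint line is what to compare against the SMC certificate ISE shows under Trusted Certificates after the import, and the trusts check is the same validation ISE and the SMC perform against each other's stores; if it reports untrusted for the ISE certificate you exported against the copy you uploaded to the SMC, the wrong file was exported or uploaded.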

In StealthWatch Management Center, navigate to Deploy>Cisco ISE Configuration if you are version 6.8 or Tools>Cisco ISE Configuration in version 6.7.1:

ISE15.JPG

Add the IP address of your ISE node and the SMC syslog port (if different from the default), and give StealthWatch a username/password for ISE as shown below. With a single ISE node this is just that one node; in a distributed deployment, add the MnT and PSN nodes that will send syslog traffic to the SMC. Click Save when done:

ISE16.JPG

You should get a pop-up stating that the Cisco ISE connection was successful. If you don't, check network connectivity between ISE and the SMC, and any firewalls that might be blocking the required ports.

If all is configured correctly, you should get a green circle showing that communication with ISE is established and an Add Cisco ISE Mitigation button. Click on that button for the next step:

ISE17.JPG

On the Cisco ISE Mitigation menu, pick the SMC self-signed identity certificate we installed earlier from the drop-down menu, add the name and IP address of the ISE primary Admin node and optionally the secondary Admin node, and click Save:

ISE18.JPG

You should get a pop-up showing that the connection to the ISE mitigation nodes was successful.

In ISE, navigate to Operations>Adaptive Network Control>Policy List. We need an ANC policy before we can quarantine devices. Click Add, give the policy the name Quarantine and choose the action Quarantine:

ISE19.JPG

Next we need a global exception rule in the authorization policy that acts on quarantined sessions. Go to the Exceptions for your Authorization policy and create the following rule:

Name: ANC (or whatever you want to call it)

Conditions: Session:EPSStatus EQUALS Quarantine

Then: DenyAccess (Or whatever level of access you want to give quarantined users)

ISE20.JPG

Navigate to Administration>pxGrid Services>Clients and you should see your SMC client. Check the box next to the SMC client and then click the Group button:

ISE21.JPG

Under Client Group, remove Basic and add EPS (the Endpoint Protection Service group, which is what lets the client issue quarantine requests). Then click Save.

ISE22.JPG

Your SMC client should now display as this:

ISE23.JPG

Next we will configure the Stealthwatch Management Center as a remote logging target. In ISE, navigate to Administration>System>Logging>Remote Logging Targets and click Add:

ISE24.JPG

Name the remote target whatever you like and make sure the IP address points to the Stealthwatch Management Center. For the port, use the one defined earlier in the Cisco ISE Configuration on the Stealthwatch Management Center (3514 is the default). When you are done, click Submit.

ISE25.JPG

Navigate to Administration>System>Logging>Logging Categories and add your new remote logging target to the following:

- Passed Authentications

- RADIUS Accounting

- Administrative and Operational Audit

- Profiler

ISE26.JPG

ISE27.JPG

You're now done configuring the ISE and StealthWatch integration. Pull up a Host Report in the StealthWatch Management Center and you should see Quarantine and UnQuarantine buttons for that host, along with a history of which users have logged into it and other contextual information provided by ISE via syslog:

ISE28.JPG

Clicking Quarantine triggers the exception policy in ISE and quarantines the endpoint; as noted in the comments below, the host must have an active, authenticated session in ISE for the request to succeed. Clicking UnQuarantine clears the endpoint's EPS status.

13 Comments
Cisco Employee

This was a great help! Thanks! I was able to integrate successfully.

Just to share. After integration, I could not log in to the Java Console for a while. I don't have a self-signed scenario because I didn't set up a CA server. I hadn't done any other configuration, but suddenly I was able to log in to the Java Console, I guess within 24 hours. Just sharing a tip for those who encounter the same problem I had.

Regards,

Takeshi

Cisco Employee

Check the time skew between ISE, StealthWatch and the machine you tried to login with.

I'm running version 6.7.1 but I'm not able to download the CSR from the SMC with WinSCP. It says that the connection is refused. SSH is not running on the SMC and port 22 is disabled; maybe it has something to do with that.

Cisco Employee

Go to the SMC and then Administer Appliance. Under Services, you need to enable SSH root access. It should work now.

Contributor

I followed the steps up to the mark, and yet when I click on Quarantine for a host, it throws the following error message at me: "Quarantine request failed to be sent to ISE."

Am I missing something here?

The host that you are trying to quarantine needs to be an authenticated user in ISE. If you quarantine a random host it doesn't work.

Contributor

I have done the configuration as follows;

1. Integrated ISE node with Stealthwatch using CA signed certificates

2. Added an SSID on a Cisco WLC

3. Added AD as the external identity source and made the required configuration in the authorization policies

4. Logged in with an AD user via the SSID; the user logged in and I am able to see the host as well as the user in SMC

5. Did a quarantine for the user, yet it fails with the above error message.

Beginner

Nice Blog Katherine! Will this be successful in ISE 2.1 and Stealthwatch 6.7 environment?

Cisco Employee

Yes, it should be. On an unrelated note, I would recommend to upgrade to 6.8.3 for Stealthwatch just on general usability

Hello Katherine, I am interested in Stealthwatch and ISE integration.

Is Stealthwatch able to do automatic mitigation via Cisco ISE?

Do you have any best practice documents on how to tune Stealthwatch? I have deployed Stealthwatch in my environment using SPAN, and all I get is undefined TCP and UDP and HTTPS in the top application section.

What is the best way to use Stealthwatch as a sensor?

After following the official integration whitepaper which resulted in an incomplete configuration I stumbled upon this post which is 100% accurate.

Thank you

Beginner

Hi Katherine, I am using ISE 2.1 and SMC 6.8.4. I get an error while adding the ISE node for mitigation in SMC. The error is: "The connection to the ISE mitigation node(s) has timed out. Refer to the ISE Configuration Help topic for troubleshooting". And the cause for this is that mitigation cannot be added using a self-signed certificate.

Beginner

Hello Katherine,

Would this procedure work with ISE 2.4 and Stealthwatch 7.0 as a combination?

Thank you,

Robert C.