Prior to anything, make sure the WSA has basic configs (IP address, licensing, etc).
For ISE, navigate to Administration>System>Certificates>Trusted Certificates and make sure the Root CA certificate is uploaded and that it’s Trusted for Client Authentication and authentication within ISE:
Navigate to Administration>System>Certificates>Certificate Signing Requests and click Generate Certificate Signing Requests (CSR). Create a Multi-Use certificate for your ISE node and, once created, export it. Open it with Notepad, copy the CSR and open your AD Certificate Services page. Click on Request a certificate>advanced certificate request, paste the CSR in the Base-64-encoded request field and choose pxGrid as the certificate template before clicking Submit. On the next page, download the certificate as Base-64 encoded.
Go back to Administration>System>Certificates>Certificate Signing Requests, check the box next to the CSR and bind the certificate and specify that the certificate will be at least used for pxGrid.
Navigate to Administration>System>Certificates>System Certificates and make sure your bound certificate is there with the pxGrid usage:
Navigate to Administration>System>Deployment and click on your ISE node:
Ensure that pxGrid is checked:
Navigate to Administration>pxGrid Services>Settings and ensure that automatically approve new accounts is checked:
Navigate to the AD certificate services and ensure that the CA certificate is downloaded if you haven’t already:
In the WSA, navigate to Network>Certificate Management and click on Manage Trusted Root Certificates... to upload the CA certificate you just downloaded.
Browse to the CA certificate you downloaded, upload it and click Submit:
Click Submit again:
Click Commit Changes to apply the changes:
Navigate to Network>Identity Services Engine and click Enable and Edit Settings...
In the first section, add your ISE IP or hostname, click Browse, select the CA certificate and click Upload File:
In the next section, upload the CA certificate again:
In the last section, choose the radio button for Use Generated Certificate and Key and click the button Generate New Certificate and Key:
Fill in the certificate fields and click Generate:
After generating it, click on the Download Certificate Signing Request... link and open the CSR in Notepad:
Very important: Click Submit at the bottom of the page and then Commit Changes in the WSA.
After doing so, navigate back to Network>Identity Services Engine and click on Edit Settings:
Open up your AD Certificate Services and click on Request a certificate:
Click advanced certificate request:
In the CSR you downloaded from the WSA, copy this section only:
Back in the AD Certificate Services, paste it, choose the pxGrid template and click Submit:
Download the new certificate in Base 64 format:
Back in the WSA, upload the certificate:
You should see a success message at the top:
On the bottom of the screen, click Start Test to verify everything is working:
In the WSA, navigate to System Administration>Log Subscriptions and click accesslogs. Under Custom Fields (optional), add %m.
Click Submit and Commit Changes.
In ISE, navigate to Administration>pxGrid Services>Clients to verify the new pxGrid node is showing up:
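Several steps above depend on the certificate files being Base-64 (PEM) encoded and on the signed certificate carrying the pxGrid usage, i.e. both server and client authentication. The following is an added example, not part of the original guide or of any Cisco tooling: a stdlib-only Python check you can run on a downloaded certificate before binding it in ISE or uploading it to the WSA. The two sample "certificates" at the bottom are constructed stand-ins (a DER SEQUENCE holding only an extendedKeyUsage extension), not real X.509 certificates.

```python
import base64
import re

# Added example, not from the original guide. Stdlib-only checks for the Base-64 (PEM)
# files exchanged between WSA, ISE and AD CS; sample "certs" below are constructed stand-ins.
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)
EKU_EXT_OID = bytes.fromhex("0603551d25")            # OID 2.5.29.37 extendedKeyUsage
SERVER_AUTH = bytes.fromhex("06082b06010505070301")  # id-kp-serverAuth (TLS Web Server)
CLIENT_AUTH = bytes.fromhex("06082b06010505070302")  # id-kp-clientAuth (TLS Web Client)

def pem_to_der(text):
    """DER bytes of the first PEM block; ValueError if the file is not Base-64 encoded."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM block: re-download the file as Base-64 encoded, not DER")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)

def _der_len(buf, i):
    """DER length at buf[i] -> (length, offset of first content byte)."""
    n = buf[i] & 0x7F
    return (buf[i], i + 1) if buf[i] < 0x80 else (int.from_bytes(buf[i+1:i+1+n], "big"), i+1+n)

def eku_oids(der):
    """Set of DER-encoded KeyPurposeId OIDs in the extendedKeyUsage extension (empty if none)."""
    i = der.find(EKU_EXT_OID)
    if i < 0:
        return set()
    i += len(EKU_EXT_OID)
    if der[i] == 0x01:                     # optional BOOLEAN 'critical' (01 01 ff)
        i += 3
    _, i = _der_len(der, i + 1)            # OCTET STRING extnValue
    seq_len, i = _der_len(der, i + 1)      # SEQUENCE OF KeyPurposeId
    end, found = i + seq_len, set()
    while i < end:                         # each item: 06 <len> <oid bytes>
        oid_len, start = _der_len(der, i + 1)
        found.add(der[i:start + oid_len])
        i = start + oid_len
    return found

def pxgrid_ready(pem_text):
    """True only if the cert carries BOTH EKUs pxGrid needs: server and client authentication."""
    return {SERVER_AUTH, CLIENT_AUTH} <= eku_oids(pem_to_der(pem_text))

def _constructed_pem(*purposes):  # constructed stand-in: SEQUENCE { EKU ext }, not a real cert
    seq = b"\x30" + bytes([sum(map(len, purposes))]) + b"".join(purposes)
    ext = EKU_EXT_OID + b"\x01\x01\xff\x04" + bytes([len(seq)]) + seq
    body = base64.encodebytes(b"\x30" + bytes([len(ext)]) + ext).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

GOOD_CERT = _constructed_pem(SERVER_AUTH, CLIENT_AUTH)  # what the pxGrid template issues
SERVER_ONLY_CERT = _constructed_pem(SERVER_AUTH)        # plain web-server template: rejected
```

To check a real download, pass the file's text to `pxgrid_ready()`; a DER (.cer binary) download raises ValueError, which is the cue to go back and re-download it Base-64 encoded.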