katmcnam
Cisco Employee

Before anything else, make sure the WSA has its basic configuration in place (IP address, licensing, etc.).

For ISE, navigate to Administration>System>Certificates>Trusted Certificates and make sure the Root CA certificate is uploaded and that it’s trusted for client authentication and for authentication within ISE:

Blog1.png

Navigate to Administration>System>Certificates>Certificate Signing Requests and click Generate Certificate Signing Requests (CSR). Create a Multi-Use certificate for your ISE node and, once it is created, export it. Open it with Notepad, copy the CSR and open your AD Certificate Services page. Click Request a certificate>advanced certificate request, paste the CSR into the Base-64-encoded request field and choose pxGrid as the certificate template before clicking Submit. On the next page, download the certificate as Base-64 encoded.

Go back to Administration>System>Certificates>Certificate Signing Requests, check the box next to the CSR, bind the certificate and specify that the certificate will be used at least for pxGrid.

Navigate to Administration>System>Certificates>System Certificates and make sure your bound certificate is there with the pxGrid usage:

Blog2.png

Navigate to Administration>System>Deployment and click on your ISE node:

Blog3.png


Ensure that pxGrid is checked:

Blog4.png



Navigate to Administration>pxGrid Services>Settings and ensure that automatically approve new accounts is checked:

Blog5.png



Navigate to the AD certificate services and ensure that the CA certificate is downloaded if you haven’t already:

Blog6.png

Blog7.png




In the WSA, navigate to Network>Certificate Management and click Manage Trusted Root Certificates... to upload the CA certificate you just downloaded.

Blog8.png



Click Import:

Blog9.png



Browse to your downloaded CA certificate, upload it and click Submit:

Blog10.png


Click Submit again:

Blog11.png


Click Commit Changes to apply the changes:

Blog12.png




Navigate to Network>Identity Services Engine and click Enable and Edit Settings...

Blog13.png


In the first section, add your ISE IP or hostname, click Browse, select the CA certificate and click Upload File:

Blog14.png



In the next section, upload the CA certificate again:

Blog15.png



In the last section, choose the radio button for Use Generated Certificate and Key and click the button Generate New Certificate and Key:

Blog16.png



Fill in the certificate fields and click Generate:

Blog17.png


After generating it, click the Download Certificate Signing Requests… link and open the CSR in Notepad:

blog18.png

Blog19.png



Very important: Click Submit at the bottom of the page and then Commit Changes in the WSA.


After doing so, navigate back to Network>Identity Services Engine and click on Edit Settings:

Blog20.png


Open up your AD Certificate Services and click on Request a certificate:

Blog21.png

Click advanced certificate request:

Blog22.png


In the CSR you downloaded from the WSA and opened in Notepad, copy this section only:

Blog23.png



Back in the AD Certificate Services, paste it, choose the pxGrid template and click Submit:

Blog24.png

Download the new certificate in Base 64 format.




Back in the WSA, upload the certificate:

Blog25.png




You should see a success message at the top:

Blog26.png




On the bottom of the screen, click Start Test to verify everything is working:

Blog27.png

In the WSA, navigate to System Administration>Log Subscription and click accesslogs. Under Custom Fields (optional), add %m:

Logs.JPG

Click Submit and Commit Changes.


In ISE, navigate to Administration>pxGrid Services>Clients to verify the new pxGrid node is showing up:
Blog28.png
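
To confirm from the logs that transactions are being identified through ISE once %m is in the accesslogs subscription, the following added example (not part of the original post) tallies the %m value per client. It assumes %m is the only custom field, so it is the last token on each line, and that ISE-identified transactions log SSO_ISE as described in Cisco's access-log format documentation; the sample lines are constructed and shortened.

```python
from collections import Counter, defaultdict

# Assumption: value %m logs when the identity came from ISE (per Cisco's access-log docs).
ISE_MECHANISM = "SSO_ISE"

# Constructed, shortened sample lines (not from a real appliance); %m is the last field.
SAMPLE_LOG = '''\
# constructed sample, lines below mimic the WSA accesslogs layout
1700000000.101 45 10.1.1.20 TCP_MISS/200 5120 GET http://example.com/ "alice@example.local" DIRECT/example.com text/html DEFAULT_CASE_12-Policy <IW_comp,6.9,"-","Unknown app"> - SSO_ISE
1700000003.870 12 10.1.1.20 TCP_MISS/200 812 GET http://example.com/a.css "alice@example.local" DIRECT/example.com text/css DEFAULT_CASE_12-Policy <IW_comp,6.9,"-","-"> - SSO_ISE
1700000010.455 88 10.1.1.21 TCP_MISS/200 9911 GET http://example.org/ "bob@example.local" DIRECT/example.org text/html DEFAULT_CASE_12-Policy <IW_ref,5.1,"-","-"> - BASIC
1700000015.002 31 10.1.1.22 TCP_MISS/200 2040 GET http://example.net/ "carol@example.local" DIRECT/example.net text/html DEFAULT_CASE_12-Policy <IW_ref,5.1,"-","-"> - NTLMSSP
'''


def parse_line(line):
    """Return (client_ip, user, mechanism), or None if the line is not an access-log entry."""
    fields = line.split()
    # Entries start with an epoch timestamp; the user is the 8th field, %m the last one.
    if len(fields) < 9 or not fields[0].replace(".", "", 1).isdigit():
        return None
    return fields[2], fields[7].strip('"'), fields[-1]


def summarize(log_text):
    """Count transactions per mechanism and list clients never identified via ISE."""
    mechanisms = Counter()
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip comments, blank lines and truncated entries
        client, _user, mechanism = parsed
        mechanisms[mechanism] += 1
        per_client[client].add(mechanism)
    not_ise = sorted(c for c, seen in per_client.items() if ISE_MECHANISM not in seen)
    return mechanisms, not_ise


if __name__ == "__main__":
    counts, not_ise = summarize(SAMPLE_LOG)
    for mechanism, count in counts.most_common():
        print(f"{mechanism:10} {count}")
    print("Clients with no ISE-identified transaction:", ", ".join(not_ise) or "none")
```

Clients listed at the end are the ones to check against the ISE session directory, since the WSA fell back to another mechanism for them.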





