ISE 2.1 and WSA via pxGrid and CA-Signed Certificates

Cisco Employee

Before anything else, make sure the WSA has its basic configuration in place (IP address, licensing, etc.).

For ISE, navigate to Administration>System>Certificates>Trusted Certificates and make sure the Root CA certificate is uploaded and that it is trusted both for client authentication and for authentication within ISE:

Blog1.png

Navigate to Administration>System>Certificates>Certificate Signing Requests and click Generate Certificate Signing Requests (CSR). Create a Multi-Use certificate for your ISE node and, once created, export it. Open it with Notepad, copy the CSR and open your AD Certificate Services page. Click Request a certificate>advanced certificate request, paste the CSR into the Base-64-encoded request field, choose pxGrid as the certificate template and click Submit. On the next page, download the certificate as Base-64 encoded. The pxGrid template used here is a custom template on the CA; it must issue certificates that carry both the Server Authentication and Client Authentication extended key usages, because a pxGrid node presents its certificate as a TLS server to clients such as the WSA and as a TLS client to its peers. The stock Web Server template (Server Authentication only) will not work.

Go back to Administration>System>Certificates>Certificate Signing Requests, check the box next to the CSR, click Bind Certificate and select at least the pxGrid usage for the certificate.

Navigate to Administration>System>Certificates>System Certificates and make sure your bound certificate is there with the pxGrid usage:

Blog2.png

Navigate to Administration>System>Deployment and click on your ISE node:

Blog3.png


Ensure that pxGrid is checked:

Blog4.png



Navigate to Administration>pxGrid Services>Settings and ensure that Automatically approve new accounts is checked. This lets the WSA register without manual approval; once it appears under Clients you can uncheck the option again, so that any other client presenting a certificate from the same CA still needs an administrator's approval before it can subscribe to session data:

Blog5.png



Navigate to the AD Certificate Services page and download the CA certificate if you haven't already:

Blog6.png

Blog7.png




In the WSA, navigate to Network>Certificate Management and click on Manage Trusted Root Certificates.. to upload the CA certificate you just downloaded.

Blog8.png



Click Import:

Blog9.png



Browse to the CA certificate you downloaded, upload it and click Submit:

Blog10.png


Click Submit again:

Blog11.png


Click Commit Changes to apply the changes:

Blog12.png




Navigate to Network>Identity Services Engine and click Enable and Edit Settings..

Blog13.png


In the first section, enter the ISE IP address or hostname (use the name the ISE pxGrid certificate was issued for), click Browse, select the CA certificate and click Upload File:

Blog14.png



In the next section, upload the CA certificate again:

Blog15.png



In the last section, choose the radio button for Use Generated Certificate and Key and click the button Generate New Certificate and Key:

Blog16.png



Fill in the certificate fields and click Generate:

Blog17.png


After Generating it, click on the Download Certificate Signing Requests… link and open the CSR in Notepad:

blog18.png

Blog19.png



Very important: click Submit at the bottom of the page and then Commit Changes in the WSA, so that the generated key pair is saved. A certificate issued for this CSR is useless without the private key that goes with it.


After doing so, navigate back to Network>Identity Services Engine and click on Edit Settings:

Blog20.png


Open up your AD Certificate Services and click on Request a certificate:

Blog21.png

Click advanced certificate request:

Blog22.png


In the CSR you downloaded from the WSA, copy only the Base-64 CSR block shown here:

Blog23.png



Back in the AD Certificate Services, paste it, choose the pxGrid template and click Submit:

Blog24.png

Download the new certificate in Base-64 format.




Back in the WSA, upload the certificate:

Blog25.png




You should see a success message at the top:

Blog26.png




On the bottom of the screen, click Start Test to verify everything is working:

Blog27.png

In the WSA, navigate to System Administration>Log Subscriptions and click accesslogs. Under Custom Fields (optional), add %m, which logs the authentication mechanism used for each request so you can confirm that users are being identified via ISE rather than by another method:

Logs.JPG

Click Submit and Commit Changes


In ISE, navigate to Administration>pxGrid Services>Clients to verify the new pxGrid node is showing up:
Blog28.png
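The whole procedure above hinges on one property of the certificates that the screenshots cannot show: each one must chain to the root CA that ISE and the WSA trust, and it must carry both the Server Authentication and Client Authentication extended key usages that the pxGrid template provides. The following script is an added example, not part of the original post or of any Cisco tool: it rebuilds the workflow offline with openssl (a throwaway root CA standing in for the AD CS root, a CSR generated the way ISE or the WSA generates one, and the request signed once with the pxGrid template's EKUs and once with a Web Server style template), then runs the check you would apply to a signed certificate before uploading it. The hostnames wsa.lab.local and ise.lab.local, the file names and the temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: simulate the CA-signed pxGrid
# certificate workflow with openssl and check a certificate before uploading
# it to ISE or the WSA. All names and files below are demo assumptions.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway root CA standing in for the AD Certificate Services root. An
# explicit config keeps the CA extensions identical across openssl versions.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = lab-root-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# A CSR as ISE or the WSA hands it to you: the private key stays on the
# node, only the request travels to the CA web enrollment page.
gen_csr() {  # $1 = file prefix, $2 = node FQDN
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" \
    > "$1.cnf"
  openssl req -new -config "$1.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Issue a certificate for a CSR with a given EKU list, the way a CA template
# does. "serverAuth,clientAuth" is what the pxGrid template must set;
# "serverAuth" alone is what the stock Web Server template sets.
sign_csr() {  # $1 = file prefix, $2 = node FQDN, $3 = EKU list
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$3" "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

# The pre-upload check: the certificate must verify against the CA that ISE
# and the WSA trust, and must carry both TLS EKUs. Returns 0 only if both hold.
check_pxgrid_cert() {  # $1 = certificate file, $2 = CA file
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  eku=$(openssl x509 -in "$1" -noout -text \
        | awk '/Extended Key Usage/ { getline; print; exit }')
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
  return 0
}

gen_csr wsa wsa.lab.local
sign_csr wsa wsa.lab.local serverAuth,clientAuth   # pxGrid template
gen_csr web wsa.lab.local
sign_csr web wsa.lab.local serverAuth              # Web Server template

check_pxgrid_cert wsa.pem ca.pem && echo "wsa.pem: OK for pxGrid"
check_pxgrid_cert web.pem ca.pem || echo "web.pem: rejected, no clientAuth EKU"

# Against a real ISE 2.1 node the same trust check can be made live on the
# pxGrid XMPP port (not run here):
#   openssl s_client -connect ise.lab.local:5222 -starttls xmpp -CAfile ca.pem
```

Run the same check_pxgrid_cert on the Base-64 file you download from AD Certificate Services, with the CA certificate you uploaded to the WSA as the second argument; if it fails on the EKU lines, the request was issued from the wrong template and Start Test on the WSA will fail as well.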






5 Comments
Cisco Employee

Could this be any more detailed?  I don't think so.  Thanks Katherine!

Beginner

Hi,

I am currently researching this topic. As far as I understand, once you complete the pxGrid communication, you prepare authorization rules like "pxGrid_Users:ExternalGroups: EQUALS lab6.com/Users/Domain Users then Engineering and Permit Access". I found this in a 1.4 document.

I wonder if this has changed in ISE 2.1 and we make this AD / ISE group mapping somewhere else?

It kind of feels strange to write down authorization rules (because for me it's just an AD group to network policy assignment).

Hope I made myself clear.

Kind regards

Sadik

Hello Katherine,

Great article!

Regards,

William Neumann

Beginner

Hi All,

I just need to know if it is possible to do this with a Base license and only one Plus license (to enable the pxGrid node), or do I need to buy Base and Plus licenses 1:1?

The Cisco ISE documentation demonstrates integration with Stealthwatch, FMC, InfoBlox, Blue Coat, etc., but has no information about WSA, and the little information that exists about it is very confusing.

What license do I need to integrate ISE 2.2 (or 2.3) with WSA?

Regards,

Marcelo Kiraly

Cisco Employee

See table 8

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf