pxGrid Integration with Cisco StealthWatch using Microsoft CA
Objective
This blog helps readers integrate Cisco StealthWatch (7.X) with a Cisco ISE appliance over pxGrid.
What is pxGrid?
Cisco pxGrid provides a unified framework that lets ecosystem partners integrate with pxGrid once and then share context bidirectionally with many platforms, without adopting platform-specific APIs. Using pxGrid, we can integrate Cisco ISE with Cisco StealthWatch so that information captured by StealthWatch is enriched with information captured by ISE over the network.
Topology
![Screenshot 2022-01-02 at 20.49.08.png Screenshot 2022-01-02 at 20.49.08.png](https://community.cisco.com/t5/image/serverpage/image-id/140429i406C4D4C854A8BFA/image-size/large?v=v2&px=999)
Step 1: Setup CA Server
- Set up the Group Policy for Auto-Enrollment for both Computer Configuration and User Configuration
![Screenshot 2022-01-02 at 20.33.04.png Screenshot 2022-01-02 at 20.33.04.png](https://community.cisco.com/t5/image/serverpage/image-id/140422i9045C9640CA85CF8/image-size/medium?v=v2&px=400)
- Open the Windows CA Server
- Right-click the User template and duplicate it->Select Windows 2003 Enterprise->OK
- Enter a name for the certificate template, uncheck “Publish certificate in Active Directory”, and set the validity period and renewal period.
![Screenshot 2022-01-02 at 20.35.12.png Screenshot 2022-01-02 at 20.35.12.png](https://community.cisco.com/t5/image/serverpage/image-id/140423iCD226932DE649021/image-size/medium?v=v2&px=400)
- Click Extensions->Add->Server Authentication->OK->Apply
![Screenshot 2022-01-02 at 20.36.25.png Screenshot 2022-01-02 at 20.36.25.png](https://community.cisco.com/t5/image/serverpage/image-id/140424i7AABF2EBA710614B/image-size/medium?v=v2&px=400)
- Click Subject Name and enable “Supply in the request”
![Screenshot 2022-01-02 at 20.36.50.png Screenshot 2022-01-02 at 20.36.50.png](https://community.cisco.com/t5/image/serverpage/image-id/140425i6A7C5B4465318F23/image-size/medium?v=v2&px=400)
- Click Extensions->Issuance Policies->Edit->All Issuance Policies
![Screenshot 2022-01-02 at 20.37.35.png Screenshot 2022-01-02 at 20.37.35.png](https://community.cisco.com/t5/image/serverpage/image-id/140426i2692A6E7C7D16808/image-size/medium?v=v2&px=400)
![Screenshot 2022-01-02 at 20.40.54.png Screenshot 2022-01-02 at 20.40.54.png](https://community.cisco.com/t5/image/serverpage/image-id/140427iCC0016C2AFF348BD/image-size/medium?v=v2&px=400)
- Download the CA root certificate in Base 64 format. This certificate must later be installed into both ISE and StealthWatch.
![Screenshot 2022-01-02 at 20.41.49.png Screenshot 2022-01-02 at 20.41.49.png](https://community.cisco.com/t5/image/serverpage/image-id/140428i5815F65C1750AD8D/image-size/medium?v=v2&px=400)
- Install Root Certificate into ISE: Trusted Certificates
![Screenshot 2022-01-02 at 20.52.09.png Screenshot 2022-01-02 at 20.52.09.png](https://community.cisco.com/t5/image/serverpage/image-id/140430iE417BBD6E27C1A59/image-size/medium?v=v2&px=400)
- Install the root certificate into StealthWatch:
Landing page > Central Management > SMC > Action > Edit Appliance Configuration > General > Trust Store
![Screenshot 2022-01-02 at 20.53.25.png Screenshot 2022-01-02 at 20.53.25.png](https://community.cisco.com/t5/image/serverpage/image-id/140431iDBFBC97F6AC653EF/image-dimensions/542x205?v=v2)
![Screenshot 2022-01-02 at 20.54.04.png Screenshot 2022-01-02 at 20.54.04.png](https://community.cisco.com/t5/image/serverpage/image-id/140432i72B3A9E3D5FD0410/image-dimensions/568x152?v=v2)
Step 2: Setup Cisco ISE
![Screenshot 2022-01-02 at 21.08.08.png Screenshot 2022-01-02 at 21.08.08.png](https://community.cisco.com/t5/image/serverpage/image-id/140445iD7DC256017175F71/image-dimensions/506x424?v=v2)
- Make sure that the ISE node will automatically approve new accounts by navigating to Administration > pxGrid Services > Settings
Note: Enabling "Allow Password based account creation" is not required.
![Screenshot 2022-01-02 at 21.09.03.png Screenshot 2022-01-02 at 21.09.03.png](https://community.cisco.com/t5/image/serverpage/image-id/140446i75844E2625FE44C8/image-dimensions/574x223?v=v2)
- Request a certificate for pxGrid and generate the CSR.
![Screenshot 2022-01-02 at 21.11.08.png Screenshot 2022-01-02 at 21.11.08.png](https://community.cisco.com/t5/image/serverpage/image-id/140447i3DAAF60C1CE2752E/image-dimensions/570x443?v=v2)
- Bind the downloaded certificate
![Screenshot 2022-01-02 at 21.12.05.png Screenshot 2022-01-02 at 21.12.05.png](https://community.cisco.com/t5/image/serverpage/image-id/140448iF6F3E7BD3CD4685E/image-dimensions/588x200?v=v2)
![Screenshot 2022-01-02 at 21.12.48.png Screenshot 2022-01-02 at 21.12.48.png](https://community.cisco.com/t5/image/serverpage/image-id/140449i0EDB134B846025AE/image-dimensions/579x286?v=v2)
- Verify the certificates are installed.
![Screenshot 2022-01-02 at 21.13.42.png Screenshot 2022-01-02 at 21.13.42.png](https://community.cisco.com/t5/image/serverpage/image-id/140450iA83DC88C65DD9958/image-dimensions/583x204?v=v2)
Step 3: Setup StealthWatch
- Request the certificate used to authenticate Stealthwatch SMC and ISE.
![Screenshot 2022-01-02 at 20.55.50.png Screenshot 2022-01-02 at 20.55.50.png](https://community.cisco.com/t5/image/serverpage/image-id/140433i9F672DD4B240B43C/image-dimensions/681x352?v=v2)
- Make sure that the ISE node will automatically approve new accounts by navigating to Administration>pxGrid Services>Settings
![Screenshot 2022-01-02 at 20.56.20.png Screenshot 2022-01-02 at 20.56.20.png](https://community.cisco.com/t5/image/serverpage/image-id/140434iA99F9C65F5747698/image-dimensions/484x218?v=v2)
- Download the CSR and get a new certificate from the CA.
![Screenshot 2022-01-02 at 20.57.00.png Screenshot 2022-01-02 at 20.57.00.png](https://community.cisco.com/t5/image/serverpage/image-id/140435iC7F944C66CEDE79E/image-dimensions/621x306?v=v2)
- Download the Base 64 encoded certificate
![Screenshot 2022-01-02 at 20.59.03.png Screenshot 2022-01-02 at 20.59.03.png](https://community.cisco.com/t5/image/serverpage/image-id/140436i979206E12C342DC1/image-dimensions/491x226?v=v2)
- Upload the certificate & apply changes.
![Screenshot 2022-01-02 at 20.59.40.png Screenshot 2022-01-02 at 20.59.40.png](https://community.cisco.com/t5/image/serverpage/image-id/140437iDB19D838A97F5B4E/image-dimensions/574x273?v=v2)
- Configure ISE integration
![Screenshot 2022-01-02 at 21.02.15.png Screenshot 2022-01-02 at 21.02.15.png](https://community.cisco.com/t5/image/serverpage/image-id/140438i2F47E09396AF8A40/image-dimensions/626x466?v=v2)
![Screenshot 2022-01-02 at 21.02.53.png Screenshot 2022-01-02 at 21.02.53.png](https://community.cisco.com/t5/image/serverpage/image-id/140439iF3490E4203B90F08/image-dimensions/650x380?v=v2)
![Screenshot 2022-01-02 at 21.02.53.png Screenshot 2022-01-02 at 21.02.53.png](https://community.cisco.com/t5/image/serverpage/image-id/140441i2092FD90D19FB2D3/image-dimensions/472x276?v=v2)
Verification on ISE
![Screenshot 2022-01-02 at 21.04.14.png Screenshot 2022-01-02 at 21.04.14.png](https://community.cisco.com/t5/image/serverpage/image-id/140444iCD1D70895BBD2E07/image-dimensions/595x488?v=v2)
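A pre-upload check for the certificates issued in Steps 2 and 3: it confirms that a certificate chains to the CA root downloaded in Step 1 and carries both the Client Authentication usage inherited from the User template and the Server Authentication usage added to the duplicated template. This is an added example, not part of the original post; it uses the standard openssl CLI, and the function names, file names and throwaway demo CA are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Names and the demo CA are constructed.

# Return 0 only if <cert> chains to <root> and has Client + Server Authentication EKUs.
check_pxgrid_cert() {   # usage: check_pxgrid_cert <ca-root.pem> <issued-cert.pem>
    root=$1; cert=$2
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $root" >&2; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    for eku in "TLS Web Client Authentication" "TLS Web Server Authentication"; do
        case $text in
            *"$eku"*) ;;
            *) echo "FAIL: $cert lacks EKU: $eku" >&2; return 2 ;;
        esac
    done
    echo "OK: $cert chains to $root with client and server authentication"
}

# Constructed sample data: a throwaway root CA and two leaf certificates in dir $1.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for name in both serveronly; do
        usage="serverAuth"
        [ "$name" = both ] && usage="clientAuth,serverAuth"
        printf 'extendedKeyUsage=%s\n' "$usage" > "$d/$name.ext"
        openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$name.example.test" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -extfile "$d/$name.ext" -out "$d/$name.pem" 2>/dev/null
    done
}

# Demo run on the constructed certificates: the first passes, the second is rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp"
    check_pxgrid_cert "$tmp/ca.pem" "$tmp/both.pem"
    check_pxgrid_cert "$tmp/ca.pem" "$tmp/serveronly.pem" || echo "rejected as expected"
    rm -rf "$tmp"
}
demo
```

Point `check_pxgrid_cert` at the Base 64 root from Step 1 and at each certificate returned by the CA before binding it in ISE or uploading it to StealthWatch.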