This document is for partners, customers, Cisco engineers who are deploying Cisco Web Security Appliance (WSA 9.0.0-324 or higher) with Cisco Identity Service Engine (ISE 1.3 or higher) and leveraging Cisco Platform Exchange Grid (pxGrid).
The readers of this document should be familiar with the WSA, TrustSec, ISE and pxGrid.
This document covers the WSA and ISE pxGrid node integration in a Certificate Authority (CA) signed environment. It is assumed that the ISE pxGrid nodes are deployed in a distributed ISE deployment as separate nodes, one being the primary and the other being the secondary.
WSA and ISE pxGrid node integration includes:
WSA private key and certificate signing request (CSR) generation using openSSL
Uploading of ISE pxGrid node and ISE monitoring node (MNT) certificates
Uploading CA root certificate into WSA trusted store
Creation of web access policies and application decryption policies denying end-users assigned an engineering security group tag from Facebook access.
It is assumed that ISE pxGrid nodes have already been configured in a distributed ISE environment using signed certificates from the same CA authority that will sign the WSA client certificates.A Security Group Tag (SGT) representing he engineering group will be created and assigned to an authorization policy allowing successfully authenticated users who belong to the Windows /Domain/Users group.
Security group tags provide an easier way to implement corporate security policies. SGT's are a convenient, flexible way to implement corporate security policies overcoming ACL and VLAN restrictions.
The following use cases are covered:
An employee SGT will be assigned to end-users belonging to the Windows /Domain/Users Group and allowed Box.com access and denied Facebook access with Netflix bandwidth restrictions
A guest SGT will be assigned to ISE internal users belonging to a Guest Identity group and allowed Facebook access and denied Box.com access.
A contractor SGT will be assigned to ISE internal users belonging to a Contractor Identity group and allowed Facebook access and denied Box access.
These guest and contractor use case will rely on ISE Central Web Authentication (CWA). The reader should have the appropriate commands on the switch to allow for this operation. These are also listed in the Appendices.
It is also assumed that the switches support RADIUS Change of Authorization (CoA) and Central Web Authentication (CWA)
HelloI currently am trying to host a local ip 10.x.x.x but intend to point it to a public IP 41.x.x.x. The Global DNS has been done I have attempted to do this via natting the network object which didn't workAlso I tried natting on the interfaces but...
Hi, I already implemented with success the Pxgrid using ISE anda FMC, and Self-registration on ISE and WLC, all is working.But on the FMC events , the "intiator user" dont show the guest user createad on ISE, is it possible to show the guest user?&nb...
Hi all, On an ASA 5505, is there a way to limit the bandwidth per user unless there is little activity, which would then allow the user more bandwidth. For instance, if I have a 100mb internet link, and give all connections a guaranteed 10mb, co...