This document is for partners, customers, Cisco engineers who are deploying Cisco Web Security Appliance (WSA 9.0.0-324 or higher) with Cisco Identity Service Engine (ISE 1.3 or higher) and leveraging Cisco Platform Exchange Grid (pxGrid).
The readers of this document should be familiar with the WSA, TrustSec, ISE and pxGrid.
This document covers the WSA and ISE pxGrid node integration in a Certificate Authority (CA) signed environment. It is assumed that the ISE pxGrid nodes are deployed in a distributed ISE deployment as separate nodes, one being the primary and the other being the secondary.
WSA and ISE pxGrid node integration includes:
WSA private key and certificate signing request (CSR) generation using openSSL
Uploading of ISE pxGrid node and ISE monitoring node (MNT) certificates
Uploading CA root certificate into WSA trusted store
Creation of web access policies and application decryption policies denying end-users assigned an engineering security group tag from Facebook access.
It is assumed that ISE pxGrid nodes have already been configured in a distributed ISE environment using signed certificates from the same CA authority that will sign the WSA client certificates.A Security Group Tag (SGT) representing he engineering group will be created and assigned to an authorization policy allowing successfully authenticated users who belong to the Windows /Domain/Users group.
Security group tags provide an easier way to implement corporate security policies. SGT's are a convenient, flexible way to implement corporate security policies overcoming ACL and VLAN restrictions.
The following use cases are covered:
An employee SGT will be assigned to end-users belonging to the Windows /Domain/Users Group and allowed Box.com access and denied Facebook access with Netflix bandwidth restrictions
A guest SGT will be assigned to ISE internal users belonging to a Guest Identity group and allowed Facebook access and denied Box.com access.
A contractor SGT will be assigned to ISE internal users belonging to a Contractor Identity group and allowed Facebook access and denied Box access.
These guest and contractor use case will rely on ISE Central Web Authentication (CWA). The reader should have the appropriate commands on the switch to allow for this operation. These are also listed in the Appendices.
It is also assumed that the switches support RADIUS Change of Authorization (CoA) and Central Web Authentication (CWA)
I have a firepower 1010 I am trying to configure for a customer. It is going in place of a router that is there now. internal ip for example on firepower is 192.168.1.10 and this is the default gateway for all computers then we have another ro...
due to a recent security vulnerability found, we are pushing our ISE deployment v2.4 to v2.6 patch 2 I was hoping to get some input on others experiences on this upgrade process. Im hoping there are some others out there with similar deployment types...
would like feedback for support of catalyst 9200-L with a stable ISE 2.0 deployment at a customer. I can see it under 2.4 but customer wants to confirm that it will be supported with 2.0.
Hello Folks, This is regarding anyconnect VPN issue.One of the user has reported like when he works from home ,VPN is frequently disconnecting (twice in 30 minutes). Now I've few questions: In order to troubleshoot I tried to download the D...
It happens couple times that after I forgot to stop a real-time packet capture, I could not enter into Lina CLI. Going to expert mode is OK. I am thinking if there is a way to kill the process under expert mode. I am pretty sure that the capture is causin...