This document is for partners, customers, Cisco engineers who are deploying Cisco Web Security Appliance (WSA 9.0.0-324 or higher) with Cisco Identity Service Engine (ISE 1.3 or higher) and leveraging Cisco Platform Exchange Grid (pxGrid).
The readers of this document should be familiar with the WSA, TrustSec, ISE and pxGrid.
This document covers the WSA and ISE pxGrid node integration in a Certificate Authority (CA) signed environment. It is assumed that the ISE pxGrid nodes are deployed in a distributed ISE deployment as separate nodes, one being the primary and the other being the secondary.
WSA and ISE pxGrid node integration includes:
WSA private key and certificate signing request (CSR) generation using openSSL
Uploading of ISE pxGrid node and ISE monitoring node (MNT) certificates
Uploading CA root certificate into WSA trusted store
Creation of web access policies and application decryption policies denying end-users assigned an engineering security group tag from Facebook access.
It is assumed that ISE pxGrid nodes have already been configured in a distributed ISE environment using signed certificates from the same CA authority that will sign the WSA client certificates.A Security Group Tag (SGT) representing he engineering group will be created and assigned to an authorization policy allowing successfully authenticated users who belong to the Windows /Domain/Users group.
Security group tags provide an easier way to implement corporate security policies. SGT's are a convenient, flexible way to implement corporate security policies overcoming ACL and VLAN restrictions.
The following use cases are covered:
An employee SGT will be assigned to end-users belonging to the Windows /Domain/Users Group and allowed Box.com access and denied Facebook access with Netflix bandwidth restrictions
A guest SGT will be assigned to ISE internal users belonging to a Guest Identity group and allowed Facebook access and denied Box.com access.
A contractor SGT will be assigned to ISE internal users belonging to a Contractor Identity group and allowed Facebook access and denied Box access.
These guest and contractor use case will rely on ISE Central Web Authentication (CWA). The reader should have the appropriate commands on the switch to allow for this operation. These are also listed in the Appendices.
It is also assumed that the switches support RADIUS Change of Authorization (CoA) and Central Web Authentication (CWA)
i have been asked to list a switch under radius control , some switches are already added under it but im supposed to add any switches that arent , can i simply add the same command to other switches? also the key is made of numbers do i just paste the ke...
In order to use Citrix, I followed the instruction in the URL: https://answers.uillinois.edu/illinois.engineering/page.php?id=81722. I selected '3_Tunnel All' when connecting the VPN. However, the connection failed, and I can no longer acce...
I recently purchased a Cisco ASA-SSM-AIP-20-K9 AIP Security Advanced Services Module from eBay and installed it into my Cisco ASA5540 firewall. It is shown properly, using the "show inv" command. I just need help in figuring out how to install...
Hi,We have a schedule ASA (HA) 5585-X up-gradation scheduled for next week end. Current ASA version is 9.1(6)10, & we are planing to upgrade to 9.8(4) 10 version.Please let me know, if i can directly upgrade to 9.8(4)10 version from current 9.1(6)10, ...