This document is for partners, customers and Cisco engineers who are deploying Cisco Web Security Appliance (WSA 9.0.0-324 or higher) with Cisco Identity Services Engine (ISE 1.3 or higher) and leveraging Cisco Platform Exchange Grid (pxGrid).
The readers of this document should be familiar with the WSA, TrustSec, ISE and pxGrid.
This document covers the WSA and ISE pxGrid node integration in a Certificate Authority (CA) signed environment. It is assumed that the ISE pxGrid nodes are deployed in a distributed ISE deployment as separate nodes, one being the primary and the other being the secondary.
WSA and ISE pxGrid node integration includes:
WSA private key and certificate signing request (CSR) generation using openSSL
Uploading of ISE pxGrid node and ISE monitoring node (MNT) certificates
Uploading CA root certificate into WSA trusted store
Creation of web access policies and application decryption policies denying Facebook access to end-users assigned the engineering security group tag (SGT).
It is assumed that the ISE pxGrid nodes have already been configured in a distributed ISE environment using certificates signed by the same CA that will sign the WSA client certificate. An SGT representing the engineering group will be created and assigned to an authorization policy that matches successfully authenticated users belonging to the Windows /Domain/Users group.
Security group tags are a convenient, flexible way to implement corporate security policy without the constraints of ACL- and VLAN-based segmentation: policy follows the tag assigned at authentication rather than the IP address or VLAN the user happens to land on.
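The WSA side of the certificate step, as an added example that is not part of the original document: a POSIX shell script that generates the WSA private key and CSR with openssl, then performs the two checks worth doing before uploading anything to the appliance. The hostname, subject fields and output directory are assumptions, and the throwaway "Demo Root CA" only stands in for the enterprise CA so the script runs offline; in a real deployment the CSR is submitted to the same CA that signed the ISE pxGrid node certificates, and the checks are run against that CA's root.

```shell
#!/bin/sh
# Added example (not from the original document): generate the WSA client
# private key and CSR with openssl, sign it, and check the result before
# uploading it. Hostname, subject fields and the demo CA are assumptions.
set -eu

WSA_HOST="${WSA_HOST:-wsa.example.com}"   # assumed WSA hostname, used as CN
OUT_DIR="${OUT_DIR:-./wsa-pxgrid}"         # assumed output directory

# 1. Private key (unencrypted so the WSA can load it; restrict the file mode)
#    and a CSR whose CN is the WSA hostname ISE will see.
gen_wsa_csr() {
    mkdir -p "$OUT_DIR"
    openssl genrsa -out "$OUT_DIR/wsa.key" 2048 2>/dev/null
    chmod 600 "$OUT_DIR/wsa.key"
    openssl req -new -key "$OUT_DIR/wsa.key" -out "$OUT_DIR/wsa.csr" \
        -subj "/C=US/O=Example Corp/OU=Web Security/CN=$WSA_HOST"
}

# Print the CN from the CSR; handles both "/CN=x" and "CN = x" output styles.
csr_cn() {
    openssl req -in "$OUT_DIR/wsa.csr" -noout -subject | sed 's/.*CN *= *//'
}

# 2. Stand-in for the enterprise CA (demo assumption only): a throwaway root
#    that signs the CSR. Replace this with your CA's real signing step.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$OUT_DIR/ca.key" -out "$OUT_DIR/ca.crt" \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$OUT_DIR/wsa.csr" -days 1 \
        -CA "$OUT_DIR/ca.crt" -CAkey "$OUT_DIR/ca.key" -CAcreateserial \
        -out "$OUT_DIR/wsa.crt" 2>/dev/null
}

# 3a. The signed certificate must chain to the root you will upload to the
#     WSA trusted store; otherwise the pxGrid TLS session will not validate.
cert_chains_to_ca() {
    openssl verify -CAfile "$OUT_DIR/ca.crt" "$OUT_DIR/wsa.crt" >/dev/null 2>&1
}

# 3b. The returned certificate must match the private key generated in step 1
#     (compare RSA moduli); a CA that re-keyed the request would fail here.
cert_matches_key() {
    k=$(openssl rsa -in "$OUT_DIR/wsa.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$OUT_DIR/wsa.crt" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: ./wsa_csr.sh run
if [ "${1:-}" = "run" ]; then
    gen_wsa_csr
    sign_with_test_ca
    cert_chains_to_ca && cert_matches_key && echo "WSA cert OK: CN=$(csr_cn)"
fi
```

Upload wsa.key and wsa.crt to the WSA only after both checks pass, and upload the real CA root (the counterpart of ca.crt here) to the WSA trusted store so the ISE pxGrid and MNT node certificates, signed by that same CA, validate as well.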
The following use cases are covered:
An employee SGT will be assigned to end-users belonging to the Windows /Domain/Users group; they are allowed Box.com access, denied Facebook access, and bandwidth-limited for Netflix.
A guest SGT will be assigned to ISE internal users belonging to a Guest identity group; they are allowed Facebook access and denied Box.com access.
A contractor SGT will be assigned to ISE internal users belonging to a Contractor identity group; they are allowed Facebook access and denied Box.com access.
The guest and contractor use cases rely on ISE Central Web Authentication (CWA). The reader should have the appropriate commands configured on the switch to allow this; they are also listed in the Appendices.
It is also assumed that the switches support RADIUS Change of Authorization (CoA) and Central Web Authentication (CWA).