
How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid


This document is for partners, customers, and Cisco engineers who are deploying Cisco Web Security Appliance (WSA 9.0.0-324 or higher) with Cisco Identity Services Engine (ISE 1.3 or higher) and leveraging Cisco Platform Exchange Grid (pxGrid).

The readers of this document should be familiar with the WSA, TrustSec, ISE and pxGrid.

This document covers the WSA and ISE pxGrid node integration in a Certificate Authority (CA) signed environment. It is assumed that the ISE pxGrid nodes are deployed in a distributed ISE deployment as separate nodes, one being the primary and the other being the secondary.

WSA and ISE pxGrid node integration includes:
  • WSA private key and certificate signing request (CSR) generation using OpenSSL
  • Uploading of ISE pxGrid node and ISE monitoring node (MNT) certificates
  • Uploading the CA root certificate into the WSA trusted store
  • Creation of web access policies and application decryption policies denying Facebook access to end-users assigned an engineering security group tag.
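
The key and CSR step from the list above, followed by the checks worth running on the signed certificate before it is uploaded to the WSA. This is an added example, not taken from the original document: the file names, the `wsa.example.test` common name, the RSA 2048 / SHA-256 choices and the throwaway test root (standing in for the enterprise CA) are all assumptions.

```shell
#!/bin/sh
# Added example. All names are constructed; the test root CA below only
# stands in for the enterprise CA so the checks can run offline.

# Generate the WSA private key and CSR. $1 = work dir, $2 = WSA FQDN.
gen_wsa_csr() {
    ( umask 077 && openssl genrsa -out "$1/wsa.key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$1/wsa.key" -subj "/CN=$2" -out "$1/wsa.csr"
}

# Stand-in for the CA: create a self-signed root and sign the CSR with it.
# In a real deployment the CSR is submitted to the enterprise CA instead.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 1 -in "$1/wsa.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/wsa.pem" 2>/dev/null
}

# Digest of the public key held in a key, CSR or certificate file.
pubkey_fp() {  # $1 = key|csr|cert, $2 = file
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256
}

# Pre-upload checks. Returns 0 when all pass, otherwise:
#   1 = CSR self-signature invalid
#   2 = certificate does not belong to the WSA private key
#   3 = certificate does not chain to the CA root that will be trusted
check_wsa_cert() {  # $1 = work dir
    openssl req -in "$1/wsa.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    [ "$(pubkey_fp key "$1/wsa.key")" = "$(pubkey_fp cert "$1/wsa.pem")" ] || return 2
    openssl verify -CAfile "$1/ca.pem" "$1/wsa.pem" >/dev/null 2>&1 || return 3
}
```

Against a real CA, skip `sign_with_test_ca`, place the returned certificate at `wsa.pem` and the CA root at `ca.pem`, and run `check_wsa_cert` before uploading either file.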

It is assumed that the ISE pxGrid nodes have already been configured in a distributed ISE environment using certificates signed by the same CA that will sign the WSA client certificates. A Security Group Tag (SGT) representing the engineering group will be created and assigned to an authorization policy allowing successfully authenticated users who belong to the Windows /Domain/Users group.

Security Group Tags (SGTs) are a convenient, flexible way to implement corporate security policies, overcoming ACL and VLAN restrictions.

The following use cases are covered:

  • An employee SGT will be assigned to end-users belonging to the Windows /Domain/Users Group and allowed access and denied Facebook access with Netflix bandwidth restrictions
  • A guest SGT will be assigned to ISE internal users belonging to a Guest Identity group and allowed Facebook access and denied access.
  • A contractor SGT will be assigned to ISE internal users belonging to a Contractor Identity group and allowed Facebook access and denied Box access.

    The guest and contractor use cases rely on ISE Central Web Authentication (CWA). The reader should have the appropriate commands on the switch to allow for this operation. These are also listed in the Appendices.

    It is also assumed that the switches support RADIUS Change of Authorization (CoA) and Central Web Authentication (CWA).



I am currently researching this topic. As far as I understand, once you complete the pxGrid communication, you prepare authorization rules like "pxGrid_Users:ExternalGroups: EQUALS Users then Engineering and Permit Access". I found this in a 1.4 document.

I wonder if in ISE 2.1 this has changed and we make this AD / ISE group mapping somewhere else?

It kind of feels strange to write down authorization rules (because for me it's just for AD group - network policy assignment).

Hope I made myself clear.

Kind regards


Cisco Employee

Hi Sadik,

The authorization rules are dependent on the ISE External identity store. You can have LDAP if you want. The idea here is to tag the user with a Security Group Tag like Employee.

Once you have an employee tag, you can use this in a WSA web security policy.




Hi Jeppich,

Sorry for a very, very late reply.

What I meant is, I do not want to re-organize my authorization policies on ISE.

But consider this scenario.

For IT users, I would like to have 3 SGTs but put them into the same VLAN.

Right now I have only one authorization policy, which results in a specified VLAN.
I do not want to change this one rule to 3 rules, each having a different SGT but the same VLAN as the auth result.

Is it achievable, or do you kind of need a matrix according to SGT and VLAN, and of course that many authorization rules?

Kind regards


Cisco Employee

Hello ISE Champions!

For the use case described in this article, please confirm my understanding that only a base session license is required for the integration because ISE is being integrated with another Cisco product (WSA): am I correct?


Thanks much,

David D.

Cisco Employee

Hey David,


You will also require a plus license for each base license you have for pxGrid operation.