Feb 2021 - please note this is on older pxGrid 1.0 technology. Vendors should be moving to pxGrid 2.0 and ISE 2.7 as latest recommended release.
pxGrid 1.0 will be going away and is only in maintenance mode as of ISE 3.0
This document should be archived eventually as no longer recommended
This document is for Cisco Engineers, McAfee Engineers, partners and customers deploying McAfee Data Exchange Layer (DXL) Broker 4.0., McAfee ePolicy Orchestrator (ePO 5.9) with Cisco Platform Exchange Grid (pxGrid) using Cisco Identity Services Engine (ISE 2.3).
This document illustrates the steps required to configure the use cases below. This document also includes the following use cases:
n An Eicar Virus is detected on the endpoint, McAfee ePO generates an automated response where the McAfee DXL broker triggers an ISE pxGrid Adaptive Network Control (ANC) mitigation action, quarantining the endpoint in ISE.
This is a basic use case and illustrates the integration between McAfee DXL broker and Cisco ISE pxGrid node.
n The McAfee DXL broker python client receives ISE ANC “quarantined policy” notifications through Cisco pxGrid and McAfee ePO assigns a policy tag of “quarantined” to the endpoint when a violation in the ISE ANC policy occurs. Once this endpoint has been tagged by McAfee ePO, McAfee ePO can take manual action as defied by the McAfee ePO admin.
This use case is more advanced and is optional.
n The endpoint does not have the McAfee agent installed, ISE posture will detect this, and deem the endpoint non-compliant. A remediation link will be provided to the end-user via ePO to download and install the application. Once ISE detects that the McAfee ePO is installed, the endpoint is now compliant and granted full network access.
This use case is more advanced and is optional
n An employee-owned laptop goes through the organization’s on-boarding process to satisfy the organization’s BYOD initiative. The EPO admin can then install on the endpoint centrally or manually by the by the end- user.
Hello,I found in cisco documentation that BFD is not available on OSPF, only BGP.So I use BGP protocol on my fw FTD 2130.I use FDM to configure this FTD fw. In the BGP part, I activated this line:"neighbor 126.96.36.199 fall-over bfd single-hop" When I run...
Dear All, I have a simple setup with two routers (acting as server and client), where I am trying to test flexvpn using certificates. I am getting below error IKEv2:% Received cert hash is invalid, using configured trustpoints from pr...
Hello, I have two WSA latest version and a SMA. I am trying to publish config to the appliances but it fails with errorFailure: The Anti-Malware settings must match to successfully publish. Thanks and regards, Konstantinos
Hi, Just wondered if anyone in the community has come across an issue with split-tunnelling where Anyconnect continues to tunnel traffic to an excluded destination? To be clear, the Anyconnect client clearly shows a particular /14 supernet in th...