This document is for Cisco engineers and customers who are interested in deploying the Cisco Identity Services Engine (ISE) 2.1 Internal Certificate Authority (CA) for Cisco Platform Exchange Grid (pxGrid) clients. This serves as a replacement for using an external CA server such as Microsoft and a customized pxGrid template for deploying to pxGrid ecosystem partners and Cisco Security Solutions.
This eases pxGrid deployment by using ISE as the CA server. Cisco Security Solutions and pxGrid ecosystem client certificates are generated and issued by the ISE certificate-provisioning portal using a built-in pxGrid template.
The pxGrid client certificate can be in either Privacy Enhanced Mail (PEM) or Public-Key Cryptography Standards (PKCS 12) format, depending on how the solution is implemented with pxGrid. The PEM format is a base64 translation of the X.509 ASN.1 keys and contains the certificate public-private key pairs of the pxGrid client, the ISE CA root certificate, the ISE EndpointSubCA, and the ISE Services node certificate. The PKCS 12 file, originally defined by RSA in the Public-Key Cryptography Standards, contains both the public and private key certificate pairs and is fully encrypted, unlike PEM files.
pxGrid “C” client implementations use the PEM format for their certificates. pxGrid “Java” client implementations use the PKCS 12 file format and convert it for use in the Java keystore, which is the “truststore” of the security solution.
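The following is an added example, not code from Cisco or from this document: a Python check that inventories the blocks in PEM material and flags a private key stored without encryption or a missing certificate. It assumes the PEM pieces listed above are concatenated into one text; the expected count of four certificates is derived from that list, and the sample blocks are constructed with filler payloads rather than real keys.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)
EXPECTED_CERTS = 4  # assumption: client, ISE CA root, EndpointSubCA, ISE services node

def inventory_pem(text):
    """Return one dict per PEM block: label, kind, DER length, encrypted flag."""
    items = []
    for label, body in PEM_BLOCK.findall(text.replace("\r\n", "\n")):
        lines = body.strip().splitlines()
        headers = []
        # Legacy OpenSSL keys start with RFC 1421 headers; ':' never occurs in base64.
        while lines and ":" in lines[0]:
            headers.append(lines.pop(0))
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        is_key = label.endswith("PRIVATE KEY")
        encrypted = is_key and (label == "ENCRYPTED PRIVATE KEY"
                                or any("ENCRYPTED" in h for h in headers))
        kind = "private-key" if is_key else label.lower()
        items.append({"label": label, "kind": kind,
                      "der_len": len(der), "encrypted": encrypted})
    return items

def audit_bundle(text):
    """List problems a reviewer would flag before handing the bundle to a client."""
    items = inventory_pem(text)
    keys = [i for i in items if i["kind"] == "private-key"]
    certs = [i for i in items if i["kind"] == "certificate"]
    findings = []
    if len(keys) != 1:
        findings.append(f"expected 1 private key, found {len(keys)}")
    if any(not k["encrypted"] for k in keys):
        findings.append("private key is stored unencrypted")
    if len(certs) != EXPECTED_CERTS:
        findings.append(f"expected {EXPECTED_CERTS} certificates, found {len(certs)}")
    return findings

def _pem(label, data, headers=""):
    """Build a constructed PEM block; the payload is filler, not real DER."""
    b64 = base64.encodebytes(data).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}-----END {label}-----\n"

# Constructed samples (no real key material).
KEY = b"constructed key" * 8
CERTS = "".join(_pem("CERTIFICATE", b"constructed cert %d" % n * 8) for n in range(4))
GOOD = CERTS + _pem("ENCRYPTED PRIVATE KEY", KEY)
LEGACY = CERTS + _pem("RSA PRIVATE KEY", KEY,
                      "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233\n\n")
BAD = _pem("CERTIFICATE", b"constructed cert" * 8) + _pem("PRIVATE KEY", KEY)
```

An empty list from `audit_bundle` means the text holds exactly one encrypted private key and the four certificates; it does not validate the certificate chain itself.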
This document describes the procedure for configuring the ISE certificate provisioning portal and provides use-case examples for generating and issuing the pxGrid certificates for the following pxGrid clients:
Cisco FireSIGHT 5.4
Cisco Firepower 6.1
Splunk for ISE Add-on 2.20 (can be used for other security solutions using Java keystores)