yauda (Level 1)

Introduction

This document shows you how to integrate Cisco ISE with Cylera.

What is Cylera?

Cylera is a SaaS platform that provides an accurate and extensible platform for healthcare IoT intelligence and security, to optimize care delivery, service availability, and cyber defenses across diverse connected medical devices and infrastructure.

The platform accurately discovers, categorizes, assesses, and monitors known and unknown healthcare IoT and connected medical devices with high fidelity. Cybersecurity and biomedical engineering professionals gain unparalleled asset inventory visibility, usage telemetry, threat prioritization, analytics, and guided remediation. The solution, in combination with its rapid implementation and integrations with popular IT and biomedical applications, enables organizations to advance their cybersecurity program maturity, increase operational efficiency, mitigate risk, and enable compliance audit-readiness.

Why Integrate Cisco ISE with Cylera?

Cylera provides a variety of benefits, including:

  • Connected Medical Device Inventory
    • Continuous visibility: Identify, classify, and monitor healthcare IoT and connected medical devices in real time.
    • Deep healthcare IoT device intelligence: Capture make, model, OS, vendor, network services, SBoM attributes, and more.
    • Network traffic inspection and assessment: Analyze granular flow and communication attributes.
    • Known and unknown device identification: Auto-categorize and assess without requiring retooling.

  • Risk Profiling and Prioritized Threat Mitigation
    • Passive, real-time detection: Identify vulnerabilities and indicators of compromise (IOCs) affecting healthcare IoT devices.
    • Dynamic risk profiling: Pinpoint actual attack surface risk and potential service impact.
    • Efficient mitigation: Prioritize threats with risk scores and remediate faster with detailed triage context and prescriptive remediation guidance.
    • Zero trust support: Segmentation policy generation and zone monitoring through integrations with firewall, network access control (NAC), and microsegmentation tools.

  • Enhanced IoT Asset Intelligence
    • Rich analytics: Obtain insights with interactive dashboards, filters, and reports.
    • Compliance audit-readiness: Utilize reports and data export of inventory, event logs, exposures, and resolution.
    • Data sharing: Integrate with popular network, security, asset, vulnerability and risk management, and service management systems.
    • Healthcare IoT optimization: Collect usage telemetry to enable optimization and cost savings.


Background Information

Cylera Appliance

yauda_0-1753095527836.png

yauda_1-1753095557309.png

Each site in your organization should have a dedicated Cylera Appliance that collects device information via SPAN, typically configured on the distribution switch. This data is then sent to the Cylera cloud application, which can be accessed from anywhere. Additionally, the Cylera Appliance is integrated with Cisco ISE through pxGrid. See https://cylera.com/platform/how-cylera-works/ for details.

Prerequisites

Knowledge of Cisco ISE network access, Cisco pxGrid, the ISE REST API (ERS), and the Cylera architecture.

Components Used

  • ISE v3.2 Patch 7
  • Cylera

In this document, we assume that your organization has four sites, each equipped with one Cylera Appliance (sensor). You only need to integrate ISE PAN1 (which has pxGrid persona enabled) with one of these four sensors. This sensor will act as a proxy, enabling the connection between ISE and the Cylera cloud application. The integration will be established via pxGrid. Afterwards, the Cylera cloud application will use REST APIs to synchronize and push information to ISE. For this process, Cylera requires an internal ISE user account with membership in both the Identity Admin and ERS Admin groups.

yauda_2-1753095612100.png

yauda_4-1753095633434.png

Prerequisite ISE configuration

Step 1: Enable the pxGrid persona on your PAN1 node

Select Administration → System → Deployment, edit the ISE node and go to “General Settings”.

yauda_5-1753095657426.png


Step 2: Enable Profiling Custom Attribute Enforcement

Select Administration → System → Settings → Profiling and enable custom attribute enforcement.

yauda_6-1753095668575.png


Step 3: Enable the pxGrid Profiling probe on each PSN node

Select Administration → System → Deployment, edit the ISE node, go to “Profiling Configuration” and enable pxGrid under Profiling Configuration.

yauda_7-1753095677600.png


Step 4: Enable the REST API

Select Administration → System → Settings → API Settings, click “API Service Settings” and enable ERS (Read/Write).

yauda_8-1753095685492.png


Step 5: Create an ISE user account for Cylera

Go to Administration → System → Admin Access. On the left navigation bar select Administrators → Admin Users, then click “Add”.

Add the following Admin Groups to the user: Identity Admin and ERS Admin.

yauda_9-1753095696705.png

Step 6: Create a pxGrid certificate and DNS record for the Cylera appliance

You will need to generate a pxGrid certificate for your Cylera sensor, ensuring that the certificate's Common Name (CN) is resolvable by your DNS server. The certificate can be issued either by your Enterprise CA or by the ISE CA, which can be accessed under the Certificates section in Client Management. In both cases, you must upload the certificate, the CA certificate (including the full chain of trust), and the private key to the Cylera sensor.

Below is an example if you use ISE as the CA.

yauda_10-1753095716052.png


yauda_12-1753095740188.png

Below is an example of the files you will need to upload to Cylera at the end.

yauda_13-1753095751082.png

Remember that in the ISE pxGrid settings you will need to approve the certificate, or choose to approve certificate-based accounts automatically.

yauda_14-1753095762874.png

Step 7: Create a pxGrid group for Cylera

Navigate to Administration → pxGrid Services → Client Management, select Groups on the left-hand side and create a new group with the name “Cylera”.

yauda_15-1753095772319.png

Step 8: Create a pxGrid policy for Cylera

The Policy page is where we can see the services and policies available to pxGrid clients; new policies can be created here as well. A policy is used to assign a service (and the operations allowed on it) to a group.

The default operations are as follows:

  • <ANY>
  • publish /topic/com.cisco.ise.session – This publishes session information
  • publish /topic/com.cisco.ise.identity.group – Allows the pxGrid client to subscribe to the ISE-published identity topics and receive notifications.
  • publish /topic/com.cisco.ise.anc – Allows the pxGrid client to retrieve all ANC policies and associated actions


Navigate to Policy on the left-hand side and create the following policy:

  • Service: com.cisco.ise.pubsub
  • Operation: Custom Operation: publish /topic/com.cisco.endpoint.asset
  • Groups: Cylera

Select the cylera-appliance pxGrid client and then select “Edit”.

Add the Cylera client group to the pxGrid client and select “Save”.

yauda_16-1753095783932.png

Step 9: Create the Cylera custom attributes

Navigate to Administration → Identity Management → Settings. On the left-hand side, select “Endpoint Custom Attributes” and create the following attributes with their respective types:

  • cyleraGroup - String
  • cyleraDeviceClass - String
  • cyleraDeviceModel - String
  • cyleraDeviceVendor - String
  • cyleraDeviceType - String
  • cyleraDeviceOs - String

Save the custom attributes.

yauda_17-1753095790953.png

Integrate ISE with Cylera

In the Cylera cloud app, go to “Integration”, click “Create New Integration” and then click “Configure Integration”.

yauda_18-1753095807989.png
yauda_19-1753095832103.png

yauda_20-1753095839763.png

Syncing Policies from Cylera to Cisco ISE

dACL Policies

If the synced policy is a dACL policy, navigate in the ISE GUI to Policy → Policy Elements → Results. Then, on the left-hand menu, go to Authorization → Downloadable ACLs. You will find the ACL rules for the synced policy listed here, identified by the prefix "cylera" followed by the group name.

Next, navigate to Authorization → Authorization Profiles. You will see a corresponding authorization profile, also prefixed with "cylera" and the group name, which is associated with its respective downloadable ACL.


TrustSec Policies

If the synced policy is a TrustSec policy, go to the ISE GUI and navigate to Work Centers → TrustSec → TrustSec Policy. On the left-hand side, click on Matrix to view the TrustSec matrix, which displays allowed traffic flows from source to destination.

To sync policies from Cylera to Cisco ISE, log in to the Cylera Dashboard and go to Network → Policies. Create a new policy by either generating rules based on traffic data or defining custom rules manually. Make sure the policy is set to Enforcement mode; this enables the Sync NAC button. Once the rules are configured, click Save, then click Sync NAC. This queues the sync action for the configured NAC integration.

The sync process may take 5 to 15 minutes, depending on the number of devices associated with the group. During this time, a notification will appear on the Cylera Dashboard indicating that the integration is in progress, followed by another notification once the sync is complete.

After the sync is finished, navigate to the Cisco ISE GUI to verify the integration.


Actions

Push Device Attributes

  • Frequency: runs daily. Can also be invoked from the integration detail page.
  • Due to a limitation of the pxGrid Context-In probe, the limit of devices getting updated is 25 devices per second. For example, a client with 10,000 devices to sync over would need about 7 minutes.
  • Syncs the type, vendor, operating system, model, and class of a device into the custom attributes for the device.
  • Can be configured from the Configure Integration modal to only send specific classes. If none are selected in the modal, then NO device attributes will be synced over.

Push Policies

  • Frequency: ad hoc, determined by the user. Can be invoked from both the integration detail page and the policy detail page.
  • Invocation from the integration detail page will push ALL policies that are in ENFORCEMENT mode to the NAC.
  • Invocation from the policy detail page will only push the policy that is detailed on the page.
  • Can push over dACL and TrustSec types of policies; this is configured on the Configure Integration modal.

Push Profiles

  • Frequency: ad hoc, determined by the user. Can only be invoked from the integration detail page.
  • Invocation from the integration detail page will push device attributes for all device profiles that are in ENFORCEMENT mode to the NAC. This action gives the user more granularity, pushing attributes only for devices they are interested in creating a policy rule for.
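The Push Device Attributes and Push Profiles actions above populate the six endpoint custom attributes created in Step 9 through the ISE REST API. The following script is an added example (not Cylera's or Cisco's code) showing how to verify the result after a sync: it reads an endpoint record through ERS on port 9060 with the ERS Admin account from Step 5 and reports which Cylera attributes are still missing or empty. It also turns the 25-updates-per-second Context-In figure quoted above into a rough duration estimate. The ERS endpoint URL and the JSON layout of the `customAttributes` field are the author's assumptions about the ERS endpoint resource, and the two endpoint records at the bottom are constructed sample data so the check runs offline.

```python
"""Verify that Cylera's pushed attributes landed on ISE endpoints via ERS.

Added example; assumes ERS is enabled (Step 4), the account is in the
ERS Admin group (Step 5) and the custom attributes from Step 9 exist.
"""
import base64
import json
import ssl
import urllib.request

# The six custom attributes created in Step 9 of the article.
CYLERA_ATTRIBUTES = (
    "cyleraGroup", "cyleraDeviceClass", "cyleraDeviceModel",
    "cyleraDeviceVendor", "cyleraDeviceType", "cyleraDeviceOs",
)

# pxGrid Context-In rate quoted in the article: 25 endpoint updates per second.
CONTEXT_IN_RATE_PER_SEC = 25


def estimate_sync_seconds(device_count: int) -> float:
    """Rough duration of a Push Device Attributes run at the quoted 25/s rate."""
    return device_count / CONTEXT_IN_RATE_PER_SEC


def missing_cylera_attributes(endpoint: dict) -> list:
    """Return the Step 9 attributes that are absent or empty on an ERS endpoint record.

    `endpoint` is the parsed JSON body of GET /ers/config/endpoint/name/{mac}.
    Assumed layout: {"ERSEndPoint": {..., "customAttributes": {"customAttributes": {...}}}}.
    """
    record = endpoint.get("ERSEndPoint", endpoint)
    custom = (record.get("customAttributes") or {}).get("customAttributes") or {}
    return [name for name in CYLERA_ATTRIBUTES if not str(custom.get(name, "")).strip()]


def fetch_endpoint(ise_host: str, mac: str, username: str, password: str, ca_file: str) -> dict:
    """GET one endpoint record from ERS (network call; not used by the offline check)."""
    url = f"https://{ise_host}:9060/ers/config/endpoint/name/{mac}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    # Trust the CA that issued the ISE admin certificate instead of disabling verification.
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


# Constructed sample ERS responses: one fully synced endpoint, one partially synced.
SYNCED_ENDPOINT = {"ERSEndPoint": {
    "name": "00:11:22:33:44:55", "mac": "00:11:22:33:44:55",
    "customAttributes": {"customAttributes": {
        "cyleraGroup": "Infusion Pumps", "cyleraDeviceClass": "Medical",
        "cyleraDeviceModel": "Example-Model", "cyleraDeviceVendor": "Example Vendor",
        "cyleraDeviceType": "Infusion Pump", "cyleraDeviceOs": "Embedded Linux",
    }},
}}

UNSYNCED_ENDPOINT = {"ERSEndPoint": {
    "name": "66:77:88:99:AA:BB", "mac": "66:77:88:99:AA:BB",
    "customAttributes": {"customAttributes": {
        "cyleraGroup": "Infusion Pumps", "cyleraDeviceOs": "",
    }},
}}


def report(endpoints) -> dict:
    """Map each MAC to its list of missing attributes (empty list means fully synced)."""
    return {ep["ERSEndPoint"]["mac"]: missing_cylera_attributes(ep) for ep in endpoints}


if __name__ == "__main__":
    for mac, gaps in report([SYNCED_ENDPOINT, UNSYNCED_ENDPOINT]).items():
        print(mac, "OK" if not gaps else "missing: " + ", ".join(gaps))
    print(f"10,000 devices at 25/s: about {estimate_sync_seconds(10000) / 60:.1f} minutes")
```

To check a live deployment, replace the constructed records with `fetch_endpoint(...)` calls for the MACs you expect Cylera to have classified; an endpoint that still shows gaps after the daily run usually means its class was not selected in the Configure Integration modal, which (as noted above) results in no attributes being sent for it.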


Verification

yauda_21-1753096003450.png
yauda_22-1753096038027.png
yauda_24-1753096069622.png
yauda_25-1753096098335.png
Comments
joe19366 (Level 1)

Great write up!

thank you!!!
