There are issues utilizing the pubsub WebSocket model of pxGrid for profiling and updating endpoint custom attributes. We are working in ISE 3.1 patch 5 (late this year) to add a bulk create via Open API; patch 6 will add update/delete and download capabilities (early 2023).
Sharing SGT SXP Binding information via pxGrid
In general, subscribing to the session directory will give you the dynamic IP-to-tag bindings of user and IoT endpoints over wired, wireless and VPN. What it won't provide is the static mappings added under Work Centers > TrustSec > Components > IP SGT Static Mapping.
In pxgrid-server.log you should see the subscription being added if the client is subscribing to the correct topic: cpm.pxgridwebapp.ws.pubsub.SubscriptionThreadedDistributor -:::::- adding subscription to [2bae,testcli,OPEN]:/topic/com.cisco.ise.sxp.binding
Try adding or removing an SXP binding and then checking the logs.
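The subscription and log check described above, as an added example that is not part of the original page or Cisco's own client code. It assumes pxGrid 2.0 pubsub carries STOMP frames over the WebSocket; the topic name comes from the log line quoted above, while the binding message fields and the log excerpt are constructed samples.

```python
import json
import re

# Topic name taken from the pxgrid-server.log line quoted on this page.
SXP_BINDING_TOPIC = "/topic/com.cisco.ise.sxp.binding"

def stomp_frame(command, headers, body=""):
    """Serialise a STOMP frame: command, header lines, blank line, body, NUL."""
    head = "\n".join([command] + [f"{k}:{v}" for k, v in headers.items()])
    return f"{head}\n\n{body}\0"

def subscribe_frame(topic=SXP_BINDING_TOPIC, sub_id="sxp-1"):
    """SUBSCRIBE frame a pxGrid 2.0 client sends over the pubsub WebSocket."""
    return stomp_frame("SUBSCRIBE", {"destination": topic, "id": sub_id})

def parse_message_frame(raw):
    """Split an incoming MESSAGE frame into (command, headers, decoded JSON body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers = dict(line.split(":", 1) for line in lines[1:] if line)
    return lines[0], headers, json.loads(body.rstrip("\0"))

# Constructed sample binding notification; the body field names are an assumption.
SAMPLE_MESSAGE = (
    "MESSAGE\n"
    f"destination:{SXP_BINDING_TOPIC}\n"
    "subscription:sxp-1\n"
    "content-type:application/json\n\n"
    '{"operation": "CREATE", "binding": {"ipPrefix": "10.1.1.1/32", "tag": 5}}\0'
)

# Constructed pxgrid-server.log excerpt built around the line quoted above.
SAMPLE_LOG = (
    "2023-01-01 10:00:00,000 DEBUG cpm.pxgridwebapp.ws.pubsub.SubscriptionThreadedDistributor"
    " -:::::- adding subscription to [2bae,testcli,OPEN]:/topic/com.cisco.ise.sxp.binding\n"
)
LOG_RE = re.compile(r"adding subscription to \[(?P<client>[^\]]+)\]:(?P<topic>/topic/\S+)")

def subscription_logged(log_text, topic=SXP_BINDING_TOPIC):
    """True if the log shows some client subscribing to exactly this topic."""
    return any(m.group("topic") == topic for m in LOG_RE.finditer(log_text))

if __name__ == "__main__":
    print(repr(subscribe_frame()))
    print(parse_message_frame(SAMPLE_MESSAGE)[2])
    print(subscription_logged(SAMPLE_LOG))
```

A client that subscribes but never sees the "adding subscription" line is almost always on the wrong topic string, which is the first thing to compare.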
What are the scaling considerations?
pxGrid v2 (WebSocket) does not use much CPU, as it simply forwards the published messages to subscribers. On the other hand, pxGrid v1 (XMPP) uses a bit more CPU for XML processing, and every subscriber adds XML processing.
The bottom line is that if the subscribers are mainly pxGrid v2, then it can run on any node.
If subscribers are still pxGrid v1, then we may need to consider a dedicated node.
Can you have a single account for consumer and provider (for both pushing and pulling device information)?
Yes. A single account can be both consumer and provider.
Does using the pxGrid API expose us to the same functionality that we can use in ISE ERS, and vice versa? Is it possible to subscribe to a topic via ERS, without pxGrid?
ERS and pxGrid APIs are different sets of APIs; most API functionality does not overlap. ISE ERS is used for CRUD operations against ISE (for example, manipulating objects); for your purposes pxGrid should always be used. No: subscription is a pub/sub concept that is provided only via the pxGrid WebSocket connection.
We are working towards enabling Open API in ISE 3.1 patch 5 (bulk create) and patch 6 (bulk update/delete/download).
Is the best way to push device information through Endpoint Asset service as a pxGrid provider?
The Endpoint Asset service is consumed by the Profiler feature. Yes, an external client can act as an Endpoint Asset provider. With the current design, the initial load should be through pxGrid context-in and updates through the ERS API.
Is it possible to connect through pxGrid without a certificate (user/pass only)?
It is allowed but not recommended; certificates are more secure.
In my setup I see pending approvals under Web Clients but also under All Clients?
In pxGrid 1.0, we have "dynamic capabilities". Those have to be approved too, so the difference is that one is for client approval and the other for capability approval. For example, you might have had pxGrid 2.0 clients automatically approved while a pxGrid 1.0 client still needs manual approval for its capabilities.
All Clients shows every connection. Web Clients is for WebSockets (pxGrid 2.0 support). In ISE 3.0+ you will see this separation, and in ISE 3.1 pxGrid 1.0 is completely removed.
Under WebSockets I see the client as offline, what does this mean?
This means the client is connected but nothing has been communicated in a while. After 5 minutes of no activity a client will change from Active to Offline.
You would connect to one node but still allow the admin to enter up to 4 nodes for redundancy.
What is needed for communication from pxGrid client to ISE pxGrid controller?
When generating a pxGrid client cert on ISE (under pxGrid) it will give you a client cert (use the FQDN and IP address in the SAN). The package also includes the full certificate chain. The client box will present its certificate to ISE, which trusts it (without the chain). The client will need to have the certificate chain (node, sub and root) given in the zip or PKCS12 file.
What's the guidance on using REST API vs pxGrid to do ANC?
The recommendation is to use pxGrid ANC for scaling reasons. We also try not to use the ERS API, because each endpoint update generates a separate call.
There are currently many ways to configure ANC: UI, ERS API, pxGrid v1 API (XMPP, being deprecated in ISE 3.1) and pxGrid v2 API (REST).
ANC requires session lookup that is only available in MnT nodes.
Here are where things happen:
UI and ERS API are handled on PPAN
ANC pxGrid code in MnT nodes registers the ANC capability (for XMPP) and ANC service (for REST/WS)
pxGrid XMPP API is routed by XMPP server to MnT nodes.
pxGrid REST API is handled on both MnT nodes. Clients do service lookup for ANC service to find the URLs.
Session lookup is a remote call to the MnTs (call one MnT; if that fails, call the other MnT).
RADIUS Disconnect is handled by the NA's PrRT module on the local ISE and routed to the corresponding PSN.
State is stored on the PPAN and replicated to the other ISE nodes.
Thus, configuration on partners will be:
For ERS API, the IP of PPAN
For pxGrid API, the IPs of pxGrid nodes
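The ANC service lookup and MnT failover described above, as an added example that is not part of the original page or Cisco's client code. The pxGrid 2.0 ServiceLookup reply is a constructed sample, and the ANC service name, the restBaseUrl property and the applyEndpointByMacAddress path are assumptions.

```python
import json

ANC_SERVICE = "com.cisco.ise.config.anc"   # assumed pxGrid 2.0 ANC service name

# Constructed ServiceLookup reply: the ANC service is registered on each MnT node,
# so a client sees one entry per MnT and must be ready to fail over between them.
ANC_LOOKUP_REPLY = json.dumps({"services": [
    {"name": ANC_SERVICE, "nodeName": "ise-mnt-1",
     "properties": {"restBaseUrl": "https://ise-mnt-1.example.com:8910/pxgrid/ise/config/anc"}},
    {"name": ANC_SERVICE, "nodeName": "ise-mnt-2",
     "properties": {"restBaseUrl": "https://ise-mnt-2.example.com:8910/pxgrid/ise/config/anc"}},
]})

def anc_rest_urls(reply_json, service=ANC_SERVICE):
    """REST base URL of every node advertising the ANC service, in reply order."""
    reply = json.loads(reply_json)
    return [s["properties"]["restBaseUrl"]
            for s in reply.get("services", []) if s.get("name") == service]

def apply_policy_request(base_url, policy_name, mac):
    """Build the request for applying an ANC policy to a MAC (path is an assumption)."""
    return {"url": f"{base_url}/applyEndpointByMacAddress",
            "json": {"policyName": policy_name, "macAddress": mac}}

def call_with_failover(urls, do_post, request_factory):
    """Call one MnT; on a transport error fall through to the next, as the page describes.
    do_post(url=..., json=...) is the caller's HTTP function and raises OSError/RuntimeError
    when a node cannot be reached. Returns (url_used, response)."""
    errors = []
    for url in urls:
        try:
            return url, do_post(**request_factory(url))
        except (OSError, RuntimeError) as exc:
            errors.append(f"{url}: {exc}")
    raise RuntimeError("no ANC node reachable: " + "; ".join(errors))
```

Only transport-level failures should trigger the failover; an HTTP 4xx from the first MnT means the request itself is wrong and will fail identically on the second.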
My pxGrid client was working before, but it is not after I started using a new cert?
When you set up a pxGrid client and it associates with a client cert, it is then bound to that cert. If you create a new cert you will need to delete the pxGrid client session on ISE and create a new one (through the vendor client connection screen and cert negotiation) with the new certificate.
You would see an error message like the one below in pxgrid-server.log