10-27-2020 01:04 PM - edited 09-15-2022 12:46 PM
Shortcut: http://cs.co/pxgrid-faq
This is a general site for all things pxGrid: resources, demos, FAQs.
June 2022
pxGrid 1.0 is not supported after ISE 3.0. It's recommended that all vendors, app builders, etc. move to pxGrid 2.0, which has been available in ISE 2.4+ for many years now.
ISE pxGrid Vendor Integration notes - general information for the client vendor to integrate
ISE pxGrid API help by viktor brobov, Cisco
ISE pxGrid Cloud - since ISE 3.1 patch 3
pxGrid how to guide - see cs.co/ise-guides
Listed at cs.co/selling-ise-demos - Cisco/Partners only
There are issues using the pubsub WebSocket model of pxGrid for profiling and for updating endpoint custom attributes. We are working in ISE 3.1p5 (late this year) to have a bulk create using Open API. Patch 6 will add update/delete and download capabilities (early 2023).
In general, subscribing to the session directory will give you the dynamic IP-to-tag bindings of user and IoT endpoints over wired, wireless and VPN. What it won't provide is the static mappings added under Work Centers > Trustsec > Components > IP SGT Static Mapping.
Github sxp.binding and Session Directory
Here is code showing how to integrate the two:
https://developer.cisco.com/codeexchange/github/repo/cisco-pxgrid/python-advanced-examples
In order to share this and subscribe, the pxGrid client will need to subscribe to sxp.bindings
The following 2 check boxes under SXP settings need to be enabled
You will see a subscription to the session directory and the sxp.binding for your test client
Enable a dummy SXP device
Work Centers > Trustsec > SXP > SXP Devices
pxGrid v2 (WebSocket) does not use much CPU as it is simply forwarding the published messages to subscribers. On the other hand, pxGrid v1 (XMPP) uses a bit more CPU in XML processing. Every subscriber adds XML processing.
The bottom line is that if the subscribers are mainly pxGrid v2, then it can run on any node.
If subscribers are still pxGrid v1, then we may need to consider a dedicated node.
Yes. Single account can be both consumer and provider
We are working towards enabling Open API in ISE 3.1 patches 5 (bulk create) and patch 6 (bulk update/delete/download)
The Endpoint Asset service is consumed by the Profiler feature. Yes, an external client can act as an Endpoint Asset provider. With the current design, the initial load should be through pxGrid context-in and updates through the ERS API.
It is allowed but not recommended, certs are more secure.
In pxGrid 1.0, we have “Dynamic capabilities”. Those have to be approved too. So the difference is that one is for client approval and the other for capabilities approval. For example, you might have had pxGrid 2.0 clients automatically approved, but a pxGrid 1.0 client needs manual approval for its capabilities.
All Clients shows every connection. Web Clients is for WebSockets (pxGrid 2.0 support). In ISE 3.0+ you will see the separation, and in ISE 3.1 pxGrid 1.0 will be completely removed.
This means the client is connected but nothing has been communicated in a while. After 5 minutes of no activity a client will change from Active to Offline
Troubleshoot and Enable Debugs on ISE
The support bundle can be found under Operations > Troubleshoot > Download Logs > [select the node on which the issue was reproduced/seen].
curl -k -v https://<hostname>:8910/pxgrid/control/version
From a client standpoint, active/active means it can connect to any of the available ISE pxGrid nodes.
pxGrid 2.0 supports more than 2 ISE nodes. It can support as many ISE nodes as there are. The recommendation would be to have 2 at minimum, but possibly a 3rd (tertiary) as well.
The purpose of this is to distribute the subscribers in order to distribute network load. So your app would connect to 1 node but have backups if those were offline or failed.
This is the pubsub service that each pxGrid node provides: https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki/Pubsub
When looking up this service, a list of available nodes will be returned.
https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki/Session-Directory#multiple-nodes-use-one
You would connect to 1 node but still allow the admin to enter up to 4 nodes for redundancy
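One way a client could implement the "connect to one node, keep backups" behaviour described above. This is an added example, not code from Cisco or the linked repositories; the function names are hypothetical, and the ServiceLookup request/response shape and the empty-password Basic auth for certificate clients are assumptions taken from the pxgrid-rest-ws wiki linked above. It also assumes the account is already activated and approved.

```python
import base64
import json
import ssl
import urllib.request

PUBSUB = "com.cisco.ise.pubsub"  # pubsub service name used in the linked wiki


def make_context(ca_chain, client_cert, client_key):
    """Mutual-TLS context: verify ISE against the chain from the cert package."""
    ctx = ssl.create_default_context(cafile=ca_chain)
    ctx.load_cert_chain(client_cert, client_key)
    return ctx


def https_post(host, path, body, account, ctx):
    """POST JSON to a node's control API; cert-based clients send an empty password."""
    auth = base64.b64encode(f"{account}:".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:8910/pxgrid/control/{path}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {auth}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def lookup_pubsub(nodes, account, ctx=None, post=https_post):
    """Ask each configured node in turn; return (node_used, [wsUrl, ...])."""
    if not 1 <= len(nodes) <= 4:  # the page suggests letting the admin enter up to 4
        raise ValueError("configure between 1 and 4 pxGrid nodes")
    errors = {}
    for host in nodes:
        try:
            reply = post(host, "ServiceLookup", {"name": PUBSUB}, account, ctx)
        except OSError as exc:  # URLError, TLS failures and timeouts are OSErrors
            errors[host] = str(exc)
            continue
        urls = [s["properties"]["wsUrl"] for s in reply.get("services", [])]
        if urls:
            return host, urls
        errors[host] = "lookup returned no pubsub service"
    raise ConnectionError(f"no pxGrid node answered: {errors}")
```

Because `make_context` loads the chain shipped with the client certificate, ISE's certificate is verified on every node tried, so a failover never silently falls back to an unverified connection.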
When generating a pxGrid client cert on ISE (under pxGrid), it will give a client cert (use FQDN and IP address in SAN). The package also includes the full certificate chain. The client box will present its certificate to ISE, which trusts it (without the chain). The client will need to have the certificate chain (node, sub and root) given in the zip or PKCS12 file.
Recommendation is to use pxGrid ANC for scaling purposes. We are also trying not to use ERS API because each endpoint update generates a call.
There are currently many ways to configure ANC: UI, ERS API, pxGrid v1 API (XMPP being deprecated in ISE 3.1) and pxGrid v2 API (REST).
ANC requires session lookup that is only available in MnT nodes.
Here is where things happen:
Thus, configuration on partners will be:
When you set up a pxGrid client and it associates with a client cert, the client is then bound to that cert. If you create a new cert, you will need to delete the pxGrid client session on ISE and create a new one (through the vendor client connection screen and cert negotiation) with the new certificate.
You would see an error msg like the one below in pxgrid-server.log
2021-11-19 06:59:25,038 WARN [Thread-56004][] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::- Mismatched X509 fingerprint user=test123 dn=CN=test123 fingerprint=WePVk1Fv0JDlSQaNGKCVPp92Iww= stored_fingerprintZBvXQNLZX8GX9BpaG4Io6SY5qz0= request_source=[IP Address: 10.21.127.40, port: 57537, hostname: 10.21.127.40] request_dest=[IP Address: 172.23.166.161, port: 8910, hostname: pxgrid-161]
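To find every client affected by a certificate change, the mismatch entries can be pulled out of pxgrid-server.log and grouped by client name. This is an added example, not ISE tooling; the function names are hypothetical, the field layout is inferred only from the single line quoted above (including its `stored_fingerprint` field with no `=`), and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the entry quoted above; lines 2 and 3 are constructed.
SAMPLE_LOG = "\n".join([
    "2021-11-19 06:59:25,038 WARN [Thread-56004][] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::- Mismatched X509 fingerprint user=test123 dn=CN=test123 fingerprint=WePVk1Fv0JDlSQaNGKCVPp92Iww= stored_fingerprintZBvXQNLZX8GX9BpaG4Io6SY5qz0= request_source=[IP Address: 10.21.127.40, port: 57537, hostname: 10.21.127.40] request_dest=[IP Address: 172.23.166.161, port: 8910, hostname: pxgrid-161]",
    "2021-11-19 07:02:10,000 WARN [Thread-1][] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::- Mismatched X509 fingerprint user=client-b dn=CN=client-b, OU=Lab fingerprint=PRESENTED-EXAMPLE= stored_fingerprint=STORED-EXAMPLE= request_source=[IP Address: 192.0.2.10, port: 40000, hostname: 192.0.2.10] request_dest=[IP Address: 192.0.2.1, port: 8910, hostname: ise-example]",
    "2021-11-19 07:03:00,500 INFO [Thread-2][] constructed.unrelated.Logger -:::::- unrelated entry",
])

MISMATCH = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ .*?"
    r"Mismatched X509 fingerprint user=(?P<user>\S+) dn=(?P<dn>.+?) "
    r"fingerprint=(?P<presented>\S+) "
    r"stored_fingerprint=?(?P<stored>\S+) "  # '=' is absent in the quoted line
    r"request_source=\[IP Address: (?P<src_ip>[^,\]]+), port: (?P<src_port>\d+)"
)


def find_mismatches(log_text):
    """Return one dict per 'Mismatched X509 fingerprint' entry, in log order."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := MISMATCH.search(line))]


def summarize(events):
    """Per client: the stored fingerprint, what was presented, and from where."""
    out = defaultdict(lambda: {"stored": set(), "presented": set(),
                               "sources": set(), "count": 0})
    for e in events:
        row = out[e["user"]]
        row["stored"].add(e["stored"])
        row["presented"].add(e["presented"])
        row["sources"].add(e["src_ip"])
        row["count"] += 1
    return dict(out)
```

Each client in the summary is one whose pxGrid client entry on ISE needs to be deleted and re-created with the new certificate; a presented fingerprint arriving from a source address you do not recognise for that client is worth checking before re-approving it.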
It supports the endpoint and network devices with IPv6 addresses. Currently it doesn't support integrations via IPv6
CSCwb87184 - ENH: Distinguish username from Machine name in PGRID
My FMC version is 7+, how should I be able to confirm it will support pxgrid 2.0 when I move my ISE to 3.1?