
The Portuguese version of this Article can be found at: ISE - O que precisamos saber sobre pxGrid .

 


 

Introduction

ISE originally started sharing information through the use of APIs, but scalability was always a challenge, so pxGrid (Platform Exchange Grid) was born.

pxGrid was initially added to ISE 1.3 in 2015 and is Cisco's premier Publish / Subscribe (Pub / Sub) communication bus, designed to be a secure and scalable Data Sharing System.

In the Pub / Sub Model, a Device can act as a "Publisher" to share information about a specific Topic, and other Devices can "Subscribe" to receive updates about these Topics. ISE acts as a Central Controller for pxGrid, managing Discovery, Authentication, and Authorization of participating Devices.

pxGrid Controller Example.png

 

pxGrid Topics refer to specific categories of information that can be shared between different Network Devices and Security Platforms through the pxGrid framework, allowing Contextual Data such as User Identity, Endpoint Details and Network Policies to be exchanged.

 

pxGrid is an ISE Persona that:

  • in a Large Deployment supports up to 4x Dedicated pxGrid in ISE 2.4+ (only 2x pxGrid in previous versions)
  • in a Medium Deployment supports up to 2x pxGrid.

 

It is not recommended to enable the pxGrid Service on an ISELite Node (a Node with the Extra Small specification, available only on VM and Cloud platforms, not supported on SNS Appliances, and supported on ISE 3.4+)!

 

License

pxGrid requires at least an Advantage License.

pxGrid License.png

 

Why pxGrid ?

One-to-One API Integrations are very limited in a World where dozens of technologies need to share data.

It is likely that you are using multiple Security Products for different purposes and they do not work together.

Some of these purposes may be:

  • Identify Devices and Users
  • Detect Vulnerabilities
  • Detect Malware
  • Monitor Behavior
  • Protect Endpoints
  • Ensure Compliance
  • Know and Show your Security Posture
  • Physically Identify / Locate Things (IoT).

If it were possible to share data between your various Security Products, you would have a more efficient Operation... pxGrid is the answer!!!

pxGrid provides a single Interface to integrate virtually all of your Security Products so they can Share Data with any other Product in pxGrid.

In short, pxGrid provides integration with Cisco Security Technical Alliance Partners.

 

Cisco Security Technical Alliance Partners

Cisco Security Technical Alliance Partners are Companies whose Security Solutions can be integrated with Cisco ISE through APIs.

The Cisco Security Technical Alliance program has over 400 Partners and 825 Integrations, and provides an environment for Security Vendors to integrate with various Cisco APIs and SDKs (such as Firepower eStreamer, pxGrid, REST, etc.) across the Cisco Security portfolio.

ISE pxGrid Partner Ecosystem.png

 

To view the Official List of all Cisco Security Technical Alliance Partners, visit Cisco Security Technology Alliance (CSTA).

To view how to integrate Cisco ISE with select Cisco Security Partners, visit ISE - Third-Party Ecosystem Partners.

 

pxGrid

pxGrid v1.0

pxGrid v1.0 was introduced in ISE 1.3 and is based on XMPP, requiring an SDK (Software Development Kit) containing Java & C libraries, and Sample Code.

 

ISE 3.0 is the last version to support pxGrid v1.0 with End of Support set for July 13th, 2025.

pxGrid v1.0 Nodes operate in a High Availability Active / Standby configuration.

 

pxGrid v2.0

pxGrid v2.0 was officially supported in ISE 2.4 (introduced in ISE 2.3). It uses a REST API for control (account activation, service discovery, access secrets) and WebSockets carrying STOMP 1.2 (Simple Text Oriented Messaging Protocol) for Pub / Sub, with no SDK dependency.

pxGrid v2.0 Components.png

 

In ISE 3.1+, all pxGrid connections must be based on pxGrid v2.0.

pxGrid v2.0 Nodes operate in a High Availability Active / Active configuration.
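The two halves of a pxGrid v2.0 connection described above (REST control calls on TCP 8910, then STOMP 1.2 frames over the WebSocket) are easy to misread from the diagrams, so here is an added, offline example of both wire formats. It is written for this article and is not Cisco's sample code; the endpoint and header names follow the public pxGrid 2.0 REST / WebSocket spec, while the hostname, the peer node name and the session payload are constructed.

```python
"""Offline illustration of the pxGrid 2.0 wire formats described above: the REST
control calls a client makes to the pxGrid node on TCP 8910, and the STOMP 1.2
frames that carry Pub / Sub traffic over the WebSocket. Written for this article,
not Cisco sample code. Endpoint and header names follow the public pxGrid 2.0
REST / WebSocket spec; hostname, peer node name and session payload are constructed."""
import json
from typing import Dict, List, Optional, Tuple

CONTROL_PORT = 8910                        # pxGrid 2.0 control API (REST) port
SESSION_SERVICE = "com.cisco.ise.session"  # service whose topic carries session updates


def control_request(ise_host: str, endpoint: str,
                    body: Optional[dict] = None) -> Tuple[str, str]:
    """Return (url, json_body) for one control call. Control calls are HTTPS POSTs
    authenticated with the client certificate or HTTP Basic nodeName:password."""
    url = f"https://{ise_host}:{CONTROL_PORT}/pxgrid/control/{endpoint}"
    return url, json.dumps(body or {})


# STOMP 1.2 header escaping; the spec exempts CONNECT / CONNECTED frames from it.
_ESCAPES = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", ":": "\\c"}
_UNESCAPES = {"\\": "\\", "r": "\r", "n": "\n", "c": ":"}
_UNESCAPED_COMMANDS = ("CONNECT", "CONNECTED")


def _escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _UNESCAPES:
            out.append(_UNESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def stomp_frame(command: str, headers: Dict[str, str], body: str = "") -> bytes:
    """Encode one frame: COMMAND, header lines, blank line, body, NUL terminator."""
    raw = command in _UNESCAPED_COMMANDS
    lines = [command] + [f"{k}:{v if raw else _escape(v)}" for k, v in headers.items()]
    return ("\n".join(lines) + "\n\n" + body).encode("utf-8") + b"\x00"


def parse_stomp_frame(frame: bytes) -> Tuple[str, Dict[str, str], str]:
    """Decode one frame into (command, headers, body). A frame without the NUL
    terminator is rejected instead of guessing where its body ends."""
    if not frame.endswith(b"\x00"):
        raise ValueError("STOMP frame missing NUL terminator")
    head, _, body = frame[:-1].decode("utf-8").partition("\n\n")
    command, *header_lines = head.split("\n")
    raw = command in _UNESCAPED_COMMANDS
    headers: Dict[str, str] = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers.setdefault(key, value if raw else _unescape(value))  # first repeat wins
    return command, headers, body


def session_summary(message_body: str) -> List[dict]:
    """Reduce a sessionTopic message to the fields a SIEM pivots on."""
    rows = []
    for s in json.loads(message_body).get("sessions", []):
        rows.append({"user": s.get("userName"), "mac": s.get("macAddress"),
                     "ips": s.get("ipAddresses", []), "nas": s.get("nasIpAddress"),
                     "port": s.get("nasPortId"), "state": s.get("state"),
                     "sgt": s.get("ctsSecurityGroup")})
    return rows


SAMPLE_SESSION_BODY = json.dumps({"sessions": [{        # constructed payload
    "timestamp": "2025-02-27T10:42:59Z", "state": "STARTED", "userName": "alice",
    "macAddress": "00:11:22:33:44:55", "ipAddresses": ["10.1.20.31"],
    "nasIpAddress": "10.0.0.10", "nasPortId": "GigabitEthernet1/0/5",
    "ctsSecurityGroup": "Employees"}]})

if __name__ == "__main__":
    host = "ise01.example.com"                               # constructed
    # Control plane: activate the account, discover the session service and the
    # pubsub service it publishes on, then get a secret for that pubsub peer.
    print(control_request(host, "AccountActivate"))
    print(control_request(host, "ServiceLookup", {"name": SESSION_SERVICE}))
    print(control_request(host, "AccessSecret", {"peerNodeName": "ise-pubsub-ise01"}))
    # Data plane: CONNECT and SUBSCRIBE on the WebSocket, then handle MESSAGE frames.
    print(stomp_frame("CONNECT", {"accept-version": "1.2", "host": host}))
    print(stomp_frame("SUBSCRIBE", {"destination": "/topic/" + SESSION_SERVICE, "id": "0"}))
    msg = stomp_frame("MESSAGE", {"destination": "/topic/" + SESSION_SERVICE,
                                  "subscription": "0", "message-id": "1"}, SAMPLE_SESSION_BODY)
    command, headers, body = parse_stomp_frame(msg)
    print(command, headers["destination"], session_summary(body))
```

The ServiceLookup reply for com.cisco.ise.session is what tells the client which pubsub service and topic to use (its properties carry wsPubsubService and sessionTopic); the AccessSecret call must name that pubsub node, because the secret is per peer. Frames are terminated by NUL, not by a newline, which is why the parser refuses anything without it.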

 

pxGrid v1.0 vs pxGrid v2.0

 

pxGrid v1.0 vs pxGrid v2.0.png

 

Performance

  • pxGrid v1.0: 5,000 KB/s
  • pxGrid v2.0: 100,000 KB/s

 

pxGrid v2.0 (WebSockets) does not use much CPU, as it is simply forwarding Published Messages to Subscribers. On the other hand, pxGrid v1.0 (XMPP) uses a bit more CPU in XML processing, as each Subscriber adds XML processing.

If the Subscribers are primarily pxGrid v2.0 Clients, the pxGrid Persona can run on any Node; if they are pxGrid v1.0 Clients, a Dedicated pxGrid Node should be considered.

 

pxGrid Features

ISE Version vs Features / Improvements table:

ISE pxGrid Versions and Improvements.png

 

Dynamic Topics

Dynamic Topics is a feature of ISE 2.0+ that allows Partners to create their own Topics in pxGrid for all pxGrid-enabled Partners to consume information from.

This enables a true bidirectional Multi-Vendor Contextual Sharing framework, allowing Customers with multiple Vendors to benefit from these integrations.

pxGrid provides an API that opens up a unified framework allowing you to integrate with pxGrid once and share the Context with any other Platform that supports pxGrid, as a Hub & Spoke Architecture.

pxGrid Controller.png

 

Features:

  • Context Sharing Control: pxGrid is customizable, you can "Publish" only the specific information (Context) you want to share, and you can control which other pxGrid Partner Platforms it is shared with.
  • Bidirectional Context Sharing: pxGrid enables Partner Platforms like yours and others to Publish Context or Subscribe Context; you orchestrate and secure what is Published and Subscribed through the pxGrid Controller that resides on Cisco ISE.
  • Share Context Data in Native Formats: you share Contextual Information in pxGrid using your Platform's native data format, pxGrid does the rest.
  • Connect to Multiple Platforms Simultaneously: pxGrid allows you to Publish only the Context Data that is relevant to pxGrid Partner Subscribers. You can customize multiple Context Topics for a variety of Partner Platforms, but they are always shared through the same reusable pxGrid framework.

Context Sharing with pxGrid.png

 

pxGrid Context-In

pxGrid Context-In is a feature in ISE 2.4+ that allows Security Partners to Publish Topic information to Cisco ISE, allowing Cisco ISE to take action based on the identified asset.

 

pxGrid Loss Detection

pxGrid Loss Detection is a feature of ISE 3.0+, enabled by default, that adds sequence IDs to the messages published on pxGrid Topics.

If there is a break in transmission, the Subscriber can recognize the gap in the ID sequence and request the data published since the last sequence number it received.

If the Publisher goes down, when it comes back up the Topic sequence restarts at 0. When the Subscriber receives sequence 0, it clears its Cache and initiates a Bulk Download.

If the Subscriber goes down, the Publisher keeps assigning IDs. When the Subscriber reconnects and recognizes the gap in the ID sequence, it requests the data from the time of the last sequence number it received.

 

pxGrid Loss Detection works with Session Directory and TrustSec Configuration.
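The three cases above (clean sequence, gap after a Subscriber outage, sequence reset after a Publisher restart) are what a Subscriber has to tell apart, and the difference between "replay since my last ID" and "throw the cache away and bulk download" is the whole point of the feature. The following added example is an illustration of that Subscriber-side logic written for this article; it is not ISE or Cisco code. The field names `sequence` and `timestamp`, the session-keyed cache and the recorded recovery actions are assumptions.

```python
"""Subscriber-side handling of pxGrid Loss Detection (ISE 3.0+) as described
above: each message on a Topic carries a sequence ID, so the Subscriber can spot
gaps, detect a Publisher restart (sequence back to 0) and choose between a replay
request and a Bulk Download. Written for this article to illustrate the behaviour;
not ISE code. Field names `sequence` / `timestamp`, the session-keyed cache and
the recorded recovery actions are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TopicTracker:
    topic: str
    cache: Dict[str, dict] = field(default_factory=dict)   # sessions keyed by MAC
    last_seq: Optional[int] = None
    last_ts: Optional[str] = None
    actions: List[str] = field(default_factory=list)       # recovery requests made

    def handle(self, msg: dict) -> str:
        """Process one Topic message; returns ok | gap | reset | duplicate."""
        seq = int(msg["sequence"])
        if seq == 0:
            # Publisher restarted and its sequence restarted at 0: anything cached
            # from before the restart may be stale, so drop it and resync fully.
            self.cache.clear()
            self.actions.append("bulk-download")
            outcome = "reset"
        elif self.last_seq is None:
            outcome = "ok"            # first message after our own (re)start
        elif seq <= self.last_seq:
            return "duplicate"        # already seen (e.g. replayed data); ignore
        elif seq != self.last_seq + 1:
            # We missed messages while disconnected; the Publisher kept numbering.
            # Ask for everything since the timestamp of the last message we saw.
            self.actions.append(f"replay-since:{self.last_ts}")
            outcome = "gap"
        else:
            outcome = "ok"
        self._apply(msg)
        self.last_seq, self.last_ts = seq, msg.get("timestamp")
        return outcome

    def _apply(self, msg: dict) -> None:
        for s in msg.get("sessions", []):
            mac = s["macAddress"]
            if s.get("state") == "DISCONNECTED":
                self.cache.pop(mac, None)
            else:
                self.cache[mac] = s


def replay_stream(tracker: TopicTracker, messages: List[dict]) -> List[str]:
    """Feed messages through the tracker in order and return the outcomes."""
    return [tracker.handle(m) for m in messages]


ALICE, BOB = "00:00:00:00:00:01", "00:00:00:00:00:02"
# Constructed stream: Publisher start, two updates, a gap (3 and 4 lost),
# a duplicate delivery of 5, then a Publisher restart.
SAMPLE_STREAM = [
    {"sequence": 0, "timestamp": "T0", "sessions": []},
    {"sequence": 1, "timestamp": "T1",
     "sessions": [{"macAddress": ALICE, "state": "STARTED", "userName": "alice"}]},
    {"sequence": 2, "timestamp": "T2",
     "sessions": [{"macAddress": BOB, "state": "STARTED", "userName": "bob"}]},
    {"sequence": 5, "timestamp": "T5",
     "sessions": [{"macAddress": ALICE, "state": "DISCONNECTED"}]},
    {"sequence": 5, "timestamp": "T5",
     "sessions": [{"macAddress": ALICE, "state": "DISCONNECTED"}]},
    {"sequence": 0, "timestamp": "T6", "sessions": []},
]

if __name__ == "__main__":
    t = TopicTracker("com.cisco.ise.session")
    print(replay_stream(t, SAMPLE_STREAM))   # ['reset', 'ok', 'ok', 'gap', 'duplicate', 'reset']
    print(t.actions, t.cache)
```

The message that reveals a gap is still applied, because it is newer than anything in the cache; only the missing range is requested. A duplicate is dropped without touching the cache, which matters once replayed data starts arriving alongside live messages.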

 

API Gateway

API Gateway is a feature of ISE 3.0+ and has been improved in ISE 3.1+:

API Gateway.png

 

pxGrid Cloud

pxGrid Cloud is a feature of ISE 3.1 P3+ that was introduced in May/2022 and that allows you to share Contextual Information between On-prem Applications and Cloud-based Solutions without compromising the security of your Network.

pxGrid Cloud Elements.png

 

For more information: Cisco pxGrid Cloud Solution Guide.

 

pxGrid Direct

pxGrid Direct is a feature of ISE 3.2+ that facilitates Real-Time Data Sharing within an On-Prem Network, helping to connect to External REST APIs that provide JSON Data for Endpoint Attributes.

pxGrid Direct stores collected data in the Cisco ISE Database that can be used in Authorization Policies, helping to evaluate and authorize Endpoints more quickly.

I would like to draw your attention to the tremendous difference in performance between ISE 3.2 P2 / ISE 3.3 vs ISE 3.4 (in Performance and Scalability Guide for Cisco Identity Services Engine, search for Cisco ISE pxGrid Direct Scaling) . 

Cisco ISE pxGrid Direct Scaling.png

 

pxGrid Filtering

pxGrid Filtering is a feature of ISE 3.4+ that supports Filtering of Information based on specific Client requirements. Prior to ISE 3.4, pxGrid published all information it received from Publishers to Clients. The pxGrid Filtering feature allows Clients to receive only relevant information from the Publisher on a per-Subscription basis. Filtering of Information is achieved using the Filtering API on the pxGrid Server.

 

API on Cisco ISE

Enable API

 

ERS APIs and Open APIs are HTTPS-only REST APIs that use Port 443.

ERS APIs also use Port 9060, however Port 9060 may no longer be supported in future versions of ISE, so it is not recommended to use Port 9060.

 

ISE 3.3

To enable the API in ISE 3.3, in Administration > System > Settings > API Settings > API Service Settings:

API Service Settings - ISE 3.3.png

 

  • ERS - disabled by default.
  • Open API - disabled by default.

 

ISE 3.4

To enable the API in ISE 3.4, in Administration > System > Settings > API Settings > API Service Settings:

API Service Settings - ISE 3.4.png

 

  • ERS - disabled by default.
  • Open API - enabled by default and cannot be disabled !!!

 

Enable API Gateway

To enable the API Gateway in Cisco ISE, in Administration > System > Settings > API Settings > API Gateway Settings:

API Gateway Settings.png

 

pxGrid on Cisco ISE

PPAN & pxGrid

If the PPAN (Primary Policy Administration Node) is Down, the pxGrid Service will not be available, as pxGrid Servers replicate information between Nodes via the PPAN.

 

All pxGrid Clients periodically re-register with the pxGrid Controller at a 7.5 minute interval. If a Client fails to re-register, the PAN assumes it is inactive and deletes that Client. If the PAN is inactive for more than 7.5 minutes, when it becomes active again it deletes all Clients with Timestamp values older than 7.5 minutes (all such Clients must then re-register with the pxGrid Controller).

 

Enable pxGrid

To enable pxGrid on Cisco ISE, in Administration > System > Deployment > select the pxGrid Node > enable pxGrid:

Administration System Deployment.png

 

Enable pxGrid Context-In

To enable the pxGrid Context-In in Cisco ISE, in Administration > System > Deployment > select the PSN Node > Profiling Configurations > enable pxGrid:

pxGrid Profiling Configuration.png

 

Check pxGrid Version

To check the version of pxGrid you are running:

https://<hostname>:8910/pxgrid/control/version

 

Client Certificate

Cisco ISE can act as an Internal CA to issue Certificates if there is no infrastructure to issue Certificates (in Administration > pxGrid Services > Client Management > Certificates) : 

pxGrid Certificates.png

 

Configure pxGrid

To configure pxGrid on Cisco ISE, in Administration > pxGrid Services:

pxGrid Services.png

 

pxGrid Summary

To view High-Level Information about pxGrid ... in Administration > pxGrid Services > Summary:

pxGrid Summary.png

 

Active Connections

  • PubSub Connections: displays the Number of Active PubSub Connections to the pxGrid.
  • Control Messages: number of Control Messages received in the Last Hour for Authentication, Authorization and Service Discovery.
  • REST API: number of REST API Messages received in the Last Hour from Clients connecting via XMPP or WebSockets.
  • PubSub Throughput: reports the amount of Data Published to pxGrid Clients. Extremely useful for scaling your pxGrid Deployment.

Total Clients

  • number of Approved / Pending pxGrid Clients.

Errors

  • total number of Transmission Errors in the Last Hour in which the Client requested Data Transfer to be restarted as well as a list of Recent Messages.

 

pxGrid Client Management

To manage pxGrid Client ... in Administration > pxGrid Services > Client Management:

pxGrid Client Management.png

In Policy ...

the default Services are:

  • com.cisco.ise.aiagent
  • com.cisco.ise.config.anc
  • com.cisco.ise.config.deployment.node
  • com.cisco.ise.config.profiler
  • com.cisco.ise.config.trustsec
  • com.cisco.ise.config.upn
  • com.cisco.ise.dnac
  • com.cisco.ise.echo
  • com.cisco.ise.endpoint
  • com.cisco.ise.endpointanalytics
  • com.cisco.ise.mdm
  • com.cisco.ise.posture
  • com.cisco.ise.pubsub
  • com.cisco.ise.pxcloud
  • com.cisco.ise.pxgrid.admin
  • com.cisco.ise.radius
  • com.cisco.ise.session
  • com.cisco.ise.sxp
  • com.cisco.ise.system
  • com.cisco.ise.telemetry
  • com.cisco.ise.trustsec

the default Operations are:

  • <ANY>
  • <CUSTOM>
  • publish
  • publish /topic/com.cisco.ise.session - publish Session information.
  • publish /topic/com.cisco.ise.identity.group - publish Identity Group information.
  • publish /topic/com.cisco.ise.anc - allows a pxGrid Client to retrieve ANC Policies.

the default Groups are:

  • ANC
  • Internal

 

pxGrid Diagnostics

For pxGrid troubleshooting:

 

GUI

In Administration > pxGrid Services > Diagnostics:

pxGrid Diagnostics.png

 

  • Websockets - lists all pxGrid 2.0 Clients Internal & External to ISE.
  • Logs - lists Management Events.
  • Tests - excellent for Troubleshooting.

 

CLI

For pxGrid v2.0 activities and errors, check pxgrid-server.log:

ise/admin# show logging application | include pxgrid-server.log
16327385 Feb 27 2025 10:42:59 pxgrid/pxgrid-server.log

 

pxGrid Settings

For pxGrid settings ... in Administration > pxGrid Services > Settings:

pxGrid Settings.png

 

  • Automatically approve new Certificate-based Accounts
  • Allow Password based Account creation - if this option is enabled, pxGrid Clients cannot be automatically approved.

 

Case Study

SIEM

A SIEM (Security Information and Event Management) can add Context to identified Devices, i.e. transform an "IP Addr" into "User X using Device Y on Port W of Switch Z".

The SIEM Administrator may also (for example) choose to take corrective action based on a Security Event, signaling ISE to place User X in "Network Quarantine".

The Figure below depicts the Adaptive Network Control (ANC) capabilities on Cisco ISE, as invoked by a pxGrid-enabled Platform that makes a call to the threat-response API. The engine performs a Change of Authorization (CoA) and issues a Security Group Tag (SGT).

ANC Mitigation Actions.png

 

RTC (Rapid Threat Containment)

Upon detecting a Threat on an Endpoint, a pxGrid Partner can instruct ISE to contain the infected Endpoint, either Manually or Automatically.

Containment may involve:

  • move the Device to a Sandbox for observation
  • move the Device to a Remediation Domain for repair
  • remove the Device completely

RTC Use Case.png
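Both the SIEM case above (signalling ISE to put a User in "Network Quarantine") and RTC come down to the same ANC call over pxGrid, and that call triggers a CoA, so it deserves input checks in front of it. The added example below prepares that call; it is written for this article and is not Cisco's sample code. The endpoint name applyEndpointByMacAddress and the body fields follow the public pxGrid 2.0 ANC spec as I recall it (confirm them against the ServiceLookup output of your ISE version); the ServiceLookup reply shown is constructed and the policy allowlist is a local SOC decision.

```python
"""Preparing the pxGrid ANC (Adaptive Network Control) call that a SIEM or other
pxGrid Partner makes to quarantine an Endpoint, with the input checks a
practitioner wants in front of anything that triggers a CoA. Written for this
article, not Cisco sample code. The endpoint name applyEndpointByMacAddress and
the body fields follow the public pxGrid 2.0 ANC spec as I recall it (verify on
your ISE version); the ServiceLookup reply below is constructed and the policy
allowlist is a local SOC decision."""
import json
import re
from typing import Tuple

ANC_SERVICE = "com.cisco.ise.config.anc"
# ANC policies a machine is allowed to apply on its own. Anything else
# (for example a policy that shuts the port) must go through a human.
ALLOWED_POLICIES = {"Quarantine", "Remediation"}


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 001122334455 and return the
    colon-separated upper-case form ISE displays. Anything else is rejected, so a
    log field that is not a MAC can never reach the API."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def anc_rest_base_url(service_lookup_reply: dict) -> str:
    """Pull restBaseUrl out of a ServiceLookup reply for com.cisco.ise.config.anc.
    The reply can list several nodes; any one that advertises the URL will do."""
    for svc in service_lookup_reply.get("services", []):
        url = svc.get("properties", {}).get("restBaseUrl")
        if svc.get("name") == ANC_SERVICE and url:
            return url
    raise LookupError("no ANC service instance advertising restBaseUrl")


def quarantine_request(rest_base_url: str, mac: str, policy: str) -> Tuple[str, str]:
    """Return (url, json_body) for applyEndpointByMacAddress. ISE then applies the
    ANC policy, sends a CoA, and the Endpoint is re-authorized into whatever SGT /
    dACL the Authorization Policy gives that ANC state."""
    if policy not in ALLOWED_POLICIES:
        raise PermissionError(f"policy {policy!r} is not on the automatic allowlist")
    body = {"policyName": policy, "macAddress": normalize_mac(mac)}
    return f"{rest_base_url.rstrip('/')}/applyEndpointByMacAddress", json.dumps(body)


# Constructed ServiceLookup reply; the base URL path is an assumption.
SAMPLE_LOOKUP = {"services": [{
    "name": ANC_SERVICE, "nodeName": "ise-admin-ise01",
    "properties": {"restBaseUrl": "https://ise01.example.com:8910/pxgrid/ise/config/anc"}}]}

if __name__ == "__main__":
    base = anc_rest_base_url(SAMPLE_LOOKUP)
    url, body = quarantine_request(base, "0011.2233.4455", "Quarantine")
    print("POST", url, body)
    # Send it with the pxGrid client credentials, e.g. requests.post(url, data=body,
    # cert=(client_crt, client_key), headers={"Content-Type": "application/json"}).
```

The ANC policy named in the body must already exist on ISE (Operations > Adaptive Network Control > Policy List), and the Authorization Policy must have a rule matching that ANC state, otherwise the CoA happens but the Endpoint lands back where it was.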

 

ISE can also receive standardized Common Vulnerability Scoring System (CVSS) ratings and Structured Threat Information Expression (STIX) threat ratings, so that Manual or Automatic changes to User Access Privileges can be made based on a Security Score.

RTC Use Case - CVSS.png

 

pxGrid Context-In - IOT (Internet of Things)

IOT Devices are considered "anything" connected to the "network" at "any time"; the biggest challenge is to classify these Devices and give them the appropriate Network Access based on the Organization's Security Policy.

pxGrid Context-In enhances Device Classification by using Cisco ISE as the Network Enforcement and Network Authorization Point. Classified Endpoint access is determined when Security Partners publish their IoT asset information to the pxGrid Endpoint Asset Topic.

In summary ... the Security Partner publishes Attributes to the Endpoint Asset Topic:

Security  Partner Publishes Attributes to Endpoint Asset Topic.png

 

The IOT Asset Profiling Policy is created:

 

IOT Asset Profiling Policy.png

 

The Profiling Policy is assigned to a Logical Profile:

 

Profiling Policy is assigned to a Logical Profile.png

 

The Logical Profile is assigned to an Authorization Policy:

 

Logical Profile is Assigned to an Authorization Policy.png

 

Take a look at pxGrid Context-In - IOT.

 

pxGrid Context-In - Threat

To see an example of a Security Solution publishing threat information to ISE, see pxGrid Context-In - Threat.

 

Cisco pxGrid and McAfee OpenDXL

Take a look at Joining Forces for Cybersecurity Openness - Cisco pxGrid and McAfee OpenDXL.

 

Scripts

News coming soon !!!

 

References

pxGrid Turns 50 in Just Two Years (Jan/2017)

Synergizing Cybersecurity: The Benefits of Technology Alliances (Sep/2024)

Cisco ISE Administrator Guide, Release 3.4 - Cisco pxGrid

Thomas Howard - Introduction to the Cisco Platform Exchange Grid (pxGrid) in ISE - YouTube

Thomas Howard - ISE Data Connect Deep Dive - YouTube

Viktor Bobrov - Working with ISE pxGrid APIs - YouTube

DevNet - Cisco Platform Exchange Grid (pxGrid)

Introduction to pxGrid 2.0

Katherine McNamara - pxGrid 2.0 in ISE 

Sample Codes in GITHUB - pxGrid

Cisco Identity Service Engine (ISE) Big Encyclopedic Resources Guide (BERG) - pxGrid

Cisco Platform Exchange Grid (pxGrid) in ISE Tutorial

pxGrid Python Advanced Examples

Performance and Scalability Guide for Cisco Identity Services Engine (ISE)

 
