dhr.tech1

pxGrid Integration with Cisco StealthWatch using Microsoft CA

Objective

This blog shows readers how to integrate Cisco StealthWatch (7.X) with a Cisco ISE appliance over pxGrid.

What is pxGrid?

Cisco pxGrid provides a unified framework that enables ecosystem partners to integrate to pxGrid once, and then share context bidirectionally with many platforms without the need to adopt platform-specific APIs. Using pxGrid, we can integrate Cisco ISE and Cisco StealthWatch, which allows the information captured by Cisco StealthWatch to be enriched with information captured by Cisco ISE over the network.

 

Topology

 

Screenshot 2022-01-02 at 20.49.08.png

Step 1: Setup CA Server

 

  • Set up the Group Policy for Auto Enrolment under both Computer Configuration and User Configuration
 
 

Screenshot 2022-01-02 at 20.33.04.png

  • Open the Windows CA Server
  • Right-click the User template and duplicate it -> select Windows 2003 Enterprise -> OK
  • Enter name of certificate template, uncheck “Publish certificate in Active Directory”, and provide validity period and renewal period.

Screenshot 2022-01-02 at 20.35.12.png

  • Click Extensions->Add->Server Authentication->Ok->Apply

Screenshot 2022-01-02 at 20.36.25.png

  • Click Subject Name, Enable Supply in the request

Screenshot 2022-01-02 at 20.36.50.png

  • Click Extensions->Issuance Policies->Edit->All Issuance Policies

 

Screenshot 2022-01-02 at 20.37.35.png

  • Download the template

 

Screenshot 2022-01-02 at 20.40.54.png

  • Download the CA Root Cert in Base 64 format. We later need to install this certificate into both ISE and StealthWatch.

 

Screenshot 2022-01-02 at 20.41.49.png

  • Install Root Certificate into ISE: Trusted Certificates

Screenshot 2022-01-02 at 20.52.09.png

  • Install the root certificate into Stealthwatch

 

Landing page > Central Management > SMC > Action > Edit Appliance configuration > General > Trust Store

 

Screenshot 2022-01-02 at 20.53.25.png

 

Screenshot 2022-01-02 at 20.54.04.png

Step 2: Setup Cisco ISE

  • Enable pxGrid

 

Screenshot 2022-01-02 at 21.08.08.png

 

  • Make sure that the ISE node will automatically approve new accounts by navigating to Administration>pxGrid Services>Settings

Note: Enabling "Allow Password based account creation" is not required.

Screenshot 2022-01-02 at 21.09.03.png

 

  • Request a certificate for pxGrid and generate the CSR.

 

Screenshot 2022-01-02 at 21.11.08.png

 

  • Bind the downloaded certificate

 

Screenshot 2022-01-02 at 21.12.05.png

 

Screenshot 2022-01-02 at 21.12.48.png

 

  • Verify the certificates are installed.

 

Screenshot 2022-01-02 at 21.13.42.png

Step 3: Setup StealthWatch 

 

  • Request the certificate used to authenticate Stealthwatch SMC and ISE.

 

Screenshot 2022-01-02 at 20.55.50.png

 

  • Make sure that the ISE node will automatically approve new accounts by navigating to Administration>pxGrid Services>Settings

Screenshot 2022-01-02 at 20.56.20.png

 

  • Download the CSR and get a new certificate from the CA.

Screenshot 2022-01-02 at 20.57.00.png

  • Download base 64 encoded certificate

 

Screenshot 2022-01-02 at 20.59.03.png

  • Upload the certificate & apply changes.

 

Screenshot 2022-01-02 at 20.59.40.png

 

 

  • Configure ISE integration

Screenshot 2022-01-02 at 21.02.15.png

 

Screenshot 2022-01-02 at 21.02.53.png
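
A pre-upload check for the certificates issued in Steps 2 and 3, as an added example that is not part of the original post: it confirms that a Base 64 certificate chains to the downloaded root CA, carries both the Server Authentication and Client Authentication EKUs, and names the appliance it is meant for. It assumes OpenSSL on the admin workstation; the file names, the FQDN `smc.example.test` and the throwaway PKI that stands in for the Microsoft CA are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. File names and the FQDN
# smc.example.test are assumptions; the PKI built below is constructed.

# check_pxgrid_cert <issued.pem> <root-ca.pem> <expected-fqdn>
# Prints one line per failed check; returns non-zero if any check fails.
check_pxgrid_cert() {
    cert=$1 root=$2 fqdn=$3 rc=0
    # 1. Must chain to the root CA installed in both trust stores (Step 1).
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $root"; rc=1; }
    # 2. Template = User copy plus Server Authentication: expect both EKUs.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null)
    for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case $text in
            *"$eku"*) ;;
            *) echo "FAIL: missing EKU: $eku"; rc=1 ;;
        esac
    done
    # 3. The template takes the subject from the request, so confirm the
    #    issued name really is this appliance's FQDN.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
        grep -q "does match" || { echo "FAIL: name does not match $fqdn"; rc=1; }
    return $rc
}

# make_constructed_pki <dir> <eku-list>: throwaway root and leaf standing in
# for the Microsoft CA and the appliance CSR (constructed sample input).
make_constructed_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\nprompt=no\n[dn]\nCN=Constructed Root CA\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/ca.cnf"
    printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:smc.example.test\n' "$2" >"$d/ext.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/ca.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=smc.example.test" -keyout "$d/smc.key" -out "$d/smc.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/smc.csr" -CA "$d/root.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/ext.cnf" -out "$d/smc.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) && make_constructed_pki "$tmp" "serverAuth,clientAuth" &&
        check_pxgrid_cert "$tmp/smc.pem" "$tmp/root.pem" smc.example.test &&
        echo "OK: certificate is ready to upload"
    rm -rf "$tmp"
}
demo
```

Against real files, call `check_pxgrid_cert` with the certificate downloaded from the CA, the root certificate from Step 1, and the FQDN of the ISE node or SMC.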

 

 

 

 


 

 

Verification on ISE

 

 

Screenshot 2022-01-02 at 21.04.14.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 
