Cisco ISE Advanced Configuration
The following procedure discusses how to configure the ISE/ISE-PIC identity source. You must be in the global domain to perform this task.
Threat Defense Feature History:
7.2—Optionally add a proxy, which is a connection to one or more cCisco Security Cloud Control in the event Cisco Security Cloud Control cannot communicate with the ISE/ISE-PIC server. .
Before you begin
-
To get user sessions from a Microsoft Active Directory Server or supported LDAP server, configure and enable a realm for the Cisco ISE server, assuming the pxGrid persona, as discussed in Create an LDAP Realm or an Active Directory Realm and Realm Directory.
-
To get all mappings that are defined in Cisco ISE, including SGT-to-IP address mappings published through SXP, use the procedure that follows. As an alternative, you have the following options:
-
To use the SGT information in the packets only, and not use mappings downloaded from Cisco ISE, skip the steps discussed in Create and Edit Access Control Rules. Note that in this case, you can use SGT tags as a source condition only; these tags will never match destination criteria.
-
To use SGT in packets and user-to-IP-address/SGT mappings only, do not subscribe to the SXP topic in the Cisco ISE identity source, and do not configure ISE to publish SXP mappings. You can use this information for both source and destination matching conditions.
-
-
(Advanced configuration only.) Export certificates from the ISE/ISE-PIC server and optionally import them into the management center as discussed in Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center.
-
To publish SXP topics so the management center can be updated with Security Group Tags (SGT) on the ISE server, see Configure ISE/ISE-PIC.
Procedure
Step 1 | Log in to the management center. | ||
Step 2 | Click . | ||
Step 3 | Click Identity Services Engine for the Service Type to enable the ISE connection.
| ||
Step 4 | Enter a Primary Host Name/IP Address and, optionally, a Secondary Host Name/IP Address. | ||
Step 5 | Click the appropriate certificate authorities from the pxGrid Server CA and MNT Server CA lists, and the appropriate certificate from the pxGrid Client Certificate list. You can also click Add () to add a certificate.
| ||
Step 6 | (Optional.) Enter an ISE Network Filter using CIDR block notation. | ||
Step 7 | In the Subscribe To section, check the following:
| ||
Step 8 | (Optional.) From the Proxy list, click either a managed device or a proxy sequence. If Security Cloud Control cannot communicate with your ISE/ISE-PIC server, you can choose either a managed device or proxy sequence to do it. For example, your Security Cloud Control might be in a public cloud but the ISE/ISE-PIC server might be on an internal intranet. | ||
Step 9 | To test the connection, click Test. If the test fails, click Additional Logs for more information about the connection failure. |
What to do next
-
Specify users to control and other options using an identity policy as described in Create an Identity Policy.
-
Associate the identity rule with an access control policy, which filters and optionally inspects traffic, as discussed in Associating Other Policies with Access Control.
-
Use Security Group Tags (SGT) from Cisco ISE as dynamic attributes in access control policies.
For more information, see Configure Dynamic Attributes Conditions.
-
Deploy your identity and access control policies to managed devices as discussed in Deploy Configuration Changes.
-
Monitor user activity .