Quick Configuration

This task discusses how to configure Cisco ISE (but not ISE-PIC) by entering a user name and password. The Secure Firewall Management Center then logs in to ISE and downloads the necessary certificates to authenticate the two applications.

Threat Defense Feature History:

7.6—This feature is introduced.

Before you begin

See the following topics first:

Procedure

Step 1

Step 2

Click Integration > Other Integrations > Identity Sources.

Step 3

Click Identity Services Engine for the Service Type to enable the ISE connection.

Note	To disable the connection, click None.

Step 4

Click Quick Configuration (New).

Step 5

In the Primary PAN FQDN/IP Address field, enter the fully qualified domain name or IP address of the policy administration node (PAN). Do not enter a scheme (such as https:// ).

Step 6

In the Username field, enter the user name of a user in at least the ERS Operator group.

For more information about groups, see the section on Cisco ISE Administrator Groups in the Cisco Identity Services Engine Administrator Guide.

Step 7

In the Password field, enter the user's password.

Step 8

(Optional.) Enter an ISE Network Filter using CIDR block notation.

Step 9

In the Subscribe To section, check the following:

Session Directory Topic to receive ISE user session information from the ISE server.
SXP Topic to receive updates to SGT-to-IP mappings when available from the ISE server. This option is required to use destination SGT tagging in access control rules.

Step 10

(Optional.) From the Proxy list, click either a managed device or a proxy sequence.

If Security Cloud Control cannot communicate with your ISE/ISE-PIC server, you can choose either a managed device or proxy sequence to do it. For example, your Security Cloud Control might be in a public cloud but the ISE/ISE-PIC server might be on an internal intranet.

Step 11

To test the connection, click Test.

Step 12

(Optional.) After a successful trest, click Save this Config at the top of the page to save the configuration on the Secure Firewall Management Center.

What to do next

Specify users to control and other options using an identity policy as described in Create an Identity Policy.
Associate the identity rule with an access control policy, which filters and optionally inspects traffic, as discussed in Associating Other Policies with Access Control.
Use Security Group Tags (SGT) from Cisco ISE as dynamic attributes in access control policies.

For more information, see Configure Dynamic Attributes Conditions.
Deploy your identity and access control policies to managed devices as discussed in Deploy Configuration Changes.
Monitor user activity .