Cisco Identity Services Engine (ISE)

The Cisco Identity Services Engine (ISE) adapter connects to the Cisco ISE management interface in order to enable the creation and enforcement of security and access policies for endpoint devices connected to managed routers and switches.

Parameters

  1. Cisco ISE Domain (required) - The hostname or IP address of the Cisco ISE server that Axonius can communicate with via the Required Ports.
  2. User Name and Password (required) - The credentials for a user account that has the Required Permissions to fetch assets.
  3. Use pxGrid to Fetch Live Sessions (required, default: False) -
    • If enabled, Axonius will enrich the data collected from Cisco ISE by enabling pxGrid. Using pxGrid requires a plus license and an additional authentication step from pxGrid Services on your Cisco ISE domain. For more details, see Authorize Axonius in pxGrid Services.
    • If disabled, Axonius will not enable pxGrid.
  4. Verify SSL (required, default: False) - Verify the SSL certificate offered by the value supplied in Cisco ISE Domain. For more details, see SSL Trust & CA Settings.
    • If enabled, the SSL certificate offered by the value supplied in Cisco ISE Domain will be verified against the CA database inside of Axonius. If the SSL certificate cannot be validated against the CA database inside of Axonius, the connection will fail with an error.
    • If disabled, the SSL certificate offered by the value supplied in Cisco ISE Domain will not be verified against the CA database inside of Axonius.
  5. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the value supplied in Cisco ISE Domain.
    • If supplied, Axonius will utilize the proxy when connecting to the value supplied in Cisco ISE Domain.
    • If not supplied, Axonius will connect directly to the value supplied in Cisco ISE Domain.
  6. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

  1. Fetch endpoints (required, default: False)
    • If enabled, all connections for this adapter will fetch data from the ISE endpoint.
    • If disabled, all connections for this adapter will not fetch data from the ISE endpoint.

When configuring Cisco ISE, if you do not want to use the pxGrid fetch to retrieve the data, you need to enable Fetch endpoints.

NOTE

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Required Ports

Axonius must be able to communicate with the value supplied in Cisco ISE Domain via the following ports:

  • External RESTful Services (ERS) REST API: TCP/9060

For more details, see Cisco ISE Ports Reference.

Required Permissions

The value supplied in User Name must have read access to devices.
To create a service account for Axonius with sufficient permissions for calling the Cisco ISE API, do as follows:

  1. Navigate to Administration > Admin Access > Administrators > Admin Users and click Add.

  2. Assign an access type. You can choose between Read/Write or ReadOnly. Select ReadOnly.

  3. Add the user to one of the following Admin Groups: ERS Admin or ERS Operator.

  4. Enable ERS (External RESTful Services) to allow REST calls. To do this, navigate to Administration > System > Settings > ERS Settings, then select Enable ERS for Read/Write under the Primary Administration Node.

    NOTE
    The ERS setting must be enabled after each upgrade as it is reset to "disabled" during each upgrade. If you plan on utilizing this adapter, we recommend adding a note to your Cisco ISE upgrade process documentation that the REST API should be enabled at the end of each upgrade.
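
A preflight check for the prerequisites above, as an added example (not Axonius or Cisco code): it calls ERS on TCP/9060 with certificate verification left on and maps the outcome to the setting to re-check, which is useful after an ISE upgrade. The `/ers/config/endpoint` path and the meanings attached to each status or error are assumptions not stated on this page.

```python
import base64, getpass, socket, ssl, sys
import urllib.error, urllib.request

ERS_PORT = 9060  # ERS REST API port listed under Required Ports

def build_ers_request(host, user, password):
    """Read-only GET of the ERS endpoint collection (path is an assumption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}:{ERS_PORT}/ers/config/endpoint",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"},
        method="GET")

def diagnose(outcome):
    """Map an HTTP status or a connection error to the prerequisite to re-check."""
    if isinstance(outcome, int):
        if outcome == 200:
            return "ok"
        if outcome in (401, 403):  # assumed meaning of these statuses
            return "auth: check credentials and ERS Admin/ERS Operator membership"
        return f"unexpected: HTTP {outcome}"
    if isinstance(outcome, ssl.SSLCertVerificationError):
        return "tls: certificate not trusted by the CA bundle or name mismatch"
    if isinstance(outcome, ConnectionRefusedError):
        return "port: TCP/9060 refused; ERS may be disabled (reset on upgrade)"
    if isinstance(outcome, (TimeoutError, socket.timeout)):
        return "port: no answer on TCP/9060; check the network path"
    return f"unexpected: {outcome!r}"

def check_ers(host, user, password, cafile=None, timeout=10):
    """Call ERS with certificate verification on and return a diagnosis string."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        req = build_ers_request(host, user, password)
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return diagnose(resp.status)
    except urllib.error.HTTPError as exc:
        return diagnose(exc.code)
    except urllib.error.URLError as exc:
        return diagnose(exc.reason)
    except OSError as exc:
        return diagnose(exc)

if __name__ == "__main__":
    # Usage: python ers_preflight.py <ise-host> <user> [ca-bundle.pem]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_ers(sys.argv[1], sys.argv[2], getpass.getpass("Password: "), ca))
```

Pass the same CA bundle that Axonius trusts as the third argument so the result reflects what the adapter will see with Verify SSL enabled.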

Authorize Axonius in pxGrid Services on your Cisco ISE domain

To authorize Axonius with sufficient permissions for using the pxGrid services, do as follows:

  1. Enable the Use pxGrid to Fetch Live Sessions parameter in the adapter connection configuration.

  2. Click Save and Connect. This generates an Axonius ID and returns an error asking you to authorize the generated ID in the pxGrid system (see the next steps).

  3. Log into the ISE Admin GUI and navigate to Administration > pxGrid Services.

  4. Select the Axonius client and click Approve.

  5. Click Save and Connect to complete the configuration and establish the connection.

NOTE
pxGrid Services should be enabled on your Cisco ISE domain.

Enabling pxGrid Services in Cisco ISE Administration

To enable pxGrid Services in Cisco ISE Administration:

  1. Log into the ISE Admin GUI and navigate to Administration > Deployment.
  2. Select the ISE node to be used for the pxGrid persona.
  3. Enable the pxGrid service and click Save.

NOTE
For Cisco ISE pxGrid to be enabled, you must have a plus license on the ISE deployment. You can see the full instructions here: Configure ISE 2.4 and FMC 6.2.3 pxGrid Integration