Cisco Identity Services Engine (ISE)
The Cisco Identity Services Engine (ISE) adapter connects to the Cisco ISE management interface in order to enable the creation and enforcement of security and access policies for endpoint devices connected to managed routers and switches.
The Cisco ISE adapter connection requires the following parameters:
- Cisco ISE Domain – The hostname for Cisco ISE.
- User Name and Password - The user name and the password of the service account used to interact with Cisco ISE (see the following section).
- Use pxGrid to Fetch Live Sessions - Enrich the data collected from Cisco ISE by enabling pxGrid. This option is enabled by default. Using pxGrid requires a Plus license and an additional authentication step from pxGrid Services on your Cisco ISE domain. For more details, see Authorize Axonius in pxGrid Services.
- Verify SSL - Choose whether to verify the SSL certificate of the server.
- HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.
- Choose Instance - If you are using multi-nodes, choose the Axonius node that is integrated with the adapter. By default, the 'Master' Axonius node (instance) is used. For details, see Connecting Additional Axonius Nodes.
Create a Service Account for Axonius in Cisco ISE
To create a service account for Axonius with sufficient permissions for calling the Cisco ISE API, do as follows:
Navigate to Administration > Admin Access > Administrators > Admin Users and click Add.
Assign an access type. You can choose between Read/Write and ReadOnly; select ReadOnly.
Add the user to one of the following Admin Groups: ERS Admin or ERS Operator.
Enable ERS (External RESTful Services) to allow REST calls. To do this, navigate to Administration > System > Settings > ERS Settings, then select Enable ERS for Read/Write under the Primary Administration Node.
NOTE: The ERS setting must be enabled after each upgrade, as it is reset to "disabled" during each upgrade. If you plan on utilizing this adapter, we recommend adding a note to your Cisco ISE upgrade process documentation that the REST API should be enabled at the end of each upgrade.
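A post-upgrade check for the steps above, added here as an example and not Axonius or Cisco code: it sends one read-only ERS request as the service account with certificate verification on and reports which setup step most likely needs attention. Port 9060, the `/ers/config/endpoint` path and the mapping from result to likely cause are assumptions about a typical ISE deployment; adjust them to yours.

```python
import base64
import json
import ssl
import urllib.request

ERS_PORT = 9060  # assumption: ERS on its usual dedicated port


def build_ers_request(host, user, password, port=ERS_PORT):
    """Read-only GET for a single endpoint record; no write access is needed."""
    url = f"https://{host}:{port}/ers/config/endpoint?size=1"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, method="GET", headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })


def interpret(status, body):
    """Map an HTTP result to the setup step that most likely needs attention."""
    if status == 200:
        try:
            total = json.loads(body)["SearchResult"]["total"]
        except (ValueError, KeyError, TypeError):
            return "unexpected-body: 200 but not an ERS search result (proxy or wrong host?)"
        return f"ok: ERS enabled, account can read endpoints (total={total})"
    if status in (401, 403):
        # Assumed cause: wrong password or account not in ERS Admin / ERS Operator.
        return "denied: check password and ERS Admin / ERS Operator group membership"
    return f"unexpected-status: HTTP {status}"


def check_ers(host, user, password, cafile=None):
    """Probe ERS with TLS verification on, matching the adapter's Verify SSL option."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with urllib.request.urlopen(build_ers_request(host, user, password),
                                    context=ctx, timeout=10) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return interpret(exc.code, exc.read())
    except OSError as exc:  # URLError, refused connection, timeout, TLS failure
        reason = getattr(exc, "reason", exc)
        if isinstance(reason, ssl.SSLError):
            return f"tls-error: certificate not trusted ({reason})"
        return f"unreachable: ERS may be disabled after an upgrade ({reason})"
```

Run `check_ers("<ISE hostname>", "<service account>", "<password>", cafile="<CA bundle>")` at the end of each ISE upgrade; anything other than an `ok:` result points back to the steps in this section.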
Authorize Axonius in pxGrid Services on your Cisco ISE domain
To authorize Axonius with sufficient permissions for using the pxGrid services, do as follows:
Enable the Use pxGrid to Fetch Live Sessions parameter as shown in the configuration.
Click Save and Connect. This generates an Axonius ID, followed by an error asking you to authorize the generated ID in the pxGrid system (see the next steps).
Log into the ISE Admin GUI and navigate to Administration > pxGrid Services.
Select the Axonius client and click Approve as shown in the image.
Click Save and Connect to complete the configuration and to establish the connection.
Enabling pxGrid Services in Cisco ISE Administration
To enable pxGrid Services in Cisco ISE Administration:
- Log into the ISE Admin GUI and navigate to Administration > Deployment.
- Select the ISE node to be used for pxGrid persona as shown in the image.
- Enable pxGrid service and click Save as shown in the image.
Configuring pxGrid Advanced Settings
If you are configuring the Cisco ISE adapter and do not want to use the pxGrid fetch to retrieve the data, you need to enable "Fetch Endpoints" in the adapter's advanced settings.
- Open the Cisco Identity Services (ISE) Adapter screen, click Advanced Settings, and then click the Cisco ISE Configuration tab:
- Fetch Endpoints - Check this option to fetch data from the ISE endpoint.
- The default value for this checkbox is False.