Cisco Identity Services Engine (ISE)

The Cisco Identity Services Engine (ISE) adapter connects to the Cisco ISE management interface in order to enable the creation and enforcement of security and access policies for endpoint devices connected to managed routers and switches.

The Cisco ISE adapter connection requires the following parameters:

  1. Cisco ISE Domain - The hostname of the Cisco ISE server.
  2. User Name and Password - The user name and password of the service account used to interact with Cisco ISE (see the following section).
  3. Use pxGrid to Fetch Live Sessions - Enrich the data collected from Cisco ISE by enabling pxGrid. This option is enabled by default. Using pxGrid requires a Plus license and an additional authorization step in pxGrid Services on your Cisco ISE domain. For details, see Authorize Axonius in pxGrid Services.
  4. Verify SSL - Choose whether to verify the SSL certificate of the server.
  5. HTTPS Proxy (optional) - Connect the adapter through a proxy instead of connecting it directly to the domain.
  6. Choose Instance - If you are using multiple nodes, choose the Axonius node that is integrated with the adapter. By default, the 'Master' Axonius node (instance) is used. For details, see Connecting Additional Axonius Nodes.


Create a Service Account for Axonius in Cisco ISE

To create a service account for Axonius with sufficient permissions to call the Cisco ISE API, do the following:

  1. Navigate to Administration > Admin Access > Administrators > Admin Users and click Add.

  2. Assign an access type. You can choose between Read/Write and ReadOnly; select ReadOnly.

  3. Add the user to one of the following Admin Groups: ERS Admin or ERS Operator.

  4. Enable ERS (External RESTful Services) to allow REST calls. To do this, navigate to Administration > System > Settings > ERS Settings and select Enable ERS for Read/Write under the Primary Administration Node.

    NOTE
    The ERS setting must be enabled after each upgrade, because it is reset to "disabled" during every upgrade. If you plan to use this adapter, we recommend adding a note to your Cisco ISE upgrade process documentation that the REST API must be re-enabled at the end of each upgrade.
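Because ERS silently returns to "disabled" on every upgrade, a post-upgrade check is worth scripting. The following is an added example (not Axonius or Cisco code): it probes the ERS API with the read-only service account and reports whether ERS is reachable, whether the credentials are accepted, and whether the account has ERS group membership. The ERS port (9060), the `/ers/config/endpoint` path and the `SearchResult` JSON shape are taken from Cisco's ERS API documentation, not from this page; host and credentials are placeholders.

```python
"""Post-upgrade check: is the Cisco ISE ERS API still enabled for the read-only service account?"""
import base64
import json
import ssl
import urllib.error
import urllib.request

ERS_PORT = 9060                                  # ERS listens on its own port (per Cisco ERS docs)
ERS_PROBE_PATH = "/ers/config/endpoint?size=1"   # smallest read-only request we can make


def classify(status, body=b""):
    """Map an HTTP status (None = could not connect) to (ok, message)."""
    if status is None:
        return False, "ERS port unreachable: ERS is probably disabled (it resets on every upgrade)"
    if status == 200:
        try:  # ERS search responses look like {"SearchResult": {"total": N, "resources": [...]}}
            total = json.loads(body).get("SearchResult", {}).get("total")
        except (ValueError, AttributeError):
            total = None
        return True, f"ERS enabled; endpoint total={total}"
    if status == 401:
        return False, "ERS reachable but credentials rejected: check the service account password"
    if status == 403:
        return False, "ERS reachable but access denied: add the account to ERS Admin or ERS Operator"
    return False, f"unexpected HTTP {status}"


def check_ers(host, user, password, verify_tls=True, timeout=10):
    """Probe the ERS API with HTTP basic auth and return classify()'s verdict."""
    url = f"https://{host}:{ERS_PORT}{ERS_PROBE_PATH}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Accept": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # mirrors the adapter's "Verify SSL" toggle; keep verification on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:       # 401/403/5xx arrive as exceptions in urllib
        return classify(e.code, e.read())
    except (urllib.error.URLError, OSError):  # refused, timed out, TLS failure: treat as "not reachable"
        return classify(None)


if __name__ == "__main__":
    import sys
    ok, msg = check_ers(*sys.argv[1:4])  # usage: python ers_check.py <ise-host> <user> <password>
    print(msg)
    sys.exit(0 if ok else 1)
```

A non-zero exit code lets the script sit at the end of an upgrade runbook or in a scheduled monitor so that a reset ERS setting is noticed before the adapter's next fetch fails.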

Authorize Axonius in pxGrid Services on your Cisco ISE domain

To authorize Axonius with sufficient permissions to use the pxGrid services, do the following:

  1. Enable the Use pxGrid to Fetch Live Sessions parameter in the adapter configuration.

  2. Click Save and Connect. This generates an Axonius client ID, and the connection attempt fails with an error asking you to authorize the generated ID in pxGrid Services (next steps).

  3. Log into the ISE Admin GUI and navigate to Administration > pxGrid Services.

  4. Select the Axonius client and click Approve.

  5. Click Save and Connect to complete the configuration and establish the connection.

NOTE
pxGrid Services must be enabled on your Cisco ISE domain.

Enabling pxGrid Services in Cisco ISE Administration

To enable pxGrid Services in Cisco ISE Administration:

  1. Log into the ISE Admin GUI and navigate to Administration > Deployment.
  2. Select the ISE node to be used for the pxGrid persona.
  3. Enable the pxGrid service and click Save.

NOTE
To enable pxGrid on Cisco ISE, your ISE deployment must have a Plus license. You can see the full instructions here: Configure ISE 2.4 and FMC 6.2.3 pxGrid Integration

Configuring pxGrid Advanced Settings

If you do not want to use pxGrid to retrieve data from Cisco ISE, enable the "Fetch Endpoints" option in the adapter's Advanced Settings:

  1. Open the Cisco Identity Services Engine (ISE) Adapter screen, click Advanced Settings, and then click the Cisco ISE Configuration tab.
  • Fetch Endpoints - Check this option to fetch endpoint data from Cisco ISE.
    • The default value for this checkbox is False.
