- 22 Sep 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Cisco Identity Services Engine (ISE) - Apply Policy to Devices
- Updated on 22 Sep 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Cisco Identity Services Engine (ISE) - Apply Policy to Devices assigns a policy to devices in Cisco Identity Services Engine for:
- Assets that match the selected saved query, and
- Assets that match the Enforcement Action dynamic values, if defined.
- Assets selected on the relevant asset page.
To use this Enforcement Action, you must successfully configure a Cisco Identity Services Engine (ISE) adapter connection.
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
General Settings
- Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
- Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
Required Fields
These fields must be configured to run the Enforcement Set.
Use stored credentials from Cisco Identity Services Engine (ISE) adapter - Select this option to use the Ivanti Security Controls connected adapter credentials.
- When you select this option, the Select Adapter Connection dropdown is available, and you can choose which adapter connection to use for this Enforcement Action.
Policy Name - The name of Adaptive Network Control (ANC) policy to apply.
Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.
Additional Fields
These fields are optional.
Cisco ISE Domain - The hostname or IP address of the Cisco ISE server that Axonius can communicate with via the Required Ports.
Cisco pxGrid Domain - Set this parameter to connect to a pxgrid domain instead of the regular domain used for ERS. When this parameter is not set, the same ISE domain is used for both pxgrid and ERS APIs.
User Name and Password - The credentials for a user account that has the Required Permissions to perform this action.
Use pxGrid to Fetch Live Sessions -
- If enabled, Axonius will enrich the data collected from Cisco ISE by enabling pxGrid. Using pxGrid requires a plus licence and requires an additional authentication step from pxGrid Services on your Cisco ISE domain. For more details, see Authorize Axonius in pxGrid Services.
- If disabled, Axonius will not enable pxGrid.
pxGrid Client Certificate / pxGrid Client Private Key / pxGrid Client Private Key Password / pxGrid Client Root CA chain - These settings are required for xmpp client with pxgrid 1.* For details, contact Axonius Support.
Note:The xmpp client has been deprecated by Cisco. Axonius will continue supporting it, but it is advised to transition to the REST client to fetch pxGrid data.
Use v1.1 Object Model for ERS API - Select when using either Cisco ISE versions 2.4 or 2.7, or if you receive a “Connection Fails” HTTP 400 error.
Note:This parameter is only used with the ERS API. It has no effect when using the pxGrid API.
- Verify SSL (optional) - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
- HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.
Required Permissions
The user account used to connect must have permissions to assign policies to devices. See Cisco Identity Services Engine (ISE).
For more details about other Enforcement Actions available, see Action Library.