...

Note:
  • NIOS does not support IPv6 communication with Cisco ISE through pxGrid.
  • From NIOS 9.0 onwards, the Cisco endpoint for pxGrid 1.0 is not supported.

When you configure a Cisco ISE, you can do the following:

...

Limitation of Integrating Cisco ISE with NIOS

A limitation of the Cisco ISE and NIOS integration is that if the Grid Master is the subscribing member and you promote a Grid Master Candidate to the Grid Master, then you have to create a client certificate for the promoted Grid Master.



Configuring Cisco ISE Endpoints Using Outbound Endpoint

You can configure the supported versions of Cisco ISE servers on the NIOS appliance. You can subscribe to identity information that you wish to collect from the Cisco ISE, such as user name, domain name, VLAN, session state, SSID, endpoint profile, and security group. You can also add extensible attributes without restricting them to specific object types, and map these extensible attributes to Cisco ISE field types to collect additional information. Note that you can subscribe to only one Cisco ISE per member, and each member can subscribe to only one Cisco ISE. You can publish ADP and RPZ notifications, and DHCP and IPAM information, from NIOS to Cisco ISEs based on the notification rules that you have configured. You can view the subscribed information from the IPAM tab and the IP Map panel. Make sure that you synchronize time between the managing member and the Cisco ISE.

...

  1. From the Grid tab, select the Ecosystem tab -> Outbound Endpoint tab and then click Add -> Add Cisco ISE Endpoint from the Toolbar.

  2. In the Add Cisco ISE Endpoint wizard:

    • Server Address: Enter the IP address or FQDN of the Cisco ISE server.

    • Name: Specify a name for the endpoint.

    • Subscribing Member: Select a Grid Master Candidate that you want to subscribe as the client on the Cisco ISE server. Or, you can select the current Grid Master as the subscribing member. This member interacts with the Cisco ISE to obtain contextual information for the subscribed data types.

    • Vendor Type: The vendor type associated with the endpoint. This is optional.

    • Client Certificate: Click Select to upload the client certificate. In the Upload dialog box, click Select to navigate to the certificate, and then click Upload.

    • Manage Certificates: Click CA Certificates to upload the self-signed certificate or CA certificate. In the CA Certificates dialog box, click the Add icon, and then navigate to the certificate to upload it.

    • WAPI Integration Username: If you have included at least one "wapi" related field in your action template, you must configure WAPI integration; otherwise the WAPI step fails due to an authorization error. Enter the user name of the admin user you want to designate for Cisco ISE outbound notifications. The appliance ignores the Auth Username and Auth Password for WAPI related steps in any action templates if WAPI integration is configured.

    • WAPI Integration Password: Enter the password of the admin user you have designated for Cisco ISE outbound notifications.

    • Test Connection: Click this to validate the endpoint settings and test the connectivity between the Grid Master and the endpoint. It also validates the certificate that you uploaded and tests the connection between the Grid Master Candidate that is assigned as the outbound member and the endpoint. Grid Manager displays a message indicating whether the connection is successful. Note that the test does not validate the user name and password for the endpoint. It only tests the basic connection between the Grid Master and the endpoint, and validates the certificate.

    • Comment: Enter additional information about the Cisco ISE endpoint.

    • Disable: Select this checkbox if you want to save the configuration but do not want to use it yet. You can clear this checkbox when you are ready to use this configuration.

    • Click Next to set the duration of time that the endpoint waits for a response from the outbound member. Complete the following to specify the session timeout value:

      1. Timeout: Specify the session timeout value for the endpoint. The default value is 30 seconds.

      2. Log Level: From the drop-down list, select the severity level for the events. The severity level you select here determines the type of events that are being logged. This can be Debug, Info, Warning, or Error. When you select Debug, all fields or variables used in the events that were sent to the endpoint are logged, including deduplicated events for RPZ hits. Note that setting this to Debug might slightly affect the performance of your production system.

      3. Template: Click Select Template to select a session management template.

      4. Vendor Type: Displays the vendor information for the endpoint.

      5. Template Type: Displays the Session Management template.

      6. Parameters: Displays the parameters of the template you select. You can access these values in the notification rules.

  3. Click Next to specify the data types that you want to obtain from the Cisco ISE. The Cisco ISE shares information only for the subscribed data types. Complete the following to specify the data types you want to collect from the Cisco ISE server:

    • Subscription Settings: Select the predefined data types to which you want to subscribe from the Available Data Type table. Use the arrows to move data types from the Available Data Type table to the Selected Data Type table. NIOS receives information for all data types in the Selected Data Type table.

    • Map other data types to Extensible Attributes: You can create extensible attributes and map these extensible attributes to receive additional Cisco ISE data values, such as IP address, MAC, NAS IP Address, NAS Port ID, EPS Status, Posture Status, Posture Timestamp, Endpoint Profile Name, Account Session ID, and Audit Session ID. Click the Add icon and map a Cisco ISE data type to an extensible attribute. You can also select a row and click the Delete icon to delete it.

  4. Click Next to add data types that you want to publish to the Cisco ISE server. Use the arrows to move data types from the Available table to the Selected table. NIOS publishes information only for the data types that are added in the Selected table.

  5. Click Next to add extensible attributes for the endpoint.

  6. Save the configuration.

...

{
    "version": "6.0",
    "vendor_identifier": "pxgrid",
    "name": "PxgridSession",
    "type": "PXGRID_ENDPOINT",
    "comment": "Pxgrid session template",
    "path": "/wapi/v2.9/",
    "override_path": true,
    "timeout": 123,
    "keepalive": true,
    "retry": 4,
    "retry_template": 2,
    "rate_limit": 200
}

DHCP Action template:

{
    "version": "6.0",
    "name": "Pxgrid Event",
    "type": "PXGRID_EVENT",
    "event_type": ["RPZ","LEASE","ADP","IPAM"],
    "action_type": "Pxgrid Action IPAM",
    "comment": "Pxgrid template",
    "content_type": "application/json",
    "vendor_identifier": "pxgrid",
    "headers": {
        "User-Agent": "Outbound API 0.1 rrtest"
    },
    "transport": {
        "path": "/wapi/v2.9",
        "content_type": "application/json",
        "override_path": true
    },
    "steps":
    [
      {
            "name": "DHCP event",
            "operation": "PX_SEND_DHCP_LEASES"
      }
    ]
}
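Before uploading a session template and action template pair, a quick structural check catches mismatches (wrong template type, different vendor_identifier, unknown event_type values, incomplete steps) and flags templates that reference WAPI so that the WAPI Integration Username and Password get set on the endpoint. The lint below is an added example, not Infoblox code or a published NIOS schema; it assumes the types and event_type values shown in this page's two templates are the valid ones and uses those templates as constructed sample input.

```python
# Assumed, not Infoblox's published schema: this lint accepts only the types
# and event_type values the page's own templates use.
KNOWN_EVENT_TYPES = {"RPZ", "LEASE", "ADP", "IPAM"}

# Constructed sample input: the two templates from this page, as Python dicts.
SESSION = {"version": "6.0", "vendor_identifier": "pxgrid", "name": "PxgridSession",
           "type": "PXGRID_ENDPOINT", "path": "/wapi/v2.9/", "override_path": True,
           "timeout": 123, "keepalive": True, "retry": 4, "retry_template": 2,
           "rate_limit": 200}
ACTION = {"version": "6.0", "name": "Pxgrid Event", "type": "PXGRID_EVENT",
          "event_type": ["RPZ", "LEASE", "ADP", "IPAM"], "vendor_identifier": "pxgrid",
          "transport": {"path": "/wapi/v2.9", "content_type": "application/json",
                        "override_path": True},
          "steps": [{"name": "DHCP event", "operation": "PX_SEND_DHCP_LEASES"}]}

def lint_templates(session, action):
    """Return a list of problems found in a session/action template pair."""
    problems = []
    if session.get("type") != "PXGRID_ENDPOINT":
        problems.append("session template type must be PXGRID_ENDPOINT")
    if action.get("type") != "PXGRID_EVENT":
        problems.append("action template type must be PXGRID_EVENT")
    if session.get("vendor_identifier") != action.get("vendor_identifier"):
        problems.append("vendor_identifier differs between session and action template")
    timeout = session.get("timeout")
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        problems.append("session timeout must be a positive integer (seconds)")
    unknown = sorted(set(action.get("event_type", [])) - KNOWN_EVENT_TYPES)
    if unknown:
        problems.append(f"unknown event_type values: {unknown}")
    for i, step in enumerate(action.get("steps", [])):
        for key in ("name", "operation"):
            if not step.get(key):
                problems.append(f"step {i} is missing '{key}'")
    return problems

def requires_wapi_integration(template):
    """True if any string value mentions "wapi"; the page says such templates
    need WAPI Integration Username/Password set on the endpoint."""
    def walk(node):
        if isinstance(node, dict):
            return any(walk(v) for v in node.values())
        if isinstance(node, list):
            return any(walk(v) for v in node)
        return isinstance(node, str) and "wapi" in node.lower()
    return walk(template)
```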

...