Document toolboxDocument toolbox

Integrating Cisco ISE into NIOS

Owned by Aliaksei Shautsou (Deactivated)
Last updated: Dec 16, 2017 by Gireesh Geetha
5 min read

With the rapid growth of BYOD (Bring Your Own Device) trend, the complexity of securing network resources has become more challenging. To ensure data privacy and security of all network resources against threats, Infoblox introduces the Ecosystem feature that allows you to expand the visibility of networks, users, and devices. Using this feature improves overall IT operations by sharing information between network and security teams.
Integrating Cisco ISE server into NIOS enables NIOS and Cisco ISE to exchange valuable network, user, device, and security-event information, enriching both Infoblox DDI and Cisco ISE data. Cisco ISE is a centralized security solution (Network Access Control) that automates and enforces context-aware security access to network resources. NIOS supports the integration of Cisco ISE versions 1.3, 1.4, 2.0, 2.2, and 2.3. This feature ensures that only the authorized users from legitimate devices get access to the services they need.

Note: Cisco ISE does not support IPv6 addresses.

When you configure a Cisco ISE, you can do the following:

  • Subscribe to contextual data: NIOS acts as a client to the Cisco ISE and collects information about the subscribed data types. You can configure extensible attributes without restricting them to specific object types, and then map these extensible attributes to Cisco ISE data to collect additional information. You can view subscribed information collected from the Cisco ISE in the appropriate tabs (IPAM, IP Map panel, and Network Users) of the Infoblox GUI. For information about how to subscribe to contextual data, see Configuring Cisco ISE on NIOS. You can also monitor subscription data using the Subscription report. For information, see Subscription Data.
  • Publish contextual data - You can publish contextual data from NIOS to specific Cisco ISE based on the conditions and criteria specified in the notification rules. To publish RPZ and threat protection notifications, you must first set up an external syslog server, as described in Specifying Syslog Server for Notifications. For information about notification rules, see Configuring Notification Rules. You can monitor published data using the Publish Data report through the Reporting and Analytics feature. For information about this report, see Publish Data.

NIOS Licensing Requirements

You must install the Network Insight license to configure Cisco ISE. You might need the following licenses to configure notification rules for RPZ and threat protection event types:
Table 44.1 Required Licenses

License

Event Types

RPZ

DNS RPZ

Threat Protection

Security ADP

DNS, DHCP, and MSMGMT

IPAM

DNS and DHCP

DHCP Lease


For information about how to install licenses, see Managing Licenses.

Administrative Permissions

By default, only superusers can add, edit, and delete Cisco ISEs. Limited-access admin groups can access Cisco ISEs only if their administrative permissions are defined. For information about administrative permissions, see About Administrative Permissions.

Prerequisites

Do the following before you begin using this feature on NIOS:

  • Cisco ISE uses SSL certificates as the method of authentication. You must upload the client certificate and client key when configuring the Cisco ISE server. You can include both client certificate and key in a single file and then upload. For information, see Generating Certificates.

Note: Make sure to use the host name of the Grid member that is selected as the subscribing member. The host name of the subscribing member must match with the Common Name that you mention while generating the certificate.

  • For the bulk download certificate, download the server certificate from the monitoring node. If the admin node and monitoring node are on one node, then download the certificate from the admin node.
    Log into Cisco ISE and download the default self-signed server certificate (Administration -> System -> Certificates -> Export).
  • For the CA certificate, download the CA certificate from the admin node or the self-signed certificate (Administration -> System -> Certificates -> Export).
  • Register NIOS as a client on the Cisco ISE. You must enable the Auto-Registration option on the Cisco ISE: From the Administration menu -> click pxGrid Services, and then click Enable Auto-Registration. For more information, refer to Cisco ISE documentation. When you register NIOS successfully, you can view infoblox_client_subscribe_xxxx and infoblox_client_publish_xxxx, where xxxx is a number generated based on the IP of the subscribing member on the Cisco ISE. If auto-registration is not enabled, approve the pxGrid client after registration. If you change the certificates, Cisco ISE may not register the client successfully. In this case, delete the related pxGrid client from the Cisco ISE server, which is automatically created again.
  • Enable the Identity Mapping feature on the NIOS appliance:
    1. From the Grid tab, select the Grid Manager tab -> Grid Properties -> Edit from the Toolbar.
    2. In the Grid Properties Editor, select the General tab -> Advanced tab, select the Enable network users feature check box.
  • To publish data:
      • To publish dynamic data, such as DHCP lease and IPAM information, make sure that you approve Infoblox_DHCP and Infoblox_IPAM on the Cisco ISE, and then configure notification rules as described in Configuring Notification Rules.
      • To publish RPZ and threat protection notifications to the Cisco ISE server, you must first set up an external syslog server and then configure notification rules, as follows:
        1. Configure an external syslog server that listens on port 2000, as described in Specifying Syslog Server for Notifications.
        2. Set up notification rules, as described in Configuring Notification Rules.

Note: Refer to Cisco ISE documentation for information about how to perform auto-registration, creating authorized groups, and approving dynamic topics.

Generating Certificates

To generate a self-signed key and certificate:

  1. openssl genrsa -out self1.key 4096
  2. openssl req -new -key self1.key -out self1.csr
  3. openssl req -x509 -days 365 -key self1.key -in self1.csr -out self1.cer

For CSR request:

Country Name (2 letter code) [XX]: <Country Name>, for example: US

State or Province Name (full name) []: <State Name>, for example: CA

Locality Name (eg, city) [Default City]:<City Name>, for example: SC

Organization Name (eg, company) [Default Company Ltd]:<Company Name>, for example Infoblox

Organizational Unit Name (eg, section) []:<Organization Name>, for example: QA

Common Name (eg, your name or your server's hostname) []:<host name of the subscribing member>

Email Address []:

Enter the following 'extra' attributes to be sent with your certificate request:

A challenge password []:

Import the certificate generated in step 3 to Cisco ISE's trusted store. Select the Trust for authentication within ISE check box.

Export the self-signed ISE certificate of the ISE server (under System -> Certificates). Make sure to select the pxGrid: Use certificate for the pxGrid Controller check box before exporting it.

You can call this as isemnt.cert

Wait for ISE services to restart. It may take a few minutes.