The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes procedures to integrate ISE 3.3 with Secure Network Analytics (Stealthwatch) using pxGrid connections.
Cisco recommends knowledge in these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
1. Log in to Stealthwatch Management Console (SMC).
2. From the main menu, select Configure > Global > Central Management.
3. On the Inventory page, click the (Ellipsis) icon for the Manager that you want to connect to ISE.
4. Choose Edit Appliance Configuration.
5. Navigate to the Additional SSL/TLS Client Identities section under the Appliance tab.
6. Click Add New.
7. Do you need to generate a CSR (Certificate Signing Request)? Choose Yes. Click Next.
8. Select an RSA Key Length and complete the rest of the fields in the Generate a CSR section.
9. Click Generate CSR. The generation process can take several minutes.
10. Click Download CSR and Save the CSR file locally.
1. Navigateto MS Active Directory Certificate Service, https://server/certsrv/, where server is IP or DNS of your MS Server.
2. Click Request a certificate.
3. Choose to submit an advanced certificate request.
4. Copy the contents of the CSR file generated in the previous section into the Saved Request field.
5. Select pxGrid as the Certificate Template, then click Submit.
Note: Certificate Template pxGrid used needs both Client authentication and server authentication in the "Enhanced Key Usage" field.
6. Download a generated certificate in Base-64 format and Save it as pxGrid_client.cer.
1.Navigate to the Additional SSL/TLS Client Identities section of the Manager Configuration in Central Management.
2. The Additional SSL/TLS Client Identities section contains a form to import the created client certificate.
3. Give the certificate a friendly name, then click Select File to locate the certificate file.
5. Click Add Client Identity to add the certificate to the system.
6. Click Apply Settings to save the changes.
1. Navigate to MS Active Directory Certificate Service homepage and select Download a CA certificate, certificate chain, or CRL.
2. Select Base-64 format, then click Download CA certificate.
3. Save the certificate as CA_Root.cer.
4. Log in to the Stealthwatch Management Console (SMC).
5. From the main menu, select Configure > Global > Central Management.
6. On the Inventory page, click the (ellipsis) icon for the Manager.
7. Choose Edit Appliance Configuration.
8. Select the General tab.
9. Navigate to the Trust Store section and import previously exported CA_Root.cer certificate.
10. Click Add New.
11. Give the certificate a friendly name, then click Select File... to select the previously exported ISE CA certificate.
12. Click Add Certificate to save the changes.
13. Click Apply Settings to save the changes.
Generate a CSR for an ISE server pxGrid certificate:
1. Log in to Cisco Identity Services Engine (ISE) GUI.
2. Navigate to Administration > System > Certificates > Certificate Management >Certificate Signing Requests.
3. Select Generate Certificate Signing Request (CSR).
4. Select pxGrid in the Certificate(s) is used for field.
5. Select ISE node for which the certificate is generated.
6. Fill in other certificates details as necessary.
7. Click Generate.
8. Click Export and Save the file locally.
1. Navigate to MS Active Directory Certificate Service, https://server/certsrv/, where server is IP or DNS of your MS Server.
2. Click Request a certificate.
3. Choose to submit an advanced certificate request.
4. Copy the contents of the CSR generated in the previous section into the Saved Request field.
5. Select pxGrid as the Certificate Template, then click Submit.
Note: Certificate Template pxGrid used needs both Client authentication and server authentication in the "Enhanced Key Usage" field.
6. Download the generated certificate in Base-64 format and Save it as ISE_pxGrid.cer.
1. Navigate to MS Active Directory Certificate Service home page and select Download a CA certificate, certificate chain, or CRL.
2. Select Base-64 format, then click Download CA certificate.
3. Save the certificate as CA_Root.cer.
4. Log in to Cisco Identity Services Engine (ISE) GUI.
5. Select Administration > System > Certificates > Certificate Management >Trusted Certificates.
6. Select Import > Certificate file and Import the root certificate.
7. Ensure the Trust for authentication within ISE check box is selected.
8. Click Submit.
1. Log in to Cisco Identity Services Engine (ISE) GUI.
2. Select Administration > System > Certificates > Certificate Management >Certificate Signing Requests.
3. Select the CSR generated in the previous section, then click Bind Certificate.
4. On the Bind CA Signed Certificate form, choose the ISE_pxGrid.cer certificate generated previously.
5. Give the certificate a friendly name, then click Submit.
7. Click Yes if the system asks to replace the certificate.
8. Select Administration > System > Certificates > System Certificates.
9. You can see the created pxGrid certificate signed by the external CA in the list.
Certificates are now deployed, proceed for Integration.
Before proceeding to integrate, ensure that:
For Cisco ISE under Administration > pxGrid Services > Settings and Check Automatically approve new certificate-based accounts for Client request to Auto-approve and Save.
On the Stealthwatch Management Console (SMC), To open ISE Configuration Setup Page:
1. Select Configure > Integrations > Cisco ISE.
2. In the upper right corner of the page, click Add new configuration.
3. Enter Cluster Name, Select the certificate & Integration Product, pxGrid node IP and Click Save.
Refresh the ISE Configuration page on the Stealthwatch Management Console (SMC).
1. Return to the ISE Configuration page in the Web App and refresh the page.
2. Confirm that the node status indicator located beside the applicable IP Address field is Green, indicating that a connection to the ISE or ISE-PIC cluster has been established.
On Cisco ISE, navigate to Administration >pxGrid Services > Client Management > Clients.
This generates the SMC as a pxgrid client with the status Enabled.
To verify topic subscription on Cisco ISE, navigate to Administration >pxGrid Services > Diagnostics > Websocket > Topics
This produces an SMC subscribed to these topics.
Trustsec SGT topic
ISE Session directory topic
ISE SXP Bindings topic
Cisco ISE Pxgrid-server.log in TRACE level.
2025-02-08 18:07:11,086 TRACE [pxgrid-http-pool15][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionDistributor -::::::16d51630eee14e99b25c0fb4988db515:- Drop. exclude=[id=6,client=~ise-fanout-avasteise271,server=wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub]
2025-02-08 18:07:11,087 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.StompPubsubEndpoint -:::::::- Received frame=[command=CONNECT,headers=[accept-version=1.1,1.2, heart-beat=0,0]], content=null
2025-02-08 18:07:11,102 TRACE [pxgrid-http-pool19][[]] cpm.pxgridwebapp.ws.pubsub.StompPubsubEndpoint -:::::::- Received frame=[command=SUBSCRIBE,headers=[destination=/topic/com.cisco.ise.config.trustsec.security.group, id=0]], content=null
2025-02-08 18:07:11,110 DEBUG [pxgrid-http-pool22][[]] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::::- Authenticating null
2025-02-08 18:07:11,111 DEBUG [pxgrid-http-pool22][[]] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::::- Certs up to date. user=~ise-pubsub-avasteise271
2025-02-08 18:07:11,111 DEBUG [pxgrid-http-pool22][[]] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::::- preAuthenticatedPrincipal = ~ise-pubsub-avasteise271, trying to authenticate
2025-02-08 18:07:11,111 DEBUG [pxgrid-http-pool22][[]] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::::- X.509 client authentication certificate subject:CN=avasteise271.avaste.local, OU=AAA, O=Ciscco, L=Bangalore, ST=KA, C=IN, issuer:CN=Avaste-ISE, DC=avaste, DC=local
2025-02-08 18:07:11,111 DEBUG [pxgrid-http-pool22][[]] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::::- Authentication success: PreAuthenticatedAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=~ise-pubsub-avasteise271, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.127.197.128, SessionId=null], Granted Authorities=[ROLE_USER]]
2025-02-08 18:07:11,112 DEBUG [pxgrid-http-pool22][[]] cisco.cpm.pxgridwebapp.data.AuthzDaoImpl -:::::::- requestNodeName=SMC serviceName=com.cisco.ise.pubsub operation=subscribe /topic/com.cisco.ise.config.trustsec.security.group
2025-02-08 18:07:11,321 DEBUG [pxgrid-http-pool19][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionDistributor -:::::::- Adding subscription=[id=0,topic=/topic/com.cisco.ise.config.trustsec.security.group,filter=<null>]
2025-02-08 18:07:11,322 DEBUG [pxgrid-http-pool20][[]] cisco.cpm.pxgridwebapp.config.AuthzEvaluator -:::::::- Permitted user=SMC service=com.cisco.ise.config.trustsec operation=gets
2025-02-08 18:07:11,322 INFO [pxgrid-http-pool19][[]] cpm.pxgridwebapp.ws.pubsub.StompPubsubEndpoint -:::::::- Pubsub subscribe. subscription=[id=0,topic=/topic/com.cisco.ise.config.trustsec.security.group,filter=<null>] session=[id=8,client=SMC,server=wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub]
2025-02-08 18:07:11,323 TRACE [pxgrid-http-pool19][[]] cpm.pxgridwebapp.ws.pubsub.StompPubsubEndpoint -:::::::- Received frame=[command=SUBSCRIBE,headers=[destination=/topic/com.cisco.ise.session, id=1]], content=null
2025-02-08 18:07:11,323 TRACE [WsIseClientConnection-1010][[]] cpm.pxgrid.ws.client.WsEndpoint -::::::0a3f23311137425aa726884769e2629c:- Send. session=[id=e7b912e0-ef20-405f-a4ae-a973712d2ac5,client=~ise-admin-avasteise271,server=wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub] frame=[command=SEND,headers=[content-length=438, trace-id=0a3f23311137425aa726884769e2629c, destination=/topic/com.cisco.ise.pxgrid.admin.log],content-len=438] content={"timestamp":1739018231322,"level":"INFO","type":"PUBSUB_SERVER_SUBSCRIBE","host":"avasteise271","client":"SMC","server":"wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub","message":"Pubsub subscribe. subscription\u003d[id\u003d0,topic\u003d/topic/com.cisco.ise.config.trustsec.security.group,filter\u003d\u003cnull\u003e] session\u003d[id\u003d8,client\u003dSMC,server\u003dwss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub]"}
2025-02-08 18:07:11,323 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.StompPubsubEndpoint -::::::0a3f23311137425aa726884769e2629c:- Received frame=[command=SEND,headers=[content-length=438, trace-id=0a3f23311137425aa726884769e2629c, destination=/topic/com.cisco.ise.pxgrid.admin.log],content-len=438], content={"timestamp":1739018231322,"level":"INFO","type":"PUBSUB_SERVER_SUBSCRIBE","host":"avasteise271","client":"SMC","server":"wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub","message":"Pubsub subscribe. subscription\u003d[id\u003d0,topic\u003d/topic/com.cisco.ise.config.trustsec.security.group,filter\u003d\u003cnull\u003e] session\u003d[id\u003d8,client\u003dSMC,server\u003dwss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub]"}
2025-02-08 18:07:11,323 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.StompPubsubEndpoint -::::::0a3f23311137425aa726884769e2629c:- Set last activity time for session=[id=7,client=~ise-admin-avasteise271,server=wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub] from StompPubsubEndpoint, last activity time set to 1739018231323
2025-02-08 18:07:11,324 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.StompPubsubEndpoint -::::::0a3f23311137425aa726884769e2629c:- Authorized to send (cached). session=[id=7,client=~ise-admin-avasteise271,server=wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub] topic=/topic/com.cisco.ise.pxgrid.admin.log
2025-02-08 18:07:11,324 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionDistributor -::::::0a3f23311137425aa726884769e2629c:- Distribute from=[id=7,client=~ise-admin-avasteise271,server=wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub] topic=/topic/com.cisco.ise.pxgrid.admin.log content={"timestamp":1739018231322,"level":"INFO","type":"PUBSUB_SERVER_SUBSCRIBE","host":"avasteise271","client":"SMC","server":"wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub","message":"Pubsub subscribe. subscription\u003d[id\u003d0,topic\u003d/topic/com.cisco.ise.config.trustsec.security.group,filter\u003d\u003cnull\u003e] session\u003d[id\u003d8,client\u003dSMC,server\u003dwss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub]"}
2025-02-08 18:07:11,324 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionDistributor -::::::0a3f23311137425aa726884769e2629c:- Distribute distributed. subscription=[id=0,topic=/topic/com.cisco.ise.pxgrid.admin.log,filter=<null>]
2025-02-08 18:07:11,324 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionDistributor -::::::0a3f23311137425aa726884769e2629c:- Set last activity time for session=[id=7,client=~ise-admin-avasteise271,server=wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub] from SubscriptionDistributor, last acitivity time set to 1739018231324
2025-02-08 18:07:11,324 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionDistributor -::::::0a3f23311137425aa726884769e2629c:- Distribute distributed. subscription=[id=2,topic=/topic/wildcard,filter=<null>]
2025-02-08 18:07:11,324 TRACE [pxgrid-http-pool22][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionDistributor -::::::0a3f23311137425aa726884769e2629c:- Set last activity time for session=[id=0,client=~ise-fanout-avasteise271,server=wss://localhost:8910/pxgrid/ise/pubsub] from SubscriptionDistributor, last acitivity time set to 1739018231324
2025-02-08 18:07:11,324 TRACE [sub-sender-0][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionSender -::::::0a3f23311137425aa726884769e2629c:- Send. subscription=[id=2,topic=/topic/wildcard,filter=<null>] from=[id=7,client=~ise-admin-avasteise271,server=wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub] to=[id=0,client=~ise-fanout-avasteise271,server=wss://localhost:8910/pxgrid/ise/pubsub] message=[command=MESSAGE,headers=[content-length=438, trace-id=0a3f23311137425aa726884769e2629c, destination=/topic/com.cisco.ise.pxgrid.admin.log, message-id=161972],content-len=438]
2025-02-08 18:07:11,324 TRACE [sub-sender-0][[]] cpm.pxgridwebapp.ws.pubsub.SubscriptionSender -::::::0a3f23311137425aa726884769e2629c:- Complete stompframe published : {"timestamp":1739018231322,"level":"INFO","type":"PUBSUB_SERVER_SUBSCRIBE","host":"avasteise271","client":"SMC","server":"wss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub","message":"Pubsub subscribe. subscription\u003d[id\u003d0,topic\u003d/topic/com.cisco.ise.config.trustsec.security.group,filter\u003d\u003cnull\u003e] session\u003d[id\u003d8,client\u003dSMC,server\u003dwss://avasteise271.avaste.local:8910/pxgrid/ise/pubsub]"}
This produces an error message as "Connection Status; Failed Connection failed to the service. Service network address: https:isehostnameme.domain.com:891pxgridiisessxpxp cannot be resolved":
This ideally needs to be fixed on the DNS server for forward and reverse lookups for this ISE FQDN. But a temporary workaround can be added for local resolution:
1. Log in to the Stealthwatch Management Console (SMC).
2. From the main menu, select Configure > Global > Central Management.
3. On the Inventory page, click the (Ellipsis) icon for the Manager.
4. Choose Edit Appliance Configuration.
5. Network Services tab and add a local resolution entry for this ISE FQDN.
This produces an error message as "ISE is presenting a certificate that is not trusted by this Manager":
Similar log reference can be seen oSMCMsvcvisese-client.log file. Path: catlancopepe/var/logs/containesvcvisese-client.log
snasmc1 docker/svc-ise-client[1453]: java.util.concurrent.ExecutionException: javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
snasmc1 docker/svc-ise-client[1453]: at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
snasmc1 docker/svc-ise-client[1453]: at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2022)
snasmc1 docker/svc-ise-client[1453]: at org.springframework.web.socket.client.jetty.JettyWebSocketClient.lambda$doHandshakeInternal$0(JettyWebSocketClient.java:186)
snasmc1 docker/svc-ise-client[1453]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
snasmc1 docker/svc-ise-client[1453]: at java.base/java.lang.Thread.run(Thread.java:829)
snasmc1 docker/svc-ise-client[1453]: Caused by: javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
snasmc1 docker/svc-ise-client[1453]: at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(ProvSSLEngine.java:505)
snasmc1 docker/svc-ise-client[1453]: at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.ssl.SslConnection.unwrap(SslConnection.java:398)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:721)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:180)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:91)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:91)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:194)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:936)
snasmc1 docker/svc-ise-client[1453]: at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1080)
snasmc1 docker/svc-ise-client[1453]: ... 1 more
snasmc1 docker/svc-ise-client[1453]: Suppressed: javax.net.ssl.SSLHandshakeException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
1. Log in to the Stealthwatch Management Console (SMC).
2. From the main menu, select Configure > Global > Central Management.
3. On the Inventory page, click the (ellipsis) icon for the Manager.
4. Choose Edit Appliance Configuration.
5. Select the General tab.
6. Navigate to the Trust Store section and ensure that the issuer of the Pxgridid certificate of Cisco ISE is part of the Trust store.
Bug ID | Description |
Cisco bug ID 18119 | ISE is Selecting Unsupported Cipher ITLS Server Hello Packet |
Cisco bug ID 01634 | Unable to quarantine devices using EPS condition |
Revision | Publish Date | Comments |
---|---|---|
1.0 |
18-Mar-2025
|
Initial Release |