User Control with the pxGrid Cloud Identity Source

The following topics discuss how to configure and use the pxGrid Cloud Identity Source.

About the pxGrid Cloud Identity Source

The Cisco Identity Services Engine (Cisco ISE) pxGrid Cloud Identity Source enables you to use subscription and user data from Cisco ISE in Cloud-Delivered Firewall Management Center access control rules. Also, the identity source uses constantly changing dynamic objects from Cisco ISE in access control policies in the Cloud-Delivered Firewall Management Center.

The pxGrid cloud identity source also uses:

  • The Cisco Platform Exchange Grid (pxGrid), which enables multivendor, cross-platform network system collaboration in things like security monitoring and detection systems, network policy platforms, asset and configuration management, identity, and access management. pxGrid Cloud is the cloud-based interface to Cisco ISE.

    More information about pxGrid can be found in resources such as What is PxGrid? on devnet.

  • The Cisco Digital Network Architecture (Cisco DNA) delivers automation, security, predictive monitoring, and a policy-driven approach. It provides end-to-end network visibility and uses network insights to optimize network performance and deliver the best user and application experience.

    To use the pxGrid cloud identity source with the Cisco Security Cloud Control, you must Create a Cisco Account.

Prerequisites

  • ISE-PIC is not supported

  • Cisco ISE 3.1 patch 3 and all later patches and versions

Limitations of the pxGrid Cloud Identity Source

Before you set up the pxGrid cloud identity source, note the following:

  • pxGrid Cloud supports only the us-west-2 region.

How the pxGrid Cloud Identity SourceWorks

The following figure shows how the identity source works.

The pxGrid Cloud Identity Source retrieves user information from Cisco ISE and sends the information to the Cloud-Delivered Firewall Management Center

Your Cloud-Delivered Firewall Management Center uses the pxGrid Cloud SDK to programmatically retrieve user information from an on-premises Cisco ISE server so these users can be used in identity policies on the Cloud-Delivered Firewall Management Center.

To authorize and authenticate this data exchange, you must:

  1. In Cisco ISE, enable the use of pxGrid Cloud.

  2. Register Cisco ISE as a product in pxGrid Cloud, which authenticates Cisco ISE and pxGrid Cloud and enables them to communicate with each other.

    The authentication process requires you to paste a one-time password (OTP) from pxGrid Cloud into Cisco ISE.

  3. In pxGrid Cloud, create an "app instance" that generates an OTP for you to use in the Cloud-Delivered Firewall Management Center to authenticate the two with each other.

  4. After completing all the preceding tasks, the Cloud-Delivered Firewall Management Center (which includes the pxGrid Cloud SDK) can query Cisco ISE using pxGrid Cloud and retrieve sessions containing user information.

  5. Many types of dynamic objects can be filtered and sent to the Cloud-Delivered Firewall Management Center as dynamic objects to be used in access control rules. These include: SGT, endpoint profile, posture status, and machine authentication.

    We retrieve user information from Cisco ISE and group information from either Microsoft Active Directory or Azure Active Directory.

Enable the pxGrid Cloud Service in Cisco ISE

Before you begin

  • Ensure that you install and activate the Advantage license tier in your Cisco ISE deployment.

  • The pxGrid Cloud agent creates an outbound HTTPS connection to Cisco pxGrid Cloud. Therefore, you must configure Cisco ISE proxy settings if the customer network uses a proxy to reach the internet. To configure proxy settings in Cisco ISE, click the Menu icon () and choose Administration > System > Settings > Proxy.

  • The Cisco ISE Trusted Certificates Store must include the root CA certificate required to validate the server certificate presented by Cisco pxGrid Cloud. Ensure that the Trust for Authentication of Cisco Services option is enabled for this root CA certificate. To enable Trust for Authentication of Cisco Services, navigate to Administration > System > Certificates.

Procedure

Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Deployment.

Step 2

Click the node on which you want to enable the pxGrid Cloud service.

Step 3

In the General Settings tab, enable the pxGrid service.

Step 4

Check the Enable pxGrid Cloud check box.

The pxGrid Cloud service can be enabled on two nodes to enable high availability.

Note

 

You can enable the pxGrid Cloud option only when the pxGrid service is enabled on that node.

Register Cisco ISE with the Catalyst Cloud Portal

This task discusses how to register Cisco ISE as an app in the Catalyst Cloud Portal and to authenticate communication between the Catalyst Cloud Portal and Cisco ISE.

Also refer to Register Cisco ISE in the pxGrid Cloud Solution Guide.

Procedure

Step 1

Log in to the Cisco Cloud Catalyst Portal.

Step 2

If prompted, choose an account to use.

Step 3

Click Register.

Step 4

In the Catalyst Cloud Portal, click > Applications and Products as the following figure shows:

In the Cisco DNA Portal, go to Applications and Products

Step 5

At the top of the page, click Products.

Step 6

From the Region list, click us-west-2, as the following figure shows.

In the Cisco DNA Portal, click us-west-2

Note

 

us-west-2 is the only supported region at this time.

Step 7

Click Register.

The following figure shows a sample registration page.

Register the Cisco ISE product by entering its fully qualified domain name or IP address in the provided field

Step 8

Enter the following information.

  • Host Name/IP: (Optional.) Enter the ISE server's fully qualified domain name or IP address. If you enter an IP address, omit the scheme (for example, https:// ) and the port, if any.

  • Product Name: Enter a unique name to identify this server.

  • Type: From the list, click Cisco ISE.

  • Description: Enter an optional description.

Step 9

Click Register.

Step 10

Generate a one-time password (OTP) in any of the following ways:

  • If you've previously registered ISE apps and see yours listed, click Generate OTP in the Actions column; you'll need it in the next part of this procedure.

  • If you're registering your app now, the OTP is displayed. Click to copy it to the clipboard; you'll need it in the next part of this procedure.

What to do next

See Register the pxGrid Cloud Connection with Cisco ISE.

Register the pxGrid Cloud Connection with Cisco ISE

This task discusses how to register the pxGrid Cloud connection with Cisco ISE, which enables pxGrid Cloud to send user data to the pxGrid cloud identity source in Cisco Security Cloud Control.

Before you begin

Complete the tasks discussed in Register Cisco ISE with the Catalyst Cloud Portal.

Procedure

Step 1

Log in to Cisco ISE as an administrator.

Step 2

Click > Administration > pxGrid Services > Client Management > pxGrid Cloud Connection.

Step 3

Make sure all services are enabled with read/write privileges.

Step 4

In the left navigation bar, click pxGrid Cloud Connection.

Step 5

Click Setup Connection as the following figure shows.

Click Setup Connection and enter the one-time password (OTP) you obtained earlier

Step 6

Paste the OTP value in the provided field.

Step 7

Click Connect.

A green check mark like the following confirms that connection was successful.

A green check mark indicates the connection was successful

Step 8

Confirm the setup has been successful so far:

  1. Log in to the Catalyst Cloud Portal.

  2. Click the Products tab.

  3. Click Refresh as the following figure shows.

    In the Cisco DNA Portal, refresh the display to make sure the registration was successful

  4. Verify that Registered is displayed as the status of your product.

What to do next

Continue with Create the Identity Source.

Create and Subscribe to the Firewall Management Center Application

This topic discusses how to register Cisco ISE with the pxGrid cloud identity source and activate your Firewall Management Center application with the Cisco ISE product. You can subscribe to ISE's Session Directory subscriptions and enable the Cloud-Delivered Firewall Management Center to get user data for user control.

Before you begin

You must have already performed this task: Register the pxGrid Cloud Connection with Cisco ISE.

Procedure

Step 1

Log in to the Cisco Catalyst Cloud Portal.

Step 2

Click Applications.

Step 3

Click Firewall Management Center, then click Activate (or Manage).

The following figure shows an example.

In the Cisco DNA Portal, activate the Firewall Management Center application

Step 4

Accept the agreement and click Subscribe.

After subscribing, you must copy the provided OTP to the clipboard and use it in 60 minutes or less to complete the next step in this process.

What to do next

Create a pxGrid Cloud Identity Source

Create a pxGrid Cloud Identity Source

The following tasks discuss how to create a pxGrid cloud identity source using Cisco ISE, the Catalyst Cloud Portal, and Cisco Security Cloud Control. You must complete all tasks in the order shown; in some cases, there is a time limit due to the expiration of a required One-Time Password (OTP).

Create an App Instance

This task is one of several tasks you must perform to create a a pxGrid cloud identity source to send user session data to the Cloud-Delivered Firewall Management Center.

There is a one-hour time limit on the one-time password (OTP) required to complete this procedure successfully. You do not need to log in to Cisco ISE.

Before you begin

Complete all of the following tasks first:

Procedure

Step 1

Log in to the Cisco Catalyst Cloud Portal.

Step 2

In the Catalyst Cloud Portal, click > Applications and Products as the following figure shows:

In the Cisco DNA Portal, go to Applications and Products

Step 3

At the top of the page, click Applications.

Step 4

From the Regions list, click us-west-2.

Step 5

Click Manage (or Activate) next to Firepower Management Center.

Step 6

Click Add.

Step 7

Click Create a New One.

The following figure shows an example.

Create a new application instance

Step 8

Click the copy button next to the displayed OTP as the following figure shows:

Get the one-time password (OTP) for the application instance

Step 9

Copy the OTP to a text file; it expires in 60 minutes.

Step 10

Continue with Create the Identity Source.

Create the Identity Source

This task is one of several required to create a pxGrid cloud identity source to send user session data to the Cloud-Delivered Firewall Management Center.

Before you begin

Complete the task discussed in Create an App Instance.

Procedure

Step 1

Log in to Cisco Security Cloud Control as a user with the Super Admin role.

Step 2

Click Policies > Threat Defense > Integration > Other Integrations > Identity Sources

Step 3

Click Identity Services Engine (pxGrid Cloud).

Step 4

Click Create pxGrid Application Instance.

The following figure shows an example.

Enter the required information, including the OTP, to create a pxGrid App Instance

Step 5

Enter the following information.

Value

Description

Name

Enter a name to uniquely identify this connector.

Description

Optional description.

OTP (One-Time Password)

Enter the OTP.

Step 6

Click Create.

Step 7

At the top of the page, click Save.

Step 8

Continue with Activate the App Instance.

Activate the App Instance

This task discusses how to create a pxGrid cloud identity source to send user session data to the Cloud-Delivered Firewall Management Center.

There is a one-hour time limit on the one-time password (OTP) required to complete this procedure successfully. You do not need to log in to Cisco ISE.

Before you begin

Complete the task discussed in Create the Identity Source.

Procedure

Step 1

Log in to the Cisco Catalyst Cloud Portal.

Step 2

Reverify the app by clicking the word here as the following figure shows.

Step 3

Click the name of the application instance you just created in Cloud-Delivered Firewall Management Center.

Step 4

Click Next.

Example:

Step 5

On the Choose Product page, click the name of the Cisco ISE product and click Next.

Example:

Step 6

Select the check box next to each scope.

The following figure shows an example.

Step 7

Click Next.

Step 8

Review the displayed information for accuracy. Make sure all scopes are selected.

Step 9

Click Activate.

It can take several minutes for the app instance to be activated.

Verify It's Working

This task discusses how to create a pxGrid cloud identity source to send user session data to the Cloud-Delivered Firewall Management Center.

There is a one-hour time limit on the one-time password (OTP) required to complete this procedure successfully. To do that, you must log in to both Cloud-Delivered Firewall Management Center and the Catalyst Cloud Portal at the same time. You do not need to log in to Cisco ISE.

Before you begin

Complete the tasks discussed in Activate the App Instance.

Procedure

Step 1

Log in to Cisco Security Cloud Control as a user with the Super Admin role.

Step 2

Click Policies > Threat Defense > Integration > Other Integrations > Identity Sources.

Step 3

Click Integration > Other Integrations > Identity Sources

Step 4

Click Identity Services Engine (pxGrid Cloud).

Step 5

Wait a few minutes for the identity source to be activated then click Refresh.

Step 6

After the identity source has been activated, click Save.

What to do next

Complete the following tasks:

  • Create dynamic attributes filters, which define what dynamic objects are sent to the Cloud-Delivered Firewall Management Center.

    For more information, see Create Dynamic Attributes Filters.

Configure the pxGrid Cloud Identity Source

This topic discusses how to set configuration options for the pxGrid cloud identity source.

Procedure

Step 1

Log in to Cisco Security Cloud Control as a user with the Super Admin role.

Step 2

Click Policies > Threat Defense > Integration > Other Integrations > Identity Sources.

Step 3

Click Integration > Other Integrations > Identity Sources

Step 4

Click Identity Services Engine (pxGrid Cloud).

Step 5

In the Settings section, set the following options:

ISE Network Filter

An optional filter you can set to restrict the data that ISE reports to the Cloud-Delivered Firewall Management Center. If you provide a network filter, ISE reports data from the networks within that filter. You can specify a filter in the following ways:

  • Leave the field blank to specify any.

  • Enter a single IPv4 address block using CIDR notation.

  • Enter a list of IPv4 address blocks using CIDR notation, separated by commas.

Note

 

This version of the system does not support filtering using IPv6 addresses, regardless of your ISE version.

Subscribe to:
Session Directory Topic: Check this box to subscribe to user session information from the ISE server. Includes SGT and endpoint metadata.
SXP Topic: Check this box to subscribe to SXP mappings from the ISE server.

Create Dynamic Attributes Filters

Dynamic attributes filters that you define using the Cisco Secure Dynamic Attributes Connector are exposed in the Security Cloud Control as dynamic objects that can be used in access control policies. For example, restrict access to an AWS server for the Finance Department to only members of the Finance group defined in Microsoft Active Directory.


Note

You cannot create dynamic attributes filters for AWS, Azure, Azure Service Tags, Cisco Multicloud Defense, Generic Text, GitHub, Google Cloud, and Outlook 365, pxGrid cloud identity source, vCenter, Webex, and Zoom). These types of cloud objects provide their own IP addresses.

For more information about access control rules, see Create Access Control Rules Using Dynamic Attributes Filters.

Before you begin

Create a Connector

Procedure

Step 1

Click Administration > Dynamic Attributes Connector.

Step 2

Click Dynamic Attributes Filters.

  • Add a new filter: click Add (add icon).

  • Edit or delete a filter: Click More (more icon), then click Edit or Delete at the end of the row.

Step 3

Enter the following information.

Item

Description

Name

Unique name to identify the dynamic filter (as a dynamic object) in a policy and in the Security Cloud Control Object Manager (External Attributes > Dynamic Object).

Connector

From the list, click the name of a connector to use.

Query

Click Add add icon.

Step 4

To add or edit a query, enter the following information.

Item Description

Key

 Click a key from the list. Keys are fetched from the connector.

Operation

 Click one of the following:

  • Equals to exactly match the key to the value.

  • Contains to match the key to the value if any part of the value matches.

Values

 Click either Any or All and click one or more values from the list. Click Add another value to add values to your query.

Step 5

Click Show Preview to display a list of networks or IP addresses returned by your query.

Step 6

When you're finished, click Save.

Step 7

(Optional.) Verify the dynamic object in the Security Cloud Control.

  1. Log in to the Security Cloud Control.

  2. Click Manage > Policies > Firewall Threat Defense.

  3. Click Objects > Object Management > External Attributes > Dynamic Object.

    The dynamic attribute query you created should be displayed as a dynamic object.

Create Access Control Rules Using Dynamic Attributes Filters

This topic discusses how to create access control rules using dynamic objects (these dynamic objects are named after the dynamic attributes filters you created previously).

Before you begin

Create dynamic attributes filters as discussed in Create Dynamic Attributes Filters.


Note

You cannot create dynamic attributes filters for AWS, Azure, Azure Service Tags, Cisco Multicloud Defense, Generic Text, GitHub, Google Cloud, and Outlook 365, pxGrid cloud identity source, vCenter, Webex, and Zoom). These types of cloud objects provide their own IP addresses.

Procedure

Step 1

Log in to Cisco Security Cloud Control as a user with the Super Admin role.

Step 2

Click Firewall.

Step 3

Click Administration > Dynamic Attributes Connector > Connectors.

Step 4

Click Manage > Policies > Firewall Threat Defense > Access Control heading > Access Control.

Step 5

Click Edit (edit icon) next to an access control policy.

Step 6

Click Add Rule.

Step 7

Click the Dynamic Attributes tab.

Step 8

In the Available Attributes section, from the list, click Dynamic Objects.

The following figure shows an example.

Configure Dynamic Attributes created using the dynamic attributes connector as dynamic objects in access control rules. Use those exactly as you would network objects.

The preceding example shows a dynamic object named APIC Dynamic Attribute that corresponds to the dynamic attribute filter created in the Cisco Secure Dynamic Attributes Connector.

Step 9

Add the desired object to source or destination attributes.

Step 10

Add other conditions to the rule if desired.

What to do next

See Dynamic Attributes Rule Conditions.

History for the pxGrid Cloud Identity Source

Feature

Minimum Secure Firewall Threat Defense Version

Details

pxGrid Cloud Identity Source.

November 8, 2024

The Cisco Identity Services Engine (Cisco ISE) pxGrid Cloud Identity Source enables you to use subscription and user data from Cisco ISE in Cloud-Delivered Firewall Management Center access control rules. Also, the identity source uses constantly changing dynamic objects from Cisco ISE in access control policies in the Cloud-Delivered Firewall Management Center.

New/updated screens: Integration > Other Integrations > Identity Sources > Identity Services Engine (pxGrid Cloud).

See: User Control with the pxGrid Cloud Identity Source