Setup procedures

Custom hosts

A custom host is a network configuration entry that

  • enables direct mapping of hostnames to IP addresses,

  • enables communication between systems when DNS is unavailable, and

  • provides a manual method for hostname resolution.

DNS is a hierarchical, distributed naming system. It translates human-readable domain names (hostnames) into IP addresses. The system uses DNS servers within the network to perform name resolution automatically. When a device needs to communicate with another device by name, it queries the DNS server, which returns the corresponding IP address. DNS servers maintain databases of hostname-to-IP mappings and can cache responses to speed up subsequent queries.

If DNS is unavailable, configure custom hosts in both Cyber Vision Center and Cisco ISE. This ensures that services can communicate.

Comparison of custom host and DNS approaches

| Term | Description | Usage scenario |
| --- | --- | --- |
| Custom host | Manually configure hostname to IP mapping locally (for example, in the hosts file) to resolve names. | When no DNS server is available in the network. |
| Domain Name System (DNS) | The DNS is a distributed system that automatically resolves hostnames to IP addresses using DNS servers. | Standard method for hostname resolution in networks. |

How custom host configuration works

Summary

Custom hosts enable direct hostname-to-IP resolution. This ensures communication between Cyber Vision Center and Cisco ISE in environments without DNS servers.

The key components involved in the process are:

  • Custom host file: Contains manual hostname-to-IP mappings on both systems.

  • Cyber Vision Center: Uses the custom host file to resolve ISE hostnames.

  • Cisco ISE: Uses the custom host file to resolve Cyber Vision Center hostnames.

Workflow

The process involves these stages:

  1. Check if DNS is available in your network.
  2. If DNS is not available, add a custom host mapping entry (hostname-to-IP) in the hosts file on both Cyber Vision Center and Cisco ISE.
  3. Restart the required services to apply your host configuration changes.
  4. Use hostnames to communicate. Each system looks up its hosts file for resolution.

Result

Cyber Vision Center and Cisco ISE use hostnames to communicate directly when DNS is unavailable, resolving names with the custom host configuration.

Configure a custom host in Cisco ISE

Add a host to the Cisco ISE host table when DNS is not configured correctly.

Before you begin

Ensure secure SSH access is available to the Cisco ISE host.

Procedure


Step 1

Connect to the Cisco ISE host using SSH.

ssh admin@<ise-node-ip-address>

Step 2

Enter configuration mode.

configure terminal

Step 3

Add the custom host entry, replacing the address and hostname with your own values.

ip host <center-ip-address> <center-FQDN>

Step 4

When prompted, restart Cisco ISE to apply the changes.


You have added the custom host entry.


Note


The IP host function may not work with Cisco ISE version 3.3. For more information, see CSCwj05508.


What to do next

Restart Cisco ISE to apply your change. After the system restarts:

  • From the Cisco ISE main menu, choose Administration > pxGrid Services > Client Management > Clients, and verify the host appears in the pxGrid Clients list.

  • Ping the host to verify connectivity.

Configure a custom host in Cyber Vision

Add a custom host entry and restart the pxGrid agent so that Cyber Vision integrates with Cisco ISE. Use this procedure if the environment lacks proper DNS configuration.

Perform this task when you need to manually add a custom host (for example, the Cisco ISE server) to the hosts file on Cyber Vision. This step ensures that the pxgrid-agent processes the change. Typically, this is required during initial integration with Cisco ISE or after a configuration change.

Before you begin

  • Ensure you have SSH root access to the Cyber Vision Center.

  • Obtain the IP address and hostname of the Cisco ISE server to add.

  • Ping the IP address from Cyber Vision to Cisco ISE and from Cisco ISE to Cyber Vision to confirm that the two systems can communicate.

Procedure


Step 1

SSH to the Cyber Vision Center using this command:

ssh root@<center-ip-address>

Step 2

Add the custom host entry by running:

echo "<ise-ip-address> ise.corp.sentryo.net" >> /etc/hosts

The pxgrid-agent restarts automatically. Cyber Vision successfully communicates with Cisco ISE.
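
Running the `echo ... >> /etc/hosts` line more than once leaves duplicate lines, and a second line that maps the same name to a different address makes resolution ambiguous. The following added example (not part of the Cisco procedure) guards the append; the function names, `center.example.test` and the 192.0.2.x addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Cisco tooling: a guarded replacement for `echo ... >> /etc/hosts`.
# Function names, center.example.test and the 192.0.2.x addresses are constructed.

# Succeeds only for four dot-separated decimal octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Succeeds for names made of letters, digits, hyphens and dots only.
valid_fqdn() {
    case "$1" in
        '' | .* | *. | -* | *..* | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Prints the IP of the first non-comment line that lists the name (case-insensitive).
mapped_ip() {
    [ -f "$1" ] || return 0
    awk -v name="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; exit } }' "$1"
}

# Returns 0 if the mapping exists or was added, 1 on bad input, 2 on a conflicting entry.
add_host_entry() {
    hosts_file=$1; ip=$2; name=$3
    if ! valid_ipv4 "$ip" || ! valid_fqdn "$name"; then
        echo "invalid IP address or hostname: $ip $name" >&2
        return 1
    fi
    current=$(mapped_ip "$hosts_file" "$name")
    if [ "$current" = "$ip" ]; then
        echo "unchanged: $name already maps to $ip"
        return 0
    fi
    if [ -n "$current" ]; then
        echo "conflict: $name already maps to $current; edit that line instead" >&2
        return 2
    fi
    # A file without a trailing newline would get the entry glued to its last line.
    if [ -s "$hosts_file" ] && [ "$(tail -c 1 "$hosts_file" | wc -l)" -eq 0 ]; then
        echo >> "$hosts_file"
    fi
    printf '%s %s\n' "$ip" "$name" >> "$hosts_file"
    echo "added: $ip $name"
}

# Demo on a constructed hosts file (documentation addresses, not real hosts).
demo_file=$(mktemp)
printf '127.0.0.1 localhost\n192.0.2.20 ise.corp.sentryo.net' > "$demo_file"
add_host_entry "$demo_file" 192.0.2.20 ise.corp.sentryo.net          # unchanged
add_host_entry "$demo_file" 192.0.2.99 ise.corp.sentryo.net || true  # conflict, refused
add_host_entry "$demo_file" 192.0.2.10 center.example.test           # added on its own line
rm -f "$demo_file"
```

On the Center, call it as `add_host_entry /etc/hosts <ise-ip-address> ise.corp.sentryo.net` in place of the `echo` line.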

What to do next

  • Approve the Cyber Vision integration request in Cisco ISE.

  • From the Cyber Vision main menu, choose Admin > Integrations > pxGrid/ISE and check Pull service status and Push service status to verify Cyber Vision's integration status with Cisco ISE.

How Cisco ISE and Cyber Vision integration via pxGrid works

Summary

The integration of Cisco Identity Services Engine (ISE) with Cisco Cyber Vision using pxGrid enhances network security by providing detailed device visibility for improved profiling and dynamic policy enforcement.

The key components involved in the process are:

  • Cyber Vision: Collects and sends detailed asset and device attribute data to Cisco ISE.

  • pxGrid connection: Provides secure, real-time data exchange between Cisco ISE and Cyber Vision.

  • Cisco ISE: Receives, processes, and uses device attribute data for network access decisions.

Workflow

The integration workflow involves these sequential stages:

  1. Prepare Cisco ISE for pxGrid integration
    • Enable Cisco ISE to accept data from pxGrid partners.
    • Configure certificate management to enable secure communication. Use self-signed or external certificates as required.
      • Self-signed certificate: A self-signed certificate is a digital certificate signed by the same entity that creates it, not by an external Certificate Authority (CA). Cisco ISE generates a self-signed certificate during installation, which is used for admin access, inter-node HTTPS communication, and user authentication. For more information, see Generate a client certificate in Cisco ISE.
      • External certificate authority (CA): Certificates are issued and signed by a trusted third-party CA. This provides higher security and easier integration across multiple systems. If you want to use an external certificate authority instead of a self-signed certificate, see How external certificate authorities enable secure pxGrid integration.
  2. Register and configure Cyber Vision as a pxGrid client
    • Set up Cyber Vision as a pxGrid client.
    • Ensure Cyber Vision uses trusted certificates for authentication.
  3. Establish pxGrid secure connectivity
    • Create a secure pxGrid connection between Cisco ISE and Cyber Vision.
    • Validate certificate trust on both systems to ensure a trusted and encrypted data exchange.
  4. Enable pxGrid communication mechanism
    • In Push Mode, Cyber Vision initiates a connection to Cisco ISE (port 8910) and pushes asset data.
    • In Pull Mode, Cisco ISE connects to Cyber Vision (using its FQDN on port 8910) and pulls asset data. Ensure Cyber Vision’s certificate is imported into Cisco ISE for secure access.
  5. MAC aggregation in Cyber Vision
    • Cyber Vision consolidates components that share the same MAC address into a single endpoint.
    • Aggregated endpoint records contain merged properties, such as IP addresses and protocols.
    • Cyber Vision sends a maximum of two aggregated components per MAC address to Cisco ISE to prevent duplication.
  6. Data exchange and endpoint profiling
    • Cisco ISE receives detailed device and asset attribute data from Cyber Vision through pxGrid.
    • Cisco ISE processes this data to create or update endpoint profiling policies and improve policy enforcement.

Result

Cisco ISE automatically adjusts endpoint profiling and policy enforcement using up-to-date device information from Cisco Cyber Vision. This enhances security and operational efficiency.

Enable pxGrid on Cisco ISE node

Enable pxGrid services on the primary administration node in Cisco ISE to integrate your system with external platforms.

Complete this task during initial setup or when you update Cisco ISE nodes to integrate with external platforms that require pxGrid communication. The primary administration node provides certificates for integration.

Before you begin

You must have Super Admin or System Admin privileges.

Procedure


Step 1

Log into your Cisco ISE primary administration node web UI.

Step 2

From the Cisco ISE main menu, choose Administration > System > Deployment.

Step 3

Select the primary administration node and open the Edit menu.

  1. In General Settings, enable pxGrid and save your changes.

  2. In Profiling Configuration, enable pxGrid and save.

Step 4

From the Cisco ISE main menu, choose Administration > pxGrid Services > Summary.

Step 5

In Settings, select both Automatically approve new certificate-based accounts and Allow password based account creation.

Step 6

Click Save.


You have enabled pxGrid on the Cisco ISE primary administration node. You can now integrate it with external systems through certificate-based or password-based accounts.

What to do next

To verify that pxGrid is active, use one of these methods:

  • Use this CLI command:

    show application status ise
  • From the Cisco ISE main menu, choose Administration > pxGrid Services > Summary.

Create custom attributes in Cisco ISE

Define custom attributes in Cisco ISE to enable identification and management of endpoint components.

Perform this task when integrating Cisco ISE with Cyber Vision. Defining custom attributes allows Cisco ISE to receive and process component data from Cyber Vision, supporting accurate profiling and policy enforcement. For a mapping between Cyber Vision properties and Cisco ISE attributes, see Mapping Cyber Vision properties to Cisco ISE attributes.

Procedure


Step 1

From the Cisco ISE main menu, choose Administration > Identity Management > Settings > Endpoint Custom Attributes.

Step 2

Click the plus sign to create a new custom attribute.

Step 3

Define a new custom attribute:

  1. Enter the Attribute Name.

  2. Select the Type as String.

Step 4

Click Save.


After you complete these steps, Cisco ISE assigns Cyber Vision properties to the custom attributes.

Configure profiling settings

Configure the profiling settings to control device profiling enforcement.

Profiling settings allow you to define options for how connected devices are identified and managed in your network. Adjusting these options helps align profiling behavior with your organization's security and operational requirements.

Procedure


Step 1

From the main menu, choose Administration > System > Settings > Profiling.

Step 2

Set the CoA Type to Reauth.

Step 3

Enable the Custom Attribute for Profiling Enforcement and Profiling for MUD options.

Step 4

Save your changes.


Profiling settings are now updated and enforced according to your selections.

Create Cisco ISE profiling policies for custom attributes

Create profiling policies in Cisco ISE for each custom attribute so asset information is automatically updated when Cyber Vision sends new data.

Cisco ISE can automatically maintain up-to-date device attribute information received from Cyber Vision. Associating custom attributes with profiling policies streamlines asset tracking, ensures accurate device inventories, and supports security compliance as your network evolves.

Before you begin

Define all necessary custom attributes in Cisco ISE.

Procedure


Step 1

From the Cisco ISE main menu, choose Work Centers > Profiler > Profiling Policies, then click Add.

  1. Enter a profiling policy name.

    Note

    The space character is not supported in the policy name field.

  2. Check the Policy Enabled check box to enable the policy.

  3. Set Minimum Certainty Factor to 10.

  4. Set the Exception Action and the Network Scan (NMAP) Action to None.

  5. Select No, use existing Identity Group hierarchy for Create an Identity Group for the policy.

  6. Select None for Parent Policy.

  7. Select Global Settings for Associated CoA Type.

Step 2

In the Rules area, click Conditions and select Create New Condition (Advance Option).

Step 3

Select CUSTOMATTRIBUTE as the attribute.

Step 4

In the CUSTOMATTRIBUTE list, select the relevant custom attribute (for example, assetGroup).

Step 5

Select CONTAINS from the operator list and enter the required value (for example, CCV).

Use the CONTAINS or STARTSWITH operator to add rules for other custom attributes as needed.


When you create a profiling policy for each custom attribute, Cisco ISE automatically updates the attribute value whenever Cyber Vision sends new endpoints.

What to do next

  • Monitor the policy to confirm that the attribute values update as expected.

  • Revisit and adjust policy rules when you add new custom attributes.

Generate a client certificate in Cisco ISE

Generate a client certificate in Cisco ISE. This certificate provides secure client authentication and enables integration with pxGrid or other client-based services.

Use this task when a system or application requires a client certificate issued directly by Cisco ISE to enable identity or secure communication. Generate this certificate for client authentication, especially when the pxGrid service relies on an ISE self-signed certificate.

Before you begin

Have these details ready for the Subject Alternative Name (SAN) field:

  • IP Address: The Cyber Vision Center's IP address.

  • FQDN: The Subject Name available under Admin > Integrations > pxGrid/ISE in the Cyber Vision main menu.

Procedure


Step 1

From the Cisco ISE main menu, choose Administration > pxGrid Services > Client Management > Certificates.

Step 2

From the I want to list, select Generate a single certificate (without a certificate signing request).

Step 3

Enter the Common Name (CN) for the certificate.

Note

Use hyphens or underscores instead of spaces.

Step 4

Enter a Description for the certificate.

Step 5

In the Subject Alternative Name (SAN) section, select IP Address or FQDN, then enter the corresponding value.

Step 6

Select the desired option in the Certificate Download Format list.

Step 7

Enter and confirm a Certificate Password.

Step 8

Click Create to generate and download the certificate as a zip file to your local system.

Step 9

Extract the files from the downloaded zip folder to access your certificate.


You can use the generated client certificate for secure authentication with pxGrid or other services in Cisco ISE.

What to do next

  • Import the certificate as required into the client or service that will use it for authentication.

  • Store the certificate and password securely for future use.

Add custom properties in Cyber Vision

Add custom properties for devices in Cyber Vision to enable integration with Cisco ISE.

Custom properties are used by Cisco ISE for asset identification and policy enforcement, enabling enhanced security and policy application.

Before you begin

  • Ensure you know which devices require custom properties.

  • (Optional) To add custom properties programmatically, use the Cyber Vision API v3. The API route /api/3.0/CustomProperties/{object}/{id}/usersProperties allows you to add properties to a component, group, or device. For more information, see API documentation.

Procedure


Step 1

From the Cyber Vision main menu, choose Explore.

Step 2

Select the relevant preset and then select the Device list view.

Step 3

Select the device to which you want to add custom properties.

Step 4

Edit the device drawer. To make additional changes, access the technical sheet from the device drawer.

Step 5

Add the required Custom properties and Custom name fields.

Step 6

Click Close to save your changes.


The new custom properties appear for the selected device in Cyber Vision and are ready for use in Cisco ISE for policy enforcement.

What to do next

Verify that the properties appear on your device.

Configure pxGrid integration and generate a client certificate in Cyber Vision

Generate and download a client certificate in Cyber Vision to enable integration with Cisco ISE.

Before you begin

Generate a client certificate in Cisco ISE for use in Cyber Vision.

Procedure


Step 1

From the Cyber Vision main menu, choose Admin > Integrations > pxGrid/ISE.

Step 2

Enter the Node Name, Host Name, and IP Address.

Step 3

Click Import PxGrid certificate to upload the client certificate that was generated in Cisco ISE, and provide the certificate password.

Step 4

In the Custom attributes to sync to ISE section, select up to four custom properties to send to Cisco ISE.

Step 5

Select the networks that you want to associate with this pxGrid configuration.

Step 6

Save the settings.

Step 7

Click Download certificate to download the client certificate that Cyber Vision generates.


You have generated and downloaded the client certificate for use with Cisco ISE.

What to do next

Import the Cyber Vision client certificate into Cisco ISE to enable trust for authentication.

Import Cyber Vision certificate into Cisco ISE

Establish a trust relationship between Cisco ISE and Cyber Vision by importing the Cyber Vision client certificate and enabling trust for authentication.

Importing the Cyber Vision client certificate ensures that network devices and identities validated by Cyber Vision can be authenticated in Cisco ISE.

Before you begin

Obtain the Cyber Vision client certificate.

Procedure


Step 1

From the Cisco ISE main menu, choose Administration > System > Certificates > Certificate Management > Trusted Certificates.

Step 2

Click Import.

Step 3

Select and upload the Cyber Vision client certificate.

Step 4

Enter a descriptive name for the certificate.

Step 5

Enable Trust for authentication within ISE so that Cisco ISE uses the certificate for authentication.

Step 6

Click Save.


Cisco ISE adds the Cyber Vision client certificate to the trusted certificates list and uses it for authentication.

What to do next

Validate that Cisco ISE authenticates devices and communications that use the new trusted certificate.

Approve Cyber Vision requests in Cisco ISE

Approve pending Cyber Vision client requests in the Cisco ISE Admin console.

Use this procedure when a Cyber Vision client requests network access through Cisco ISE.

Procedure


Step 1

From the Cisco ISE main menu, choose Administration > pxGrid Services > Client Management.

Step 2

Select the Cyber Vision client to approve.

Step 3

Click Approve.


The Cyber Vision client request is approved, allowing network access through Cisco ISE.

Verify the Cyber Vision deployment status in Cisco ISE using the pxGrid node

Ensure that the Cyber Vision deployment is operational by confirming the status of the pxGrid node in Cisco ISE.

Verifying the pxGrid node status confirms that the Cyber Vision integration with Cisco ISE is functioning as expected. Perform this task after deploying Cyber Vision or to troubleshoot connectivity issues.

Before you begin

Enable the pxGrid service on your Cisco ISE deployment.

Procedure


Step 1

From the Cisco ISE main menu, choose Administration > pxGrid Services > Client Management > pxGrid Clients.

Step 2

In the Status column, verify that the Cyber Vision status for the pxGrid node is Enabled.


The pxGrid node’s status confirms whether the Cyber Vision deployment is operational and integrated as expected.

What to do next

If you see a problem with the status, check the pxGrid configuration or system logs for both systems to find and fix the issue.

How external certificate authorities enable secure pxGrid integration

Summary

You can use external certificate authorities to secure communication between Cisco ISE and Cyber Vision through pxGrid. These certificates, trusted by both Cisco ISE and Cyber Vision, enhance security and trust.

The key components involved in the process are:

  • External certificate authority (CA): Issues trusted root and server certificates to replace default self-signed certificates.

  • Cisco ISE: Generates certificate requests, imports CA certificates, and binds signed certificates for pxGrid service authentication.

  • Cyber Vision: Connects to Cisco ISE using the certificates for secure, authenticated pxGrid communication.

Workflow

The process involves these stages:

  1. Import the root CA certificate from the external CA into Cisco ISE to establish trust.
  2. Generate a Certificate Signing Request (CSR) in Cisco ISE for the pxGrid service.
  3. Submit the CSR to the external CA (such as Microsoft Active Directory Certificate Services) to obtain a signed web and server certificate.
  4. Bind the signed certificate to the CSR in Cisco ISE.
  5. Activate pxGrid services in Cisco ISE to use the new certificates.
  6. Integrate pxGrid with Cyber Vision to establish secure communication using the trusted certificates.

Result

Once you complete these steps, pxGrid communication between Cisco ISE and Cyber Vision is secured with certificates from a trusted external CA, providing authentication, trust, and protection against unauthorized access.

Import a root CA certificate

Import a root Certificate Authority (CA) certificate to ensure your system trusts entities signed by this CA.

Many secure services, such as HTTPS and device authentication, require your system to trust the issuing CA. Without the correct root certificate, secure connections may fail or generate security warnings.

Before you begin

  • Obtain the root CA certificate file from your Certificate Authority (CA) server and save it to your local machine.

Procedure


Step 1

From the Cisco ISE main menu, choose Administration > System > Certificates > Trusted Certificates.

Step 2

Click Import.

Step 3

Select Choose File and locate the root CA certificate file on your system.

Step 4

(Optional) Enter a descriptive friendly name for this certificate.

Step 5

Click Submit to complete the import process.


The root CA certificate is added to the trusted certificates list, allowing your system to trust and communicate securely with devices or services signed by this CA.

What to do next

Verify that the new certificate appears in your trusted certificates list. Then perform any required connectivity or security checks.

Create a certificate signing request

Generate a certificate signing request (CSR) so your system nodes can receive trusted certificates from a certificate authority.

Use this task when integrating external services like pxGrid, or when you need to renew expiring certificates for your system nodes.

Before you begin

Identify the nodes that require CSRs.

Procedure


Step 1

From the Cisco ISE main menu, choose Administration > System > Certificates > Certificate Signing Requests.

Step 2

Click Generate Certificate Signing Request (CSR).

Step 3

In the Usage field, select pxGrid.

Step 4

In the Node(s) section, select nodes that you want to generate the CSR for.

Step 5

(Optional) Enter the certificate subject details: Common Name (CN), Organizational Unit (OU), Organization (O), City (L), State (ST), and Country (C).

Step 6

(Optional) Enter a Subject Alternative Name (SAN), if required.

Step 7

Click Generate to create the CSR.

Step 8

Click Export to download the generated CSR file.


The system generates the CSR file and downloads it.

What to do next

Submit the CSR file to a trusted certificate authority to obtain a signed certificate.

Generate web and server certificates from a CA

Obtain web and server certificates required for secure communications by submitting a certificate signing request (CSR) and downloading the issued certificate from a certificate authority (CA).

This task uses the Microsoft Active Directory Certificate Services as an example of an external CA. Perform this task to add security to servers or web applications within an organization.

Before you begin

  • Make sure you have access to the Microsoft Active Directory Certificate Services server web portal.

  • Ensure you have generated and downloaded a certificate signing request (CSR).

Procedure


Step 1

On the Microsoft Active Directory Certificate Services server, go to http://localhost/certsrv/.

Step 2

Click Request a certificate.

Step 3

Click advanced certificate request.

Step 4

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Step 5

In the Base-64-encoded certificate request (CMC, PKCS #10, or PKCS #7) field, enter the text from the downloaded certificate signing request file.

Step 6

From the Certificate Template list, choose Web Client and Server.

Step 7

Click Submit.

Step 8

In the Certificate Issued page that is displayed, click Download certificate.


The web and server certificate is generated and downloaded, ready for installation on your server or web application.

What to do next

Bind the downloaded certificate on your server or application. Store the certificate and any associated private keys securely.

Bind a certificate to a CSR in Cisco ISE

Complete the certificate installation required for secure communications with Cyber Vision.

When integrating Cisco ISE with Cyber Vision, you must bind the downloaded certificate to the matching CSR to ensure proper security and trust.

Before you begin

  • Ensure you have already generated a CSR in Cisco ISE for Cyber Vision.

  • Download the signed certificate from your CA.

Procedure


Step 1

From the Cisco ISE main menu, choose Administration > System > Certificates > Certificate Signing Request.

Step 2

Select the CSR you generated for the Cyber Vision connection.

Step 3

Select Bind Certificate.

Step 4

Click Browse and choose the downloaded certificate file from your CA.

Step 5

Click Submit.

Step 6

If a certificate warning appears, select Yes to continue.


The certificate is now bound to the CSR. Use Cisco ISE to ensure secure communications with Cyber Vision.

What to do next

Activate pxGrid Services. See Enable pxGrid on Cisco ISE.

Integrate pxGrid with Cyber Vision

Integrate Cisco pxGrid with Cyber Vision to enable secure, automated sharing of context information and policy between network systems.

Use this task when you need to configure Cyber Vision to communicate with Cisco pxGrid for enhanced device visibility and policy management. This integration is essential for organizations using pxGrid-compatible devices to streamline security operations.

Before you begin

Obtain a PFX (Windows) certificate or a P12 certificate from your Certificate Authority (CA). If you have only a PFX certificate, export it from the CA computer and convert it to P12 format.

Procedure


Step 1

From the Cyber Vision main menu, choose Admin > Integrations > pxGrid.

Step 2

Enter the Node Name.

Step 3

Enter the Host Name.

Step 4

Enter the IP Address.

Step 5

Click Import pxGrid certificate, then select and upload the generated certificate file in P12 format.

Step 6

Enter the password for the P12 certificate.

Step 7

Select the networks that you want to integrate by checking the relevant checkboxes.

Step 8

Click Save to complete the integration.


You have integrated Cisco pxGrid with Cyber Vision. This integration lets you securely share network and security information between the platforms.

What to do next

Validate the integration by testing device communication and pxGrid features.