Integrate Cisco Cyber Vision and Cisco Identity Services Engine (ISE) through Cisco ISE API

This chapter describes how to integrate Cisco Cyber Vision with Cisco Identity Services Engine (ISE) through the Cisco ISE API.

Supported releases

Ensure that your Cisco Cyber Vision and Cisco ISE run the following release versions:

  • Cisco Cyber Vision release 5.5.0 and later

  • Cisco ISE release 3.3 and later

Prerequisites

Activate Cisco ISE APIs

You must activate the Cisco ISE APIs to synchronize data continuously from Cisco Cyber Vision to Cisco ISE.

Use these steps to activate Cisco ISE APIs:

Procedure


Step 1

Log in to your Cisco ISE primary administration node web UI.

Step 2

Click the menu icon at the top left corner and choose Administration.

Step 3

Under System, click Settings.

Step 4

From the left navigation, click API Settings and navigate to the API Service Settings tab.

Step 5

Under API Service Settings, click the toggle button to enable the API settings and activate the Cisco ISE APIs.


Export the ISE system certificates

To establish secure communication between Cisco Cyber Vision and Cisco ISE, you must export the system certificate from Cisco ISE and import it into Cisco Cyber Vision. For additional details on Cisco ISE system certificates, refer to System Certificates in Cisco Identity Services Engine Administrator Guide.


Note


If the Cisco ISE uses a certificate signed by an External Certificate Authority (CA), you do not need to export the Cisco ISE system certificate. Instead, download the root CA certificate (.pem file format) from your Certificate Authority and import that file directly into Cisco Cyber Vision under Admin > Integrations > ISE - API.

For information on how to import the system certificate or the root CA certificate for the ISE integration, refer to Establish secure communication for ISE integration.


Use these steps to export the system certificates from Cisco ISE:

Procedure


Step 1

Log in to your Cisco ISE primary administration node web UI.

Step 2

Click the menu icon at the top left corner and choose Administration.

Step 3

Under System, click Certificates.

Step 4

Select the check boxes for the certificates to export, such as the internal certificate Issued By ISE or the default certificates Used By Admin, Portal, or Authentication. Cisco Cyber Vision needs the certificate that Cisco ISE presents on its API endpoint, so make sure that certificate is included.

Step 5

Click Export.

Step 6

Choose one of the following options:

  • Export Certificate Only

  • Export Certificate and Private Key (enter the private key password)

Cisco Cyber Vision needs only the certificate to verify the identity of the Cisco ISE API endpoint, so Export Certificate Only is sufficient for this integration. Export the private key only if you need it for another purpose, and protect the resulting file, because anyone holding the private key can impersonate your Cisco ISE node.

Step 7

Click Export.


The .pem file of the certificate downloads in your local system.

What to do next

Import the certificate into the Cisco Cyber Vision to establish a secure API connection for Cisco ISE integration. Refer to Establish secure communication for ISE integration.

Establish IP-to-SGT Mapping

Establish secure communication for ISE integration

To enable secure communication between Cisco Cyber Vision and Cisco ISE, establish an API connection for ISE integration.

Before you begin

Ensure that you have the following information and files ready before starting the API integration:

  • API Connection Details: You will need the Cisco ISE hostname, FQDN, and IP address. You can retrieve these details by navigating to Administration > System > Deployment in the Cisco ISE web UI.

  • Certificates:

    • System Certificate: If Cisco ISE uses an internal system certificate, you must export it from Cisco ISE (.pem file format) and save it into your local system. Refer to Export the ISE system certificates.

    • Root CA Certificate: If Cisco ISE uses a certificate signed by an external Certificate Authority (CA), download the corresponding root CA certificate (in .pem file format) from your Certificate Authority and save it to your local system.
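Before you import either file in the procedure that follows, it is worth confirming that it is really the certificate Cisco ISE presents on the API endpoint you enter as Hostname: a stale export, the wrong node's certificate, or the wrong CA bundle either fails the connection test or, worse, leaves the integration trusting something other than your ISE node. The following Python script is an added example written for this page, not Cisco code. It fingerprints every certificate block in a .pem file with the standard library and, given the ISE FQDN, either compares those fingerprints with the leaf certificate the endpoint presents (internal ISE certificate case) or performs a strict TLS handshake with the downloaded root CA as the only trust anchor (external CA case). TCP port 443, the file names, and the two sample PEM bodies are assumptions; the sample bodies are constructed placeholders so that the parsing code runs offline, not real certificates.

```python
"""Confirm that a .pem file is the certificate Cisco ISE presents on its API
endpoint before importing it into Cisco Cyber Vision.

Added example for this page, not Cisco code. Assumptions: the ISE API endpoint
is the FQDN entered as Hostname, on TCP 443 unless told otherwise.
"""
import argparse
import base64
import hashlib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_blocks(pem_text: str) -> list:
    """Return each CERTIFICATE block in a .pem file (an export or a CA bundle
    may hold more than one)."""
    blocks, current, inside = [], [], False
    for raw in pem_text.splitlines():
        line = raw.strip()
        if line == PEM_HEADER:
            inside, current = True, [line]
        elif line == PEM_FOOTER and inside:
            current.append(line)
            blocks.append("\n".join(current))
            inside = False
        elif inside:
            current.append(line)
    if not blocks:
        raise ValueError("no CERTIFICATE block found; expected a .pem file")
    return blocks


def sha256_fingerprint(pem_block: str) -> str:
    """SHA-256 fingerprint of one PEM block, colon-separated as ISE and
    OpenSSL display it."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def _clean(fp: str) -> str:
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprints_match(a: str, b: str) -> bool:
    """Compare fingerprints regardless of case or separators."""
    return _clean(a) == _clean(b)


def exported_cert_matches_server(pem_text: str, host: str, port: int = 443) -> bool:
    """Internal ISE certificate case: the exported leaf must be exactly what
    the endpoint presents. The certificate is fetched without validation,
    because establishing that trust is the point of this check."""
    presented = sha256_fingerprint(ssl.get_server_certificate((host, port)))
    return any(fingerprints_match(sha256_fingerprint(b), presented)
               for b in pem_blocks(pem_text))


def ca_validates_server(ca_pem_text: str, host: str, port: int = 443) -> bool:
    """External CA case: a strict TLS handshake (chain and hostname checked)
    must succeed with the downloaded root CA as the only trust anchor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=ca_pem_text)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


def _constructed_pem(payload: bytes) -> str:
    """Build a PEM-shaped block from arbitrary bytes for offline testing."""
    body = base64.encodebytes(payload).decode("ascii").strip()
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


# Constructed placeholders, NOT real certificates: they let the parsing and
# fingerprint code run offline. Use the real .pem contents in practice.
SAMPLE_EXPORT_PEM = _constructed_pem(b"placeholder: exported ISE system certificate")
SAMPLE_CA_PEM = (_constructed_pem(b"placeholder: external root CA")
                 + _constructed_pem(b"placeholder: intermediate CA"))

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("host", help="ISE FQDN exactly as entered in Cyber Vision")
    ap.add_argument("pem", help="exported ISE certificate or downloaded root CA (.pem)")
    ap.add_argument("--port", type=int, default=443)
    ap.add_argument("--ca", action="store_true", help="treat the file as a root CA")
    args = ap.parse_args()
    with open(args.pem, encoding="ascii") as fh:
        text = fh.read()
    for block in pem_blocks(text):
        print("file:", sha256_fingerprint(block))
    ok = (ca_validates_server(text, args.host, args.port) if args.ca
          else exported_cert_matches_server(text, args.host, args.port))
    print("MATCH: safe to import" if ok else "NO MATCH: do not import this file")
```

Run it as `python check_ise_cert.py ise.example.com exported.pem`, or add `--ca` for a root CA file. Give it the same FQDN you enter as Hostname in Cisco Cyber Vision, because the CA check also verifies that the name on the certificate matches; an IP address in place of the FQDN will fail that check even when the CA is right.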

Use these steps to configure a secure API connection for your Cisco ISE integration:

Procedure


Step 1

Log in to the Cisco Cyber Vision web application.

Step 2

From the main menu, select Admin > Integrations > ISE - API.

Step 3

Expand the ISE Configuration section.

Step 4

Enter the following:

  • Hostname: FQDN of the Cisco ISE API

  • IP Address: IP address of the Cisco ISE API. Enter the IP address only if the hostname cannot be resolved through DNS.

  • Username and password: Credentials of a Cisco ISE user with access to the Cisco ISE API. Use a dedicated account that has only the privileges the API integration needs rather than a general administrator account.

  • ISE SXP Domain: Keep the default value unless your Cisco ISE deployment uses a different SXP domain.

Step 5

For ISE Certificate, click Import ISE Certificate and select the ISE system certificate (.pem) from your local system. For instructions on how to obtain the certificate, refer to Export the ISE system certificates.

Step 6

Click Test Connection.

The message Connection Successful appears. If the test fails, confirm that the Cisco ISE APIs are activated (see Activate Cisco ISE APIs), that the hostname resolves to the Cisco ISE node, that the credentials are valid, and that the imported certificate is the one that Cisco ISE presents on its API endpoint.

Step 7

Click Save.


Create IP-to-SGT mapping

Cisco Cyber Vision allows you to assign SGTs to network-based or user-defined groups, facilitating the synchronization of IP-to-SGT mappings with Cisco ISE.


Note


Network-based groups are shared with Cisco ISE by creating Subnet-to-SGT bindings. The user-defined groups are created by establishing individual IP-to-SGT bindings for each IP address within the group, mapping each specific device to an SGT.


Before you begin

You must define the subnetworks and groups by setting IP address ranges and declaring the network as operational technology (OT) internal. For instructions to define subnetworks and groups, see the Network Organization section in the Cisco Cyber Vision Administration Guide, Release 5.5.x.

Use these steps to create IP-to-SGT mapping:

Procedure


Step 1

Log in to the Cisco Cyber Vision web application.

Step 2

From the main menu, choose Admin > Integrations > ISE - API.

Step 3

Click Edit configuration.

  1. Under Network Based Groups, toggle the status for each group that should be enabled for ISE integration.

    Note

     

    The SGT starts at 5000 and increments by 1. You can assign the same SGT value to multiple groups.

  2. Click Next.

  3. Under User Defined Groups, toggle the status for each group that should be enabled for ISE integration.

  4. Click Close.

The configured SGTs appear for the corresponding network or user-defined group in the table.

Note

 

The Delete Configuration button deletes all the existing ISE configuration. Deleting groups can impact existing Cisco ISE integrations. Proceed carefully to avoid disrupting these integrations.

Step 4

If you notice any changes in device details or network names in the table for the configured network or user-defined groups, click Force Synchronization to manually synchronize these changes with Cisco ISE.


What to do next

Log in to the Cisco ISE web application and verify that the IP-to-SGT mapping is synchronized in Cisco ISE.

Verify IP-to-SGT mappings in Cisco ISE

To maintain accurate and current network security policies, it is essential to verify that the SGT mappings from Cisco Cyber Vision are synchronized with Cisco ISE.

Use the following steps to verify the synchronization:

Procedure


Step 1

Log in to your Cisco ISE primary administration node web UI.

Step 2

Select the menu icon at the top left corner and choose Work Centers.

Step 3

Under TrustSec, click Components.

Step 4

From the left navigation, click Security Groups.

Step 5

Verify that the networks and SGT assignments from Cisco Cyber Vision are synchronized in the Security Groups table.

Step 6

From the left navigation, click IP SGT Static Mapping.

Step 7

Verify that the SGT and IP mappings are synchronized in the IP SGT static mapping table.
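The note under Create IP-to-SGT mapping describes how Cisco Cyber Vision turns enabled groups into bindings (one subnet binding per network-based group, one host binding per device in a user-defined group, SGTs numbered from 5000 upward), and the steps above verify the result by eye in the ISE table. The following Python script is an added example for this page, not Cisco code: it derives the bindings that should exist for a set of enabled groups and reconciles them against rows taken from the ISE IP SGT static mapping table, reporting what is missing on ISE, what is stale on ISE, and what carries a different tag, which are the three conditions that Force Synchronization should correct. It assumes that SGTs are allocated in the order groups are enabled (the documentation gives the start value and the increment, not the order), that host bindings appear as /32 or /128 prefixes, and that the group definitions and ISE rows are constructed sample data rather than values read from either product.

```python
"""Derive the IP-to-SGT bindings Cisco Cyber Vision shares for the groups you
enabled and reconcile them with the rows shown in Cisco ISE under
Work Centers > TrustSec > Components > IP SGT Static Mapping.

Added example for this page, not Cisco code. Assumptions: SGTs are allocated
from 5000 upward in the order the groups are enabled, host bindings are written
as /32 (or /128) prefixes, and the ISE rows are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

SGT_BASE = 5000


@dataclass
class Group:
    name: str
    enabled: bool                                  # the toggle under Network Based / User Defined Groups
    subnets: list = field(default_factory=list)    # network-based group: subnet-to-SGT bindings
    devices: list = field(default_factory=list)    # user-defined group: one binding per device IP
    shares_sgt_with: Optional[str] = None          # reuse another enabled group's SGT
    sgt: Optional[int] = None


def assign_sgts(groups):
    """Give every enabled group an SGT: the next free value from SGT_BASE, or
    the SGT of the group it is declared to share with. Returns {name: sgt}."""
    next_sgt, by_name = SGT_BASE, {}
    for g in groups:
        if not g.enabled:
            g.sgt = None
            continue
        if g.shares_sgt_with:
            if g.shares_sgt_with not in by_name:
                raise ValueError(f"{g.name!r} shares an SGT with {g.shares_sgt_with!r}, "
                                 "which is not an enabled group listed before it")
            g.sgt = by_name[g.shares_sgt_with]
        else:
            g.sgt, next_sgt = next_sgt, next_sgt + 1
        by_name[g.name] = g.sgt
    return by_name


def expected_bindings(groups):
    """Bindings as they should appear on ISE: {prefix: sgt}. Malformed
    addresses raise here instead of turning into bad bindings."""
    assign_sgts(groups)
    bindings = {}
    for g in groups:
        if not g.enabled:
            continue
        for cidr in g.subnets:
            bindings[str(ipaddress.ip_network(cidr, strict=False))] = g.sgt
        for ip in g.devices:
            host = ipaddress.ip_address(ip)
            bindings[f"{host}/{host.max_prefixlen}"] = g.sgt
    return bindings


def reconcile(expected, ise_rows):
    """Diff expected bindings against ISE table rows ({'ip': ..., 'sgt': ...}).
    missing    -> in Cyber Vision but not on ISE (not synchronized yet)
    stale      -> on ISE but not enabled in Cyber Vision
    mismatched -> same prefix, different tag: (expected, on ISE)"""
    actual = {str(ipaddress.ip_network(r["ip"], strict=False)): int(r["sgt"])
              for r in ise_rows}
    return {
        "missing": {p: t for p, t in expected.items() if p not in actual},
        "stale": {p: t for p, t in actual.items() if p not in expected},
        "mismatched": {p: (expected[p], actual[p]) for p in expected
                       if p in actual and actual[p] != expected[p]},
    }


# Constructed sample data, not taken from a real deployment.
SAMPLE_GROUPS = [
    Group("OT Cell 1", enabled=True, subnets=["192.168.10.0/24"]),
    Group("OT Cell 2", enabled=True, subnets=["192.168.20.0/24"]),
    Group("Lab", enabled=False, subnets=["192.168.30.0/24"]),           # toggle left off
    Group("HMI stations", enabled=True, devices=["192.168.10.5", "192.168.10.6"]),
    Group("Engineering laptops", enabled=True, devices=["192.168.50.9"],
          shares_sgt_with="OT Cell 1"),                                   # same SGT as OT Cell 1
]
SAMPLE_ISE_ROWS = [  # what the ISE table might show after an incomplete sync
    {"ip": "192.168.10.0/24", "sgt": 5000},
    {"ip": "192.168.20.0/24", "sgt": 5001},
    {"ip": "192.168.10.5/32", "sgt": 5002},
    {"ip": "192.168.10.6", "sgt": 5001},       # wrong tag on ISE
    {"ip": "192.168.30.0/24", "sgt": 5003},    # group is disabled: stale on ISE
]

if __name__ == "__main__":
    report = reconcile(expected_bindings(SAMPLE_GROUPS), SAMPLE_ISE_ROWS)
    for kind, entries in report.items():
        print(f"{kind}: {entries or 'none'}")
```

A stale row is not always an error: an ISE administrator may have created that static mapping by hand for a reason unrelated to Cisco Cyber Vision, so check the binding's origin before removing it. A mismatched row is the case to treat as urgent, because a device carrying the wrong tag is evaluated against the wrong cells of the TrustSec matrix.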


What to do next

Define Cisco TrustSec policies to manage access and permissions between networks based on the assigned Scalable Group Tags (SGTs). For more information on TrustSec policies, refer to Configure TrustSec Matrix Settings in the Cisco Identity Services Engine Administrator Guide.