Integrate Cisco pxGrid Cloud with Cisco ISE: Releases 3.5, 3.4 patch 1, and 3.3 patch 5

Enable Cisco pxGrid Cloud service in Cisco ISE and register device

Before you begin

  • Install and activate the Cisco ISE Advantage license tier in your Cisco ISE deployment.

  • The pxGrid Cloud agent creates an outbound HTTPS connection to Cisco pxGrid Cloud. If your network uses a proxy to reach the internet, you must configure Cisco ISE proxy settings. To configure proxy settings in Cisco ISE, choose Administration > System > Settings > Proxy.

  • The Cisco ISE Trusted Certificates Store must include the root CA certificate required to validate the server certificate presented by Cisco pxGrid Cloud. Ensure that the Trust for Authentication of Cisco Services option is enabled for this root CA certificate. To enable Trust for Authentication of Cisco Services, choose Administration > System > Certificates.

  • Port 443 must be open for outbound connection from Cisco ISE to the Cisco pxGrid Cloud Portal. If firewall or proxy settings are configured, ensure these URLs are not blocked:

Procedure


Step 1

In the Cisco ISE GUI, choose Administration > System > Deployment.

Step 2

Select the node where you want to enable the pxGrid Cloud service.

Step 3

In the General Settings tab, enable the pxGrid service.

Step 4

Check the pxGrid Cloud check box.

Important

 
  • The pxGrid Cloud service can be enabled on two nodes to provide high availability.

  • You can enable the pxGrid Cloud option only when the pxGrid service is enabled on that node.

Cisco pxGrid Cloud service is enabled.

Step 5

In the ISE deployment name field, enter a name for your Cisco ISE deployment. You can find your registered Cisco ISE deployment on the Cisco Catalyst Cloud Portal using the ISE deployment name.

(Optional) In the Description (optional) field, enter a description for your Cisco ISE deployment.

Step 6

In the Region drop-down list, choose a region to register your Cisco ISE device. Cisco pxGrid Cloud is supported in the U.S., Europe, Asia Pacific, and Japan. The application you want to use with pxGrid Cloud must also be available in the same region.

Step 7

In the Activate your device pop-up page, the Activation Code for your device is automatically filled. Click Next.

Log in to your Cisco Catalyst Cloud Portal account or create a new account to complete your device registration. Refer to Create an account in Cisco Catalyst Cloud Portal for information on creating an account.

Step 8

Log in to your Cisco Catalyst Cloud Portal account.

Your Cisco ISE device is activated and registered.

You can find details of your registered Cisco ISE device in the pxGrid section (Administration > System > Deployment > pxGrid). You can click Deregister to deregister your Cisco ISE device. Deregistering Cisco ISE also automatically deactivates the connected applications.


Integrate Cisco pxGrid Cloud applications using Integration Catalog

From Cisco ISE releases 3.5, 3.4 patch 1, and 3.3 patch 5, you can use the Integration Catalog page (Administration > Integration Catalog) in Cisco ISE. This feature allows you to integrate with Cisco pxGrid Cloud applications, offering a simplified integration experience.

Procedure


Step 1

In the Cisco ISE GUI, choose Administration > Integration Catalog.

Step 2

In the Available Integrations section, click the pxGrid Cloud application that you want to integrate with Cisco ISE. The configuration and registration details of the chosen application are displayed in the Integration Catalog page.

Step 3

In the App Configuration section, choose the required instance to activate the app. You can have a single instance or multiple instances for your Cisco pxGrid Cloud application. Refer to Activate an app using Integration Catalog for more information on app activation.


Activate an app using Integration Catalog

You can integrate and activate a pxGrid Cloud app using the Integration Catalog (Administration > Integration Catalog > Available Integrations). The data scopes selected during the activation of an app are also activated in the configured policy. Refer to Configure a Cisco pxGrid Cloud policy for more information on configuring a policy.

To view and enable new scopes available for an app, disconnect the app after deactivation. When you reactivate the app, all the new scopes are displayed. You cannot edit the chosen data scopes after app activation. To make necessary changes, deactivate the app, make the required changes, and then reactivate the app.


Important


When integrating an app using the Integration Catalog, you may see the option to integrate the application using an existing instance or a new instance. This option applies only to multi-instance applications. In multi-instance apps, you can connect multiple Cisco ISE deployments (within a region) to an existing instance, or you can create a new instance for app integration. Single-instance apps always use the same instance.


Procedure


Step 1

Click your specific app tile on the Integration Catalog page to choose it for activation.

The App Configuration window displays the activation status as Activated.

Step 2

In the Instance section, click the Existing instances radio button to use an existing instance of an app, if applicable.

Step 3

From the Existing instances drop-down list, choose the required instance.

Step 4

(Optional) To create a new instance, click the New instance radio button (Integration Catalog > App Configuration > Instance).

Step 5

In the Data Scope section, choose the scopes for your app configuration. You must choose at least one data scope. The scope options available for configuration depend on your specific app.

  • Adaptive Network Control (ANC) Configuration: Provides ANC configuration details such as policy name, action type, status, and MAC address.

  • Echo Service: Provides a way for the app to check the health of the integration.

  • ISE Managed Endpoints: Provides details of endpoints and probe data attributes of selected probes connected to Cisco ISE.

  • Mobile Device Management (MDM): Provides endpoint details including model, manufacturer, type, compliance, and MAC address.

  • Profiler Configuration: Provides Cisco ISE profiling policy device details such as ID and name.

  • RADIUS Authentication Failures: Provides RADIUS protocol failure details such as failure reason, username, NAS NAD details, authentication details, framed IP address attributes, MAC address, and calling station ID.

  • Session Directory: Provides session and user group objects, which include authenticated user context, wired and wireless connection type information, posture status, endpoint profile device, Security Group Tag (SGT), and username.

  • TrustSec: Covers TrustSec, TrustSec Configuration, and TrustSec SXP topics, which include SGACL, SGT, and SGT binding information.

  • User Defined Networks (UDN): Allows a user to share UDN details such as network user details and information on the devices associated with those networks.

Step 6

Click Activate to activate the app.

Remember

 

(Optional) If you are using a single-instance app or creating a new instance, copy the one-time password (OTP) that is displayed to add an instance.

Step 7

(Optional) From the One-time Password Generated pop-up, copy the OTP to redeem it in your app page.

Step 8

(Optional) Log in to your app.

Step 9

(Optional) In the OTP redemption page of the app, use the OTP copied from Cisco ISE to add an instance.

The app instance is activated in Cisco ISE.

The app activation status is displayed as Activated in the App Configuration window.

(Optional) You can click Deactivate to deactivate the app, if needed.