Identity Source: pxGrid Cloud Identity (ISE 3.4 and Later)

The following topics discuss how to configure and use the pxGrid Cloud Identity Source with Cisco ISE version 3.4 and later.

pxGrid Cloud identity source

The Cisco Identity Services Engine (Cisco ISE) pxGrid Cloud identity source enables you to use subscription and user data from a server or cluster in Secure Firewall Management Center access control rules. Also, the identity source uses constantly changing dynamic objects from in access control policies in the Secure Firewall Management Center.

Integration technologies

The pxGrid Cloud identity source also uses:

  • The Cisco Platform Exchange Grid (pxGrid), which enables multivendor, cross-platform network system collaboration in things like security monitoring and detection systems, network policy platforms, asset and configuration management, identity, and access management. pxGrid Cloud is the cloud-based interface to Cisco ISE.

    More information about pxGrid is available in resources such as What is PxGrid? on devnet.

  • The Cisco Digital Network Architecture (Cisco DNA) delivers automation, security, predictive monitoring, and a policy-driven approach. It provides end-to-end network visibility and uses network insights to optimize network performance and deliver the best user and application experience.

    To use the pxGrid Cloud identity source with the Secure Firewall Management Center, you must Create a Cisco Account.

Restrictions for the pxGrid Cloud identity source

Before you set up the pxGrid Cloud identity source, note these restrictions:

  • pxGrid Cloud suppports these regions: us-west-2, eu-central-1, and ap-southeast-1.

  • For information about Cisco ISE versions and query sizes, see Query limitation in the pxGrid Cloud SDK on GitHub.

How the pxGrid Cloud identity source works

Summary

The key components involved in the pxGrid Cloud identity source are:

  • Secure Firewall Management Center: Uses the pxGrid Cloud SDK to programmatically retrieve user information

  • Cisco ISE: Provides user information, SGT, endpoint profile, and other details

  • pxGrid Cloud: Facilitates secure data exchange between the management center and ISE

  • Authentication process: Requires one-time passwords (OTP) to establish trusted communication

Workflow

The image illustrates the stages of enabling pxGrid Cloud by the administrator, highlighting the key steps involved in the process.

These stages describe how the pxGrid Cloud identity source works:

  1. In Cisco ISE, the administrator enables the use of pxGrid Cloud.
  2. The administrator registers Cisco ISE as a product in pxGrid Cloud, which authenticates Cisco ISE and pxGrid Cloud and enables them to communicate with each other. The authentication process requires you to paste a one-time password (OTP) from pxGrid Cloud into Cisco ISE.
  3. In pxGrid Cloud, the administrator creates an "app instance" that generates an OTP for use in the Secure Firewall Management Center to authenticate the two with each other.
  4. After completing all the preceding tasks, the Secure Firewall Management Center (which includes the pxGrid Cloud SDK) can query Cisco ISE using pxGrid Cloud and retrieve sessions containing user information, SGT, endpoint profile, and other details. A Cisco ISE cluster downloads SGT/endpoint profile definition only from the primary node because the definitions are shared across all nodes.
  5. Many types of dynamic objects can be filtered and sent to the Secure Firewall Management Center as dynamic objects to be used in access control rules. These include: SGT, endpoint profile, posture status, and machine authentication. User information is retrieved from Cisco ISE and group information is retrieved from either Microsoft Active Directory or Azure Active Directory.

pxGrid Cloud identity source configuration

These topics summarize how to configure a pxGrid Cloud identity source either for ISE 3.3 and earlier or for ISE 3.4 and later. The steps are different so make sure you follow them exactly.

Configuring a pxGrid Cloud identity source

Before you begin, create a Cisco Account.


Important


This topic applies to Cisco ISE version 3.4 or later. If you are using an earlier version, see Configuring a pxGrid Cloud identity source (Cisco ISE 3.3 or earlier) instead.


Summary

The key components involved in configuring a pxGrid Cloud identity source are:

  • Cisco ISE: Enables pxGrid Cloud service and creates the connection

  • Catalyst Cloud Portal: Creates and manages app instances for authentication

  • Secure Firewall Management Center: Receives user data and creates identity sources for policy enforcement

Workflow

Figure 1. Configure a pxGrid Cloud identity source
The configuration process for a network device is illustrated, showing the steps to set up various parameters and options. The diagram highlights key components and their interconnections within the network setup. Enable the pxGrid Cloud service in Cisco ISE Register the pxGrid Cloud connection with Cisco ISE Create an app instance Create an app instance Enable the dynamic attributes connector Create the identity source Activate the app instance Activate the pxGrid Cloud identity source

These are the stages of configuring a pxGrid Cloud identity source using Cisco ISE, the Catalyst Cloud Portal, and Secure Firewall Management Center:

  1. Enable pxGrid Cloud in Cisco ISE. pxGrid Cloud enables you to subscribe to offers and to register apps (in this case, the Secure Firewall Management Center) for secure data exchange in a cloud environment. For more information, see Enable the pxGrid Cloud service in Cisco ISE.
  2. Create an app instance and get the one-time password (OTP) required to create the pxGrid Cloud identity source in the Catalyst Cloud Portal. For more information, see Create an app instance.
  3. Enable the dynamic attributes connector in the Secure Firewall Management Center if you haven't done so already. The dynamic attributes connector is required to use the pxGrid Cloud identity source. For more information, see Enable the dynamic attributes connector.
  4. Create the pxGrid Cloud identity source in the Secure Firewall Management Center. The identity source enables the Secure Firewall Management Center to authenticate with Cisco ISE and the Catalyst Cloud Portal so it can receive user data from Cisco ISE. For more information, see Create the identity source.
  5. Activate the app instance in the Catalyst Cloud Portal. For more information, see Activate the app instance.
  6. Activate the pxGrid Cloud identity source in the Secure Firewall Management Center. For more information, see Activate the pxGrid Cloud identity source.

What’s next

After you complete this configuration process, you can:

  • Test the pxGrid Cloud identity source to make sure it's working properly. For more information, see Test the pxGrid Cloud identity source.

  • Create dynamic attributes filters, which define what dynamic objects are sent to the Secure Firewall Management Center. For more information, see Create dynamic attributes filters.

  • Use the pxGrid Cloud identity source to enable dynamic objects, Microsoft AD user and groups, and Azure AD users and groups in access control rules.

Enable the pxGrid Cloud service in Cisco ISE

This task enables the pxGrid Cloud service in Cisco ISE, which allows your ISE deployment to connect to cloud-based pxGrid services for enhanced security and visibility.

This task explains how to enable pxGrid Cloud in Cisco ISE.

Before you begin

  • Install and activate the Advantage license tier in your Cisco ISE deployment.

  • The pxGrid Cloud agent creates an outbound HTTPS connection to Cisco pxGrid Cloud. Therefore, you must configure Cisco ISE proxy settings if the customer network uses a proxy to reach the internet. To configure proxy settings in Cisco ISE, click the Menu icon () and choose Administration > System > Settings > Proxy.

  • The Cisco ISE Trusted Certificates Store must include the root CA certificate required to validate the server certificate presented by Cisco pxGrid Cloud. Ensure that the Trust for Authentication of Cisco Services option is enabled for this root CA certificate. To enable this option, navigate to Administration > System > Certificates.

Follow these steps to enable the pxGrid Cloud service in Cisco ISE:

Procedure


Step 1

Log in as an administrator to Cisco ISE.

If your Cisco ISE server is part of a cluster, log in to the Primary Administration Node (PAN).

Step 2

Click the Menu icon (), then click Administration > Deployment.

Under Deployment Nodes, click the name of the deployment node.

Step 3

On the next page, scroll down to locate the pxGrid node.

Select the Enable pxGrid Cloud check box.

Step 4

Enter the following information:

Option

Description

ISE Deployment Name

Enter a unique name to identify your ISE deployment.

Description (Optional)

Enter an optional description.

Region

Click the region you're in (us-west-2, eu-central-1, or ap-southeast-1).

This is the only valid region at this time.

License agreements

You are required to select both check boxes to continue.

Step 5

Click Register.

Example:

The image illustrates the license agreement interface, highlighting the two check boxes that must be selected to proceed.

Step 6

When prompted with an activation code for the Catalyst Cloud Portal, click Next.

Step 7

When prompted, log in to the Catalyst Cloud Portal.

Step 8

At the Select an Account dialog box, click the name of an account with which to register Cisco ISE.

Step 9

Click Register ISE.


What to do next

See Verify Cisco ISE registration in the Catalyst Cloud Portal.

Verify Cisco ISE registration in the Catalyst Cloud Portal

This task allows you to confirm that Cisco ISE is properly registered with the Catalyst Cloud Portal.

This task explains how to verify that Cisco ISE is registered with the Catalyst Cloud Portal.

Before you begin

Complete the tasks discussed in Enable the pxGrid Cloud service in Cisco ISE.

Procedure


Step 1

Log in to the Cisco Catalyst Cloud Portal.

Step 2

If prompted, select the account.

Step 3

In the left navigation, click The registration verification process includes steps to confirm user details and ensure successful account activation. > Applications and Products.

Step 4

At the top of the page, click Products.

Step 5

Click the name of the Cisco ISE deployment you created previously.

Step 6

Make sure that Registered is displayed for its status.

Example:

The deployment displays a Registered status, confirming successful registration with the system.


Create an app instance

Create an app instance to enable pxGrid Cloud identity source functionality for sending user session data to the Secure Firewall Management Center.

This task is one of several tasks you must perform to create a pxGrid Cloud identity source to send user session data to the Secure Firewall Management Center.

There is a one-hour time limit on the one-time password (OTP) required to complete this procedure successfully. You do not need to log in to Cisco ISE.

Before you begin

Verify Cisco ISE registration in the Catalyst Cloud Portal.

Procedure


Step 1

Log in to the Cisco Catalyst Cloud Portal.

Step 2

In the Catalyst Cloud Portal, click The Cisco DNA Portal interface displays the Applications and Products section, highlighting the steps to create an app instance. > Applications and Products.

In the Cisco DNA Portal, go to Applications and Products

Step 3

At the top of the page, click Applications.

Step 4

From the Regions list, click us-west-2, eu-central-1, or ap-southeast-1.

Step 5

Click Manage (or Activate) next to Firepower Management Center.

Step 6

Click Add.

Step 7

Click Create a New One.

The following figure shows an example.

Create a new application instance

Step 8

Click the copy button next to the displayed OTP.

Get the one-time password (OTP) for the application instance

Copy the OTP to a text file; it expires in 60 minutes.

Step 9

Continue with Create the identity source.


Create the identity source

This task creates a pxGrid Cloud identity source to send user session data to the Secure Firewall Management Center.

This task is one of several required to create a pxGrid Cloud identity source to send user session data to the Secure Firewall Management Center.

Before you begin

Complete the task discussed in Create an app instance.

Procedure


Step 1

Log in to the Secure Firewall Management Center

Step 2

Click Integrations > Identity > Identity Sources

Step 3

Click Identity Services Engine (pxGrid Cloud).

Step 4

Click Create pxGrid Application Instance.

This figure shows an example.

Enter the required information, including the OTP, to create a pxGrid App Instance

Step 5

Enter the required information.

Value

Description

Name

Enter a name to uniquely identify this connector.

Description

Optional description.

OTP (One-Time Password)

Enter the OTP.

Step 6

Click Create.

Step 7

At the top of the page, click Save.


What to do next

Continue with Activate the app instance.

Activate the app instance

Activate an app instance to create a pxGrid Cloud identity source that sends user session data to the Secure Firewall Management Center.

There is a one-hour time limit on the one-time password (OTP) required to complete this procedure successfully. You do not need to log in to Cisco ISE.

Before you begin

Complete the task discussed in Create the identity source.

Follow these steps to activate the app instance:

Procedure


Step 1

Log in to the Cisco Catalyst Cloud Portal.

Step 2

Reverify the app by clicking the word here as the following figure shows.

The image illustrates the steps required to activate the app instance, highlighting key actions and options within the application interface.

Step 3

Click the name of the application instance you just created in Secure Firewall Management Center.

Step 4

Click Next.

Example:

The image illustrates the steps to activate the app instance, highlighting key actions and options available in the activation process.

Step 5

On the Choose Product page, click the name of the Cisco ISE product and click Next.

Example:

The image illustrates the steps to activate the app instance, highlighting key actions and options available in the activation process.

Step 6

Select the check box next to each scope.

The following figure shows an example.

The app instance activation process is illustrated, showing the necessary steps and components involved in successfully activating the instance.

Step 7

Click Next.

Step 8

Review the displayed information for accuracy. Make sure all scopes are selected.

The following figure shows an example.

The app instance is successfully activated and ready to send user session data to the management center.

Step 9

Click Activate.

It can take several minutes for the app instance to be activated.

Continue with Activate the pxGrid Cloud identity source.


Activate the pxGrid Cloud identity source

This task activates the pxGrid Cloud identity source to enable identity services integration in your security infrastructure.

This task explains how to activate the pxGrid Cloud identity source in the Secure Firewall Management Center.

Before you begin

Complete the tasks discussed in Activate the app instance.


Note


Only one pxGrid Cloud identity source can be active at a time.


Procedure


Step 1

Log in to the Secure Firewall Management Center.

Click Integrations > Identity > Identity Sources.

Step 2

Click Identity Services Engine (pxGrid Cloud).

Step 3

Click Save at the top of the page.

Step 4

If a green check mark is not displayed next to the name of the identity source, select it.

Example:

The image illustrates the activation process for a specific device, highlighting key steps and components involved in the procedure.

Step 5

Click Make Active.

Example:

The image illustrates the process of selecting a check box to enable the receipt of ISE user session information from the server.

Step 6

(Optional.) Select the following options if desired:

  • Session Directory Topic: Select the check box to receive ISE user session information from the Cisco ISE server.

  • SXP Topic: Select the check box to receive updates to SGT-to-IP mappings when available from the ISE server. This option is required to use destination SGT tagging in access control rules.

  • ISE Network Filter: Optional filter you can set to restrict the data that Cisco ISE reports. If you provide a network filter, Cisco ISE reports data from the networks in that filter.

    You have the following options:

    • Leave the field blank to specify any.

    • Enter a single IPv4 address block using CIDR notation.

    • Enter a list of IPv4 address blocks using CIDR notation, separated by commas.

Step 7

Under Activated ISE, expand the identity source.

Example normal result:

The image illustrates the process of entering IPv4 address blocks in CIDR notation, highlighting both a normal and an error result for user input.

Example error result:

The image illustrates the process of entering a list of IPv4 address blocks in CIDR notation, highlighting both a normal result and an error result for user guidance.

In the event of an error, see Test the pxGrid Cloud identity source.

Step 8

Verify the status is Active and that all scopes and topics are displayed.

Wait a few minutes for data to be downloaded.


What to do next

See Test the pxGrid Cloud identity source.

Test the pxGrid Cloud identity source

This task enables you to perform diagnostics using the Secure Firewall Management Center to determine if the identity source is working.

Errors might include communication with Cisco ISE, or with the Cisco ISE configuration with Catalyst Cloud Portal.

Procedure


Step 1

Step 2

Log in to the Secure Firewall Management Center.

Step 3

Step 4

Click Integrations > Identity > Identity Sources.

Step 5

Click Identity Services Engine (pxGrid Cloud).

Step 6

Review the configuration status information.

The following figure shows an example configuration.

The figure illustrates an example configuration with numbered areas that correspond to details provided in the accompanying table.

The following table has more information about the numbered areas in the figure.

Number

Meaning

1

Overall status

Any errors in the overall status of the Cisco ISE app instances are displayed. In that case, scroll to that instance and either expand the error message or click Test for more information.

2

Active

A green check mark indicates the app is active.

3

Inactive

A dimmed app instance is inactive. You can activate it by selecting the check box next to its name and then clicking Make active.

4

Test button

Click Test to perform diagnostic tests that show more detailed status of the app instance.

The following figure shows a sample success message.

The figure displays a sample success message from a diagnostic test performed on an app instance, indicating that the instance is functioning correctly.

The following figure shows an example error result.

The figure displays a sample success message from the diagnostic tests performed on the app instance, indicating that the tests have completed successfully.

Step 7

Click Test to perform diagnostic tests.

If errors occur, use the following error code reference to help diagnose and solve issues with Cisco ISE, pxGrid Cloud, and the Catalyst Cloud Portal. If these suggestions do not work, or if you have a different issue, contact Cisco TAC.

Table 1. Error code troubleshooting

Error Code

Troubleshooting Steps

403 – Forbidden

Verify the Cisco ISE product is not in a Pending or Suspended state in the Catalyst Cloud Portal. If suspended, verify that Cisco ISE is registered as discussed in Enable pxGrid Cloud service in Cisco ISE and register your device. Additionally, verify pxGrid Cloud services are publicly available.

404 – Not Found

Verify the Cisco ISE server is not directly disconnected from the Cisco ISE dashboard. To properly disconnect Cisco ISE already connected with the app instance, first deactivate Cisco ISE from the app instance and then disconnect the app instance from the Cisco ISE dashboard.

408 – Request Timeout

Check whether there are any general connectivity issues with Cisco ISE and verify pxGrid Cloud connectivity status is Connected in the ISE dashboard under The image illustrates a 408 Request Timeout error message, indicating that the server did not receive a complete request from the client within the server's allotted timeout period. > Administration > pxGrid Services > Client Management > pxGrid Cloud Connection. Verify the Cisco ISE server is not directly disconnected from the Cisco ISE dashboard.

413 – Content Too Large

Review the pxGrid Cloud API limitations on GitHub. If needed, consider upgrading your Cisco ISE version to fully utilize pxGrid Cloud support.

500 – Internal Server Error

Check that the Cisco ISE server is operational and that pxGrid Cloud services are active (verify MNT, SXP, pxGrid nodes, and so on). For more information, see Monitoring and debugging in the Cisco pxGrid chapter in the Cisco Identity Services Engine Administrator Guide.

Step 8

If the product is in a Pending or Suspended state, verify that it is active.

  1. Log in to the Catalyst Cloud Portal.

  2. In the Catalyst Cloud Portal, go to The figure illustrates an example of a suspended product within the Cisco DNA Portal, highlighting its status and relevant details. > Applications and Products.

    Example:

    In the Cisco DNA Portal, go to Applications and Products

  3. Click the Products tab.

    Example:

    The following figure shows an example of a suspended product.

    The figure illustrates a suspended product within the Cisco DNA Portal, highlighting its status and relevant details for user reference.

  4. To correct the issue, in the Actions column, click The figure illustrates a suspended product within the Cisco DNA Portal, highlighting its status and relevant details for user reference. and click Generate OTP.

  5. Use the OTP as discussed in Create the identity source.

Step 9

If you encounter a cluster member not reachable error, find what node is not reachable.

If a member of the Cisco ISE cluster is not reachable, a page like this is displayed:

The error page indicates that a member of the cluster is not reachable, providing options for troubleshooting and further actions.

To find what node is not reachable, log in to Cisco ISE primary administration node as an administrator and click click the Menu icon () and choose Administration > System > Deployment, then see Node Status in a Cisco ISE Deployment.


Troubleshoot the pxGrid Cloud identity source

These topics describe troubleshooting the pxGrid Cloud identity source.

Primary device cannot be processed

This task resolves the error "primary device cannot be processed" or "ISE is unhealthy" that occurs when a Cisco ISE cluster is associated with more than one app instance.

Each Cisco ISE cluster must be associated with one and only one app instance, typically in a single dedicated tenant.

If you associate a Cisco ISE with more than one app instance, an error such as Error occured: primary device cannot be processed or ISE is unhealthy is displayed for the identity source.

Example:

An error such as "primary device cannot be processed" or "ISE is unhealthy" indicates a misconfigured Cisco ISE cluster. A cluster can be associated with only one app instance.

The solution is to deactivate the ISE properly from other app instances for that tenant, before using it in any other tenant or app instance

Procedure


Step 1

Log in to the Cisco Catalyst Cloud Portal.

Step 2

At the top of the page, click Applications.

Step 3

Locate a Cisco ISE product that is activated and verify it is the one causing the issue.

Example:

In the Cisco DNA Portal, locate the ISE product that is experiencing the error and deactivate it.

Step 4

Wait for the product to be removed.

Step 5

Deactivate the app instance as described in Deactivate the pxGrid Cloud app instance.


Create dynamic attributes filters

Create dynamic attributes filters to expose them as dynamic objects in Secure Firewall Management Center for use in access control policies.

Dynamic attributes filters that you define using the Dynamic Attributes Connector are exposed in the Secure Firewall Management Center as dynamic objects that can be used in access control policies. For example, restrict access to an AWS server for the Finance Department to only members of the Finance group defined in Microsoft Active Directory.


Note


You cannot create dynamic attributes filters for Generic Text, Office 365, Azure Service Tags, Webex, or Zoom. These types of cloud objects provide their own IP addresses.


For more information about access control or DNS rules, see Create access control rules or DNS rules using dynamic attributes filters.

Before you begin

Create a connector

Procedure


Step 1

Log in to the Secure Firewall Management Center.

Click Integrations > Dynamic Attributes Connector > Dynamic Attributes Filters.

Step 2

Do any of the following:

  • Add a new filter: click Add (add icon).

  • Edit or delete a filter: Click More (more icon), then click Edit or Delete at the end of the row.

Step 3

Enter the following information.

Item

Description

Name

Unique name to identify the dynamic filter (as a dynamic object) in a policy and in the Secure Firewall Management Center Object Manager (External Attributes > Dynamic Object).

Connector

From the list, click the name of a connector to use.

Query

Click Add add icon.

Step 4

To add or edit a query, enter the following information.

Item Description

Key

Click a key from the list. Keys are fetched from the connector.

Operation

Click one of the following:
  • Equals to exactly match the key to the value.

  • Contains to match the key to the value if any part of the value matches.

Values

Click either Any or All and click one or more values from the list. Click Add another value to add values to your query.

Step 5

Click Show Preview to display a list of networks or IP addresses returned by your query.

Step 6

When you're finished, click Save.

Step 7

(Optional.) Verify the dynamic object in the Secure Firewall Management Center.

  1. Log in to the Secure Firewall Management Center as a user with the Network Admin role at minimum.

  2. Click Objects > External Attributes > Dynamic Object.

    The dynamic attribute query you created should be displayed as a dynamic object.


Create access control rules or DNS rules using dynamic attributes filters

Create access control rules using dynamic objects that are based on dynamic attributes filters you have previously configured.

This topic discusses how to create access control rules using dynamic objects (these dynamic objects are named after the dynamic attributes filters you created previously).

To add dynamic attributes filters to DNS policies, see Create basic DNS policies.

To add dynamic attributes filters to DNS policies, see Creating Basic DNS Policies.

Before you begin

Create dynamic attributes filters as discussed in Create dynamic attributes filters.


Note


You cannot create dynamic attributes filters for Generic Text, Office 365, Azure Service Tags, Webex, or Zoom. These types of cloud objects provide their own IP addresses.


Follow these steps to create access control rules or DNS rules using dynamic attributes filters:

Procedure


Step 1

Log in to the Secure Firewall Management Center

Click Policies > Security policies > Access Control.

Step 2

Click Edit (edit icon) next to an access control policy.

Step 3

Click Add Rule.

Step 4

Click the Dynamic Attributes tab.

Step 5

In the Available Attributes section, from the list, click Dynamic Objects.

The following figure shows an example.

Configure Dynamic Attributes created using the dynamic attributes connector as dynamic objects in access control rules. Use those exactly as you would network objects.

This example shows a dynamic object named APIC Dynamic Attribute that corresponds to the dynamic attribute filter created in the dynamic attributes connector.

Step 6

Add the desired object to source or destination attributes.

Step 7

Add other conditions to the rule if desired.


What to do next

See Dynamic attributes rule conditions.

Deactivating and deleting the pxGrid Cloud identity source

Deactivating the FMC app instance in the Catalyst Cloud Portal is an optional task to troubleshoot issues with the Cisco ISE integration.

You should delete the pxGrid Cloud identity source from the Secure Firewall Management Center when you are certain you don't want to use it again.

Deactivate the pxGrid Cloud app instance

This task explains how to deactivate a pxGrid Cloud app instance using the Catalyst Cloud Portal when your Cisco ISE or pxGrid Cloud stops working or you need to update it.

This is an optional task. You should do this only if your Cisco ISE or pxGrid Cloud stops working or you need to update it.

Before you begin

Make sure your current pxGrid Cloud identity source is active as discussed in Activate the pxGrid Cloud identity source.

Follow these steps to deactivate the pxGrid Cloud app instance:

Procedure


Step 1

Log in to the Cisco Catalyst Cloud Portal.

Step 2

In the Catalyst Cloud Portal, click The image illustrates the steps to deactivate an app instance in the Cisco DNA Portal, highlighting the Applications and Products section. > Applications and Products as the following figure shows:

In the Cisco DNA Portal, go to Applications and Products

Step 3

Click Applications.

Step 4

Click Manage for Firewall Management Center.

From the Select Instance list, click the name of the firewall application you created earlier.

Example:

The image illustrates the process of deactivating an app instance in the Cisco DNA Portal, highlighting the relevant options and interface elements.

Step 5

In the Actions column, click More icon (more icon) > Deactivate.

Step 6

Wait until the product is removed.

You can click Refresh (refresh icon) to see updated status if necessary.

Step 7

ISE 3.3 or earlier: Disconnect the app instance:

  1. Log in to Cisco ISE as an administrator.

  2. Click Administration > pxGrid Services > Client Management > pxGrid cloud connection.

  3. Click Disconnect.

    Example:

    Disconnect Cisco ISE from pxGrid Cloud as part of reconfiguring the identity source

Step 8

ISE 3.4 or later: Deregister the app instance:

  1. Log in to Cisco ISE as an administrator.

  2. Click Administration > System > Deployment.

  3. Expand Deployment.

  4. Click the name of the ISE node.

  5. In the General Settings tab page, scroll to locate pxGrid.

  6. Click Deregister.

    Example:

    Deregister Cisco ISE from pxGrid Cloud as part of reconfiguring the identity source

Step 9

To verify the app instance is deactivated in Secure Firewall Management Center:

  1. Log in to Secure Firewall Management Center.

  2. Click Integrations > Identity > Identity Sources

  3. Click Identity Services Engine (pxGrid Cloud).

  4. Verify that Not Activated is displayed in the Activated ISE column.

    Example:

    The app instance is shown as deactivated, with "Not Activated" indicated in the Activated ISE column.


What to do next

Delete the pxGrid Cloud identity source

Delete the pxGrid Cloud identity source from Secure Firewall Management Center when you no longer need it.

This task explains how to delete the pxGrid Cloud identity source from Secure Firewall Management Center, which is necessary if you do not want to use it again.

Before you begin

Deactivate the FMC app instance from the Catalyst Cloud Portal as discussed in Deactivate the pxGrid Cloud app instance.

Follow these steps to delete the pxGrid Cloud identity source:

Procedure


Step 1

Log in to the Secure Firewall Management Center.

Click Integrations > Identity > Identity Sources.

Step 2

Click Identity Services Engine (pxGrid Cloud).

Step 3

For Service Type, click None.

Example:

The image illustrates the process of deleting an item from a digital interface, highlighting the confirmation dialog that appears to ensure the user intends to proceed with the deletion.

Step 4

Click Save.

Step 5

Confirm your choice when prompted.

Step 6

Click Identity Services Engine (pxGrid Cloud).

Step 7

Click Delete (delete icon).

Example:

The image illustrates the process of deleting an item from the system, highlighting the steps involved in the deletion procedure.

Step 8

Confirm the action when prompted.