Overview of the Identity Services Engine (ISE) / ISE Passive Identity Controller (ISE-PIC) Service
Cisco’s Identity Services Engine (ISE), and Passive Identity Connector (ISE-PIC) are applications that run on separate servers in your network to provide enhanced identity management. The Web Security appliance can access user-identity information from an ISE or ISE-PIC server. When either ISE, or ISE-PIC is configured, information is retrieved (user names and associated Secure Group Tags from ISE, user names and Active Directory groups from ISE-PIC) for appropriately configured Identification Profiles, to allow transparent user identification in policies configured to use those profiles.
Cisco’s Platform Exchange Grid (pxGrid) enables collaboration between components of the network infrastructure, including security-monitoring and network-detection systems, identity and access management platforms, and so on. These components can use pxGrid to exchange information via a publish/subscribe method.
There are essentially three pxGrid components: the pxGrid publisher, the pxGrid client, and the pxGrid controller.
pxGrid publisher – Provides information for the pxGrid client(s).
pxGrid client – Any system, such as the Web Security appliance, that subscribes to published information; in this case, Security Group Tag (SGT), Active Directory groups, user-group, and profiling information.
pxGrid controller – In this case, the ISE/ISE-PIC pxGrid node that controls the client registration/management and topic/subscription processes.
Trusted certificates are required for each component, and these must be installed on each host platform.
About the ISE/ISE-PIC Server Deployment and Failover
A single ISE/ISE-PIC node set-up is called a standalone deployment, and this single node runs the Administration, and Policy Service. To support failover and to improve performance, you must set up multiple ISE/ISE-PIC nodes in a distributed deployment. The minimum required distributed ISE/ISE-PIC configuration to support ISE/ISE-PIC failover on your Web Security appliance is:
Two pxGrid nodes
Two Administration nodes
One Policy Service node
This configuration is referred to in the Cisco Identity Services Engine Hardware Installation Guide as a 'Medium-Sized Network Deployment'. Refer to the network deployments section in that installation guide for additional information.