ISE/ISE-PIC Configuration Fields

The following fields are used to configure a connection to ISE/ISE-PIC.

Primary and Secondary Host Name/IP Address

The hostname or IP address for the primary and, optionally, the secondary pxGrid ISE servers.

The ports used by the host names you specify must be reachable by both ISE and the management center.

pxGrid Server CA

The trusted certificate authority for the pxGrid framework. If your deployment includes a primary and a secondary pxGrid node, the certificates for both nodes must be signed by the same certificate authority.

MNT Server CA

The trusted certificate authority for the ISE certificate when performing bulk downloads. If your deployment includes a primary and a secondary MNT node, the certificates for both nodes must be signed by the same certificate authority.

pxGrid Client Certificate

The internal certificate and key that the Secure Firewall Management Center must provide to ISE/ISE-PIC to connect to ISE/ISE-PIC or to perform bulk downloads.

Note

The pxGrid Client Certificate must include the clientAuth extended key usage value, or it must not include any extended key usage values.

ISE Network Filter

An optional filter you can set to restrict the data that ISE reports to the Secure Firewall Management Center. If you provide a network filter, ISE reports data from the networks within that filter. You can specify a filter in the following ways:

  • Leave the field blank to specify any.

  • Enter a single IPv4 address block using CIDR notation.

  • Enter a list of IPv4 address blocks using CIDR notation, separated by commas.

Note

This version of the system does not support filtering using IPv6 addresses, regardless of your ISE version.
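
A pre-flight check for a value before it is entered in the ISE Network Filter field, as an added example that is not part of the product or of this documentation. The function names and sample addresses are constructed for illustration, and rejecting stray commas and blocks with host bits set is this example's own choice, not documented system behavior.

```python
import ipaddress

def parse_ise_network_filter(value):
    """Return (networks, errors) for an ISE Network Filter value.

    An empty networks list with no errors means "any" (blank field).
    """
    networks, errors = [], []
    if value is None or not value.strip():
        return networks, errors
    for raw in value.split(","):
        entry = raw.strip()
        addr, sep, prefix = entry.partition("/")
        if not entry:
            errors.append("empty entry (stray comma)")
        elif not sep or not prefix.isdigit():
            errors.append(f"{entry}: CIDR prefix length required")
        else:
            try:
                iface = ipaddress.ip_interface(entry)
            except ValueError as exc:
                errors.append(f"{entry}: invalid address block ({exc})")
                continue
            if iface.version != 4:
                # The documentation states IPv6 filtering is unsupported.
                errors.append(f"{entry}: IPv6 filters are not supported")
            elif iface.ip != iface.network.network_address:
                # Assumption of this example: flag ambiguous blocks instead of guessing.
                errors.append(f"{entry}: host bits set, did you mean {iface.network}?")
            else:
                networks.append(iface.network)
    return networks, errors

def filter_covers(networks, address):
    """True if data for this address falls inside the filter (empty list = any)."""
    ip = ipaddress.ip_address(address)
    return not networks or any(ip in net for net in networks)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for sample in ["", "10.0.0.0/8, 192.168.10.0/24", "10.1.2.3/16", "2001:db8::/32"]:
        print(repr(sample), parse_ise_network_filter(sample))
```

Running `filter_covers` against a few known endpoint addresses before saving the filter shows whether the session data you expect from ISE would fall inside it.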

Subscribe to:

  • Session Directory Topic: Check this box to subscribe to user session information from the ISE server. Includes SGT and endpoint metadata.

  • SXP Topic: Check this box to subscribe to SXP mappings from the ISE server.

Proxy

You can optionally choose either a managed device or a proxy sequence to communicate with ISE/ISE-PIC if CDO is unable to do so. For example, your CDO might be in a public cloud but the ISE/ISE-PIC server might be on an internal intranet.