Configure ISE for User Control

The following procedure discusses how to configure the ISE/ISE-PIC identity source. You must be in the global domain to perform this task.

Threat Defense Feature History:

7.2—Optionally add a proxy, which is a connection to one or more cCisco Defense Orchestrator in the event Cisco Defense Orchestrator cannot communicate with the ISE/ISE-PIC server. .

Before you begin

To get user sessions from a Microsoft Active Directory Server or supported LDAP server, configure and enable a realm for the Cisco ISE server, assuming the pxGrid persona, as discussed in Create an LDAP Realm or an Active Directory Realm and Realm Directory.
To get all mappings that are defined in Cisco ISE, including SGT-to-IP address mappings published through SXP, use the procedure that follows. As an alternative, you have the following options:
- To use the SGT information in the packets only, and not use mappings downloaded from Cisco ISE, skip the steps discussed in Create and Edit Access Control Rules. Note that in this case, you can use SGT tags as a source condition only; these tags will never match destination criteria.
- To use SGT in packets and user-to-IP-address/SGT mappings only, do not subscribe to the SXP topic in the Cisco ISE identity source, and do not configure ISE to publish SXP mappings. You can use this information for both source and destination matching conditions.
(Advanced configuration only.) Export certificates from the ISE/ISE-PIC server and optionally import them into the management center as discussed in Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center.
To publish SXP topics so the management center can be updated with Security Group Tags (SGT) on the ISE server, see Configure ISE/ISE-PIC.

Procedure

Step 1

Step 2

Click Integration > Other Integrations > Identity Sources.

Step 3

Click Identity Services Engine for the Service Type to enable the ISE connection.

Note	To disable the connection, click None.

Step 4

Enter a Primary Host Name/IP Address and, optionally, a Secondary Host Name/IP Address.

Step 5

Click the appropriate certificate authorities from the pxGrid Server CA and MNT Server CA lists, and the appropriate certificate from the pxGrid Client Certificate list. You can also click Add ( add icon ) to add a certificate.

Note	The pxGrid Client Certificate must include the clientAuth extended key usage value, or it must not include any extended key usage values.

Step 6

(Optional.) Enter an ISE Network Filter using CIDR block notation.

Step 7

In the Subscribe To section, check the following:

Session Directory Topic to receive ISE user session information from the ISE server.
SXP Topic to receive updates to SGT-to-IP mappings when available from the ISE server. This option is required to use destination SGT tagging in access control rules.

Step 8

(Optional.) From the Proxy list, click either a managed device or a proxy sequence.

If CDO cannot communicate with your ISE/ISE-PIC server, you can choose either a managed device or proxy sequence to do it. For example, your CDO might be in a public cloud but the ISE/ISE-PIC server might be on an internal intranet.

Step 9

To test the connection, click Test.

If the test fails, click Additional Logs for more information about the connection failure.

What to do next

Specify users to control and other options using an identity policy as described in Create an Identity Policy.
Associate the identity rule with an access control policy, which filters and optionally inspects traffic, as discussed in Associating Other Policies with Access Control.
Use Security Group Tags (SGT) from Cisco ISE as dynamic attributes in access control policies.

For more information, see Configure Dynamic Attributes Conditions.
Deploy your identity and access control policies to managed devices as discussed in Deploy Configuration Changes.
Monitor user activity .