How to Configure ISE/ISE-PIC Without a Realm
This topic provides a high-level overview of the tasks you must complete to configure ISE to allow or block access to the network using Security Group Tags (SGT).
Procedure
Step | Command or Action | Purpose |
---|---|---|
Step 1 | SGT matching: Enable SXP on ISE. | This enables the management center to receive updates from ISE when SGT metadata changes. |
Step 2 | Export system certificates from ISE/ISE-PIC. | The certificates are required to connect securely between the ISE/ISE-PIC pxGrid, monitoring (MNT) servers and the management center. See Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center. |
Step 3 | Import the certificates in the management center. | The certificates must be imported as follows: |
Step 4 | Create the ISE/ISE-PIC identity source. | The ISE/ISE-PIC identity source enables you to control user activity using Security Group Tags (SGT) provided by ISE/ISE-PIC. See Configure ISE for User Control. |
Step 5 | Create an access control rule. | The access control rule specifies an action to take (for example, allow or block) if traffic matches the rule criteria. You can use source and destination SGT metadata as matching criteria in the access control rule. See Introduction to Access Control Rules. |
Step 6 | Deploy the access control policy to managed devices. | Before your policy can take effect, it must be deployed to managed devices. See Deploy Configuration Changes. |
What to do next
Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center