How to Configure ISE/ISE-PIC Without a Realm

This topic provides a high-level overview of the tasks you must complete to configure ISE so that you can allow or block access to the network using Security Group Tags (SGTs).

Procedure

Command or Action | Purpose

Step 1

SGT matching: Enable SXP on ISE.

This enables the management center to receive updates from ISE when SGT metadata changes.

Step 2

Export system certificates from ISE/ISE-PIC.

The certificates are required to connect securely between the ISE/ISE-PIC pxGrid and monitoring (MNT) servers and the management center. See Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center.

Step 3

Import the certificates in the management center.

The certificates must be imported as follows:

  • pxGrid client certificate: internal certificate with key (Objects > Object Management > PKI > Internal Certs)

  • pxGrid server certificate: trusted CA (Objects > Object Management > PKI > Trusted CAs)

  • MNT certificate: trusted CA

Step 4

Create the ISE/ISE-PIC identity source.

The ISE/ISE-PIC identity source enables you to control user activity using Security Group Tags (SGT) provided by ISE/ISE-PIC. See Configure ISE for User Control.

Step 5

Create an access control rule.

The access control rule specifies an action to take (for example, allow or block) if traffic matches the rule criteria. You can use source and destination SGT metadata as matching criteria in the access control rule. See Introduction to Access Control Rules.

Step 6

Deploy the access control policy to managed devices.

Before your policy can take effect, it must be deployed to managed devices. See Deploy Configuration Changes.
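
A pre-import check for the files exported in Step 2, as an added example that is not part of the vendor documentation: it confirms that the pxGrid client certificate and its private key belong together (Step 3 imports them as an internal certificate with key) and that all three certificates stay valid for at least 30 days. The file names, the 30-day threshold and the KEY_PASS variable are assumptions, and the files are assumed to be PEM-encoded.

```bash
#!/usr/bin/env bash
# Added example: checks to run on exported ISE/ISE-PIC certificate files before
# importing them in the management center. File names are hypothetical.

# Exit 0 if the private key belongs to the certificate, 1 if it does not,
# 2 if either file cannot be parsed. $3 is an optional key passphrase.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Print one PASS/FAIL line per check; return non-zero if any check failed.
# Usage: preimport_check <client_cert> <client_key> <pxgrid_server_cert> <mnt_cert>
preimport_check() {
  local rc=0 f
  if cert_matches_key "$1" "$2" "${KEY_PASS:-}"; then
    echo "PASS pxGrid client certificate matches its key"
  else
    echo "FAIL pxGrid client certificate and key do not match or are unreadable"; rc=1
  fi
  for f in "$1" "$3" "$4"; do
    if cert_valid_for_days "$f" 30; then
      echo "PASS $f valid for at least 30 days"
    else
      echo "FAIL $f expired, expiring within 30 days, or unreadable"; rc=1
    fi
  done
  return $rc
}

# Constructed sample data: a throwaway self-signed certificate and an unrelated key.
# $1 is the output directory, $2 the certificate lifetime in days (default 365).
make_demo_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "${2:-365}" -subj "/CN=demo" \
    -keyout "$1/demo.key" -out "$1/demo.pem" >/dev/null 2>&1 &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.key" >/dev/null 2>&1
}
```

A FAIL on the key check means the wrong key file was exported with the client certificate; re-export the pair from ISE/ISE-PIC rather than importing it.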

What to do next

Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center