How to Configure ISE/ISE-PIC for User Control Using a Realm

Before you begin

This topic provides a high-level overview of tasks you must complete to configure ISE/ISE-PIC for user control and to be able to allow or block user or group access to the network. Users and groups can be stored in any server listed in Supported Servers for Realms.

Procedure

Command or Action / Purpose

Step 1

Destination SGT only: Enable SXP on ISE.

This enables the management center to receive updates from ISE when SGT metadata changes.

Step 2

Export system certificates from ISE/ISE-PIC.

The certificates are required to connect securely between the ISE/ISE-PIC pxGrid and monitoring (MNT) servers and the management center. See Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center.

Step 3

Import the certificates in the management center.

The certificates must be imported as follows:

  • pxGrid client certificate: internal certificate with key (Objects > Object Management > PKI > Internal Certs)

  • pxGrid server certificate: trusted CA (Objects > Object Management > PKI > Trusted CAs)

  • MNT certificate: trusted CA
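A common reason the pxGrid connection fails after Step 3 is that the wrong file pair was imported: a client certificate whose private key does not match, or a server or MNT certificate that is not actually a CA certificate. The following script is an added example, not part of the Cisco guide, that checks the exported files with openssl before you import them. The file names and the check_certs.sh script name are hypothetical; the CA and client certificate it generates for its self-check are constructed test material, not ISE output.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pre-import sanity checks for the
# certificate files used in Step 3, run with the openssl command-line tool.
set -u

# Return 0 when the public half of the private key ($2) matches the public key
# inside the certificate ($1): this is the pxGrid client cert + key pair that
# must be imported together as an internal certificate with key.
key_matches_cert() {
  cert_hash=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256 | awk '{print $NF}')
  key_hash=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256 | awk '{print $NF}')
  [ -n "$cert_hash" ] && [ "$cert_hash" = "$key_hash" ]
}

# Return 0 when the certificate carries basicConstraints CA:TRUE, which is what
# a certificate imported as a trusted CA (pxGrid server, MNT) should have.
is_ca_cert() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Return 0 when the certificate is valid right now (not yet expired).
is_not_expired() {
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Constructed fixtures for a self-check: a throwaway CA and a leaf certificate
# signed by it, standing in for the pxGrid server CA and the client cert/key.
# The leaf is issued without extensions, so it must NOT look like a CA.
make_fixtures() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pxgrid-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" 2>/dev/null
  echo "$dir"
}

# Usage: sh check_certs.sh <client-cert.pem> <client-key.pem> <server-or-mnt-ca.pem>
if [ $# -eq 3 ]; then
  key_matches_cert "$1" "$2" && echo "OK: client certificate and key match" \
    || echo "MISMATCH: client certificate and key do not belong together"
  is_ca_cert "$3" && echo "OK: trusted CA file has CA:TRUE" \
    || echo "WARNING: trusted CA file lacks CA:TRUE; check you exported the CA, not a leaf"
  is_not_expired "$1" && is_not_expired "$3" && echo "OK: certificates are not expired" \
    || echo "WARNING: at least one certificate has expired"
fi
```

Run it against the three exported files before Step 3; if the key check fails, re-export the client certificate and key from the same ISE system certificate entry rather than mixing files from different exports. Run the MNT certificate through the same CA check as the pxGrid server certificate.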

Step 4

(Optional) Create a proxy sequence for use with the realm and also with ISE/ISE-PIC.

A proxy sequence is one or more managed devices that can be used to communicate with an LDAP, Active Directory, or ISE/ISE-PIC server. It is necessary only if CDO cannot communicate with your Active Directory or ISE/ISE-PIC server. (For example, CDO might be in a public cloud but Active Directory or ISE/ISE-PIC might be in a private cloud.)

Although you can use one managed device as a proxy sequence, we strongly recommend you set up two or more so that, in the event one managed device cannot communicate with Active Directory or ISE/ISE-PIC, another managed device can take over.

Step 5

Create a realm.

Creating a realm is required only if you want to control access to the network by the users and groups you choose.

See Create an LDAP Realm or an Active Directory Realm and Realm Directory.

Step 6

Download users and groups, and enable the realm.

Downloading users and groups enables you to use them in access control rules. See Synchronize Users and Groups.

Step 7

Create the ISE/ISE-PIC identity source.

The ISE/ISE-PIC identity source enables you to control user activity using Security Group Tags (SGTs) provided by ISE/ISE-PIC. See Configure ISE for User Control.

Step 8

Create an identity policy.

An identity policy is a container for one or more identity rules. See Create an Identity Policy.

Step 9

Create an identity rule.

An identity rule specifies how a realm is used to control access to the network by users and groups. See Create an Identity Rule.

Step 10

Associate the identity policy with an access control policy.

This enables the access control policy to use users and groups in the realm.

Step 11

Create an access control rule.

The access control rule specifies an action to take (for example, allow or block) if traffic matches the rule criteria. You can use source and destination SGT metadata as matching criteria in the access control rule. See Introduction to Access Control Rules.

Step 12

Deploy the access control policy to managed devices.

Before your policy can take effect, it must be deployed to managed devices. See Deploy Configuration Changes.

What to do next

Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center