Configure ISE/ISE-PIC for user control using a realm

This task enables you to configure ISE/ISE-PIC for user control and to allow or block user or group access to the network. Users and groups can be stored in any server listed in Supported servers for realms.

This topic provides a high-level overview of tasks you must complete to configure ISE/ISE-PIC for user control and to be able to allow or block user or group access to the network.

Procedure

Step 1	Enable SXP on ISE for destination SGT only. This enables the Cloud-Delivered Firewall Management Center to receive updates from ISE when SGT metadata changes.
Step 2	Export system certificates from ISE/ISE-PIC. The certificates are required to connect securely between the ISE/ISE-PIC pxGrid, monitoring (MNT) servers and the Cloud-Delivered Firewall Management Center. See the following: pxGrid server and MNT server certificate: Export certificates from the ISE/ISE-PIC server for use in the Cloud-Delivered Firewall Management Center pxGrid client certificate: Generate a self-signed certificate
Step 3	Import the certificates in the Cloud-Delivered Firewall Management Center. The certificates must be imported as follows: pxGrid client certificate: internal certificate with key (Objects > PKI > Internal Certs) pxGrid server certificate: trusted CA (Objects > PKI > Trusted CAs) MNT certificate: trusted CA
Step 4	Create a proxy sequence for use with the realm and also with ISE/ISE-PIC (optional). A proxy sequence is one or more managed devices that can be used to communicate with an LDAP, Active Directory, or ISE/ISE-PIC server. It is necessary only if Security Cloud Control cannot communicate with your Active Directory or ISE/ISE-PIC server. (For example, Security Cloud Control might be in a public cloud but Active Directory or ISE/ISE-PIC might be in a private cloud.) Although you can use one managed device as a proxy sequence, we strongly recommend you set up two or more so that, in the event one managed device cannot communicate with Active Directory or ISE/ISE-PIC, another managed device can take over.
Step 5	Create a realm. You must create a realm only to control access to the network by the users and groups you choose. See Create an LDAP realm or an Active Directory realm and realm directory. Download users and groups, and enable the realm. Downloading users and groups enables you to use them in access control rules. See Synchronize users and groups.
Step 6	Create the ISE/ISE-PIC identity source. The ISE/ISE-PIC identity source enables you to control user activity using Security Group Tags (SGT) provided by ISE/ISE-PIC.
Step 7	Create an identity policy. An identity policy is a container for one or more identity rules. See Create an identity policy. Create an identity rule. An identity rule specifies how a realm is used to control access to the network by users and groups. See Create an identity rule.
Step 8	Associate the identity policy with an access control policy. This enables the access control policy to use users and groups in the realm. Create an access control rule. The access control rule specifies an action to take (for example, allow or block) if traffic matches the rule criteria. You can use source and destination SGT metadata as matching criteria in the access control rule. See About access control rules.
Step 9	Deploy the access control policy to managed devices. Before your policy can take effect, it must be deployed to managed devices. See Deploy Configuration Changes.

What to do next

Export certificates from the ISE/ISE-PIC server for use in the Cloud-Delivered Firewall Management Center