Quick configuration

Configure Cisco ISE integration with the firewall to authenticate applications and enable identity-based access control.

This task discusses how to configure Cisco ISE (but not ISE-PIC) by entering a user name and password. The Cloud-Delivered Firewall Management Center then logs in to ISE and downloads the necessary certificates to authenticate the two applications.

Firewall Threat Defense Feature History:

7.6—This feature is introduced.

Before you begin

See these topics first:

Procedure

Step 1

Log in to the Cloud-Delivered Firewall Management Center. Click Policies > Threat Defense > Integration > Other Integrations > Identity > Identity Sources

Step 2

Click Identity Services Engine for the Service Type to enable the ISE connection.

Note	To disable the connection, click None.

Step 3

Click Quick Configuration (New).

In the Primary PAN FQDN/IP Address field, enter the fully qualified domain name or IP address of the policy administration node (PAN). Do not enter a scheme (such as https:// ).
In the Username field, enter the user name of a user in at least the ERS Operator group.

For more information about groups, see the section on Cisco ISE Administrator Groups in the Identity Services Engine administrator guides.
In the Password field, enter the user's password.

Step 4

(Optional.) Enter an ISE Network Filter using CIDR block notation.

Step 5

In the Subscribe To section, check both options:

Session Directory Topic to receive ISE user session information from the ISE server.
SXP Topic to receive updates to SGT-to-IP mappings when available from the ISE server. This option is required to use destination SGT tagging in access control rules.

Step 6

(Optional.) From the Proxy list, click either a managed device or a proxy sequence.

If Security Cloud Control cannot communicate with your ISE/ISE-PIC server, you can choose either a managed device or proxy sequence to do it. For example, your Security Cloud Control might be in a public cloud but the ISE/ISE-PIC server might be on an internal intranet.

Step 7

To test the connection, click Test.

Step 8

(Optional.) After a successful test, click Save this Config at the top of the page to save the configuration on the Cloud-Delivered Firewall Management Center.

What to do next

Specify users to control and other options using an identity policy as described in Create an identity policy.
Associate the identity rule with an access control policy, which filters and optionally inspects traffic, as discussed in Associating other policies with access control.
Use Security Group Tags (SGT) from Cisco ISE as dynamic attributes in access control policies.

For more information, see Configure Dynamic Attributes Conditions.
Deploy your identity and access control policies to managed devices as discussed in Deploy Configuration Changes.
Monitor user activity .