You can configure the supported versions of Cisco ISE servers on the NIOS appliance. You can subscribe to the identity information that you want to collect from the Cisco ISE, such as user name, domain name, VLAN, session state, SSID, endpoint profile, and security group. You can also add extensible attributes that are not restricted to specific object types, and map these extensible attributes to Cisco ISE field types to collect additional information. Note that each Grid member can subscribe to only one Cisco ISE. You can publish ADP and RPZ notifications, and DHCP and IPAM information, from NIOS to Cisco ISEs based on the notification rules that you have configured.
For information about supported Cisco ISE versions to publish DHCP lease and IPAM information, see Integrating Cisco ISE into NIOS.
The procedures in the sections below are for configuring Cisco pxGrid 1.0. For instructions on configuring Cisco pxGrid 2.0, see Configuring Outbound Endpoints.
Configuring Cisco ISE Servers
You can configure a Cisco ISE server either by using the Ecosystem -> Cisco ISE Endpoint tab or by using the Ecosystem -> Outbound Endpoint -> Add -> Add Cisco ISE Endpoint option. This section describes how to configure a Cisco ISE server using the Ecosystem -> Cisco ISE Endpoint tab. For information about using the Add Cisco ISE Endpoint option, see Configuring Outbound Endpoints.
To configure a Cisco ISE server:
- From the Grid tab, select the Ecosystem tab -> Cisco ISE Endpoint tab, and then click the Add icon. Alternatively, from the Grid tab, select the Ecosystem tab, and click Add Cisco ISE from the Toolbar.
- In the Add Cisco ISE wizard, complete the following.
- Server Address: Enter the IP address of the Cisco ISE.
- Version: Select the version of the Cisco ISE.
- Subscribing Member: Click Select to select a Grid member that you want to subscribe as the client on the Cisco ISE. In the Member Selector dialog box, select a Grid member from the list. This member interacts with the Cisco ISE to obtain contextual information for the subscribed data types.
- Network View: This appears only when you have multiple network views. From the drop-down list, select the network view to associate with this Cisco ISE.
- Client Certificate: Click Select to upload the client certificate. In the Upload dialog box, click Select to navigate to the certificate, and then click Upload.
- Bulk Download Certificate: Click Select to download the server certificate (or the self-signed certificate) from the monitoring node.
- Manage Certificates: Click CA Certificates to upload the self-signed certificate or CA certificate. In the CA Certificates dialog box, click the Add icon, and then navigate to the certificate to upload it.
- Test Credentials: Click this to validate the Cisco ISE configuration before proceeding. When you click Test Credentials, the appliance validates the certificates. If validation fails, confirm that the CA certificate you uploaded under Manage Certificates is the one that issued the Cisco ISE server certificate, and that the client certificate you uploaded is the one the Cisco ISE trusts for the subscribing member.
- Comment: Enter additional information about the configuration.
- Disabled: Select this if you want to save the configuration but do not want to use it yet. You can clear this check box when you are ready to use this Cisco ISE.
- Click Next to specify the data types that you want to obtain from the Cisco ISE. The Cisco ISE shares information only for the subscribed data types. Complete the following to specify the data types you want to collect from the Cisco ISE:
- Subscription Settings: There are predefined data types in the Available Data Type table you can subscribe. Use the arrows to move data types from the Available Data Type table to the Selected Data Type table and vice versa. The appliance receives information for all data types in the Selected Data Type table.
- Map other data types to Extensible Attributes: You can create extensible attributes and map them to receive additional Cisco ISE data values, such as IP address, MAC, NAS IP Address, NAS Port ID, EPS Status, Posture Status, Posture Timestamp, Endpoint Profile Name, Account Session ID, and Audit Session ID. Click the Add icon and map a Cisco ISE data type to an extensible attribute. You can also select a row and click the Delete icon to delete it.
- Save the configuration.
Modifying Cisco ISE Configurations
After you have configured the Cisco ISE, you can select the data types that are to be published from NIOS to the Cisco ISE. You can modify the Cisco ISE configuration as follows:
- From the Grid tab, select the Ecosystem tab -> Cisco tab, click the Action icon next to the server name and select Edit from the menu.
- The Cisco ISE Server editor provides the following tabs from which you can modify data:
- General: You can modify data in this tab as described in Configuring Cisco ISE Servers.
- Subscription: You can edit the data types that you have subscribed to. Use the arrows to move data types from the Available Data Type table to the Selected Data Type table and vice versa. The appliance receives information for all data types in the Selected Data Type table and for the extensible attributes that are mapped.
- Publication: To publish dynamic data from NIOS, you must first configure notification rules, as described in Configuring Notification Rules. You can add the data types that you want to publish to the Cisco ISE server by using the arrows to move data types from the Available table to the Selected table and vice versa. The appliance publishes information only for the data types in the Selected table.
- Extensible Attributes: You can add, modify, and delete extensible attributes that are associated with the Cisco ISE server. For information, see Managing Extensible Attributes.
- Save the changes.
Overriding Subscription Settings
You can override subscription settings and mapped extensible attributes at the network container, network, and DHCP range levels. By default, these objects inherit the subscription settings configured when you added the Cisco ISE server. You can override those settings and specify new values at the network container, network, or DHCP range level. An object inherits subscription settings from its parent object: if you override the values at the network container level, the networks in that container inherit the container's values; otherwise, they continue to inherit the values configured for the Cisco ISE. A shared network without a parent network container continues to inherit settings from the Cisco ISE.
To override an inherited value, click Override next to it and complete the appropriate fields. When you click Override, the appliance displays the value inherited from its parent object (if any).
To override subscription settings and mapped extensible attributes:
- Network Level: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network check box, and then click the Edit icon.
- Network Container Level: From the Data Management tab, select the IPAM tab -> network_container check box, and then click the Edit icon.
- DHCP Range Level: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> addr_range check box, and then click the Edit icon.
- In the Network or Range editor, click Toggle Advanced Mode if the editor is in basic mode, and then click the Cisco ISE tab.
- Save the configuration and click Restart if it appears at the top of the screen.
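The inheritance rule described above (DHCP range -> network -> network container -> Cisco ISE server) and the extensible-attribute mapping from the Subscription step, worked through as an added example. This is not Infoblox or NIOS code, and none of the names in it are NIOS or pxGrid identifiers: the snake_case data-type and field keys, the `IseEndpoint`, `IpamObject` and `Grid` classes, and the session record are all constructed for illustration. The page lists the subscribable data types and the EA-mappable fields; the example uses those lists to reject a setting that names anything else, and applies the one-Cisco-ISE-per-member rule when a member subscribes.

```python
from dataclasses import dataclass
from typing import Optional

# Subscribable data types and EA-mappable fields as listed on this page.
# The snake_case keys are this example's own names, not NIOS or pxGrid identifiers.
PREDEFINED = frozenset({"user_name", "domain_name", "vlan", "session_state",
                        "ssid", "endpoint_profile", "security_group"})
MAPPABLE = frozenset({"ip_address", "mac", "nas_ip_address", "nas_port_id",
                      "eps_status", "posture_status", "posture_timestamp",
                      "endpoint_profile_name", "account_session_id",
                      "audit_session_id"})


@dataclass
class IseEndpoint:
    """Cisco ISE server as configured on the Grid (assumed shape)."""
    server: str
    data_types: frozenset       # contents of the Selected Data Type table
    ea_map: dict                # ISE field -> extensible attribute name


@dataclass
class IpamObject:
    """Network container, network, or DHCP range. A field left as None is
    inherited; a value means Override was clicked at this level."""
    name: str
    parent: Optional["IpamObject"] = None
    data_types: Optional[frozenset] = None
    ea_map: Optional[dict] = None


def effective_settings(obj, ise):
    """Walk obj -> parent -> ... and take the nearest override for each
    setting. Anything still unset when the chain ends (including a shared
    network whose parent is None) falls back to the Cisco ISE settings."""
    data_types, ea_map = None, None
    node = obj
    while node is not None and (data_types is None or ea_map is None):
        if data_types is None and node.data_types is not None:
            data_types = node.data_types
        if ea_map is None and node.ea_map is not None:
            ea_map = node.ea_map
        node = node.parent
    return (data_types if data_types is not None else ise.data_types,
            ea_map if ea_map is not None else ise.ea_map)


def apply_session(session, data_types, ea_map):
    """Reduce one ISE session record to what NIOS would keep under the given
    settings: the subscribed predefined fields plus EA values for mapped
    fields. Rejects settings that name types or fields this page does not list."""
    bad_types = set(data_types) - PREDEFINED
    if bad_types:
        raise ValueError(f"not a subscribable data type: {sorted(bad_types)}")
    bad_fields = set(ea_map) - MAPPABLE
    if bad_fields:
        raise ValueError(f"not an EA-mappable field: {sorted(bad_fields)}")
    fields = {k: session[k] for k in sorted(data_types) if k in session}
    eas = {ea: session[f] for f, ea in ea_map.items() if f in session}
    return {"fields": fields, "extensible_attributes": eas}


class Grid:
    """Enforces the page's rule that a member subscribes to only one Cisco ISE."""
    def __init__(self):
        self.subscriptions = {}     # member name -> ISE server address

    def subscribe(self, member, ise):
        if member in self.subscriptions:
            raise ValueError(f"{member} already subscribes to "
                             f"{self.subscriptions[member]}")
        self.subscriptions[member] = ise.server
        return ise.server


def demo():
    """Constructed topology and a constructed session record (not real data)."""
    ise = IseEndpoint("192.0.2.10", frozenset({"user_name", "vlan"}),
                      {"mac": "ISE_MAC"})
    container = IpamObject("10.0.0.0/8",
                           data_types=frozenset({"user_name", "ssid"}))
    network = IpamObject("10.1.0.0/16", parent=container)   # inherits container
    rng = IpamObject("10.1.0.100-10.1.0.200", parent=network,
                     ea_map={"audit_session_id": "ISE_AUDIT_SESSION"})
    shared = IpamObject("172.16.0.0/24")    # shared network, no container
    session = {"user_name": "alice", "domain_name": "corp.example",
               "vlan": "10", "ssid": "corp-wifi",
               "mac": "00:11:22:33:44:55", "audit_session_id": "0A00000100000A1B"}
    results = {}
    for obj in (container, network, rng, shared):
        dt, em = effective_settings(obj, ise)
        results[obj.name] = apply_session(session, dt, em)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the constructed topology the range takes its data types from the container (no override of its own or on the network in between) but its EA mapping from its own override, while the shared network with no container falls all the way back to the Cisco ISE settings.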
Viewing Identity Mapping Information
To view user information, you must first enable the identity mapping feature at the Grid level. For information about enabling the identity mapping feature, see Enabling Identity Mapping.
You do not need an MSManagement license to enable the identity mapping feature.
Deleting Cisco ISE Servers
When you delete a Cisco ISE, the appliance moves it to the Recycle Bin, if enabled. You can later restore it if needed. To delete a Cisco ISE server:
- From the Grid tab, select the Ecosystem tab > Cisco tab -> Cisco ISE server check box, and then click the Delete icon.
- In the Delete Confirmation dialog box, click Yes to delete the Cisco ISE server.