View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0202 - ISE 1.3 pxGrid

Rating: 
5
Average: 5 (2 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
The video introduces you to the new pxGrid feature on Cisco ISE 1.3. We will begin with enabling pxGrid service and install required certificate. We will then configure Identity Mapping feature, connect ISE to a domain controller, and test authentication for user-to-IP mapping. We will finish up by enabling auto-registration and review publisher and subscriber roles. 
 
Topic:
 
  • Cisco pxGrid Service
  • pxGrid Identity Certificate
  • pxGrid Client Registration
  • Identity Mapping
  • Mapping Filter

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

6 comments

does anything need to be done on the AD to allow AD Domain integration in pxGrid Identity Mapping ?
while doing this process I'm getting the error :
The connection was tested on 'ISEBedford01.clearwater.ca' Identity Mapping active node.
Connection to 'DCBedford.clearwater.ca' failed.
Unable to connect to the machine, please check the DC state

yes I can resolve the IP correctly from the ISE box.

What type of account you use to connect to DC? Try domain admin account and if that works, it might be privilege issue.

Hi Metha,
Can I use pxgrid to integrate ISE with ASA, so that i can do firewall access rule based on the usernames instead of IP address. ?
I weant to do ASA access list based on username NOT IP, because IP changes always, what can i do ?

Thanks Metha.

You can with Firepower but not ASA. ASA alone is not capable of pxGrid.

Thanks a lot,
1- So , If i have Firepower module on ASA, i could configure the firewall access-list rules using the username instead of IP ? and this by integrating sourcefire with ISE ?
OR I can integrate Firepower module direct with Active Directory ? and make ACL with username?

2- Firepower acts like ISE as contoller or just subscriber ? so it must be integrated to contoller like ISE ?

Thanks again.

1. FP 6.0 allows you to use either ISE or AD agent as identity source so if you don't have ISE, you can install AD agent to get user-to-mapping that way

2. FP relies on ISE to provide pxGrid controller service. For the most part, it is a subscriber, but technically it can also be a publisher.