Configure ISE/ISE-PIC for User Control

The following procedure discusses how to configure the ISE/ISE-PIC identity source. You must be in the global domain to perform this task.

Before you begin

  • To get user sessions from a Microsoft Active Directory Server or supported LDAP server, configure and enable a realm for the ISE server, assuming the pxGrid persona, as discussed in Create a Realm and Realm Directory.

  • Configure a connection to ISE or ISE-PIC. For more information, see The ISE/ISE-PIC Identity Source and ISE/ISE-PIC Configuration Fields.

  • To get all mappings that are defined in ISE, including SGT-to-IP address mappings published through SXP, use the procedure that follows. As an alternative, you have the following options:

    • To use the SGT information in the packets only, and not use mappings downloaded from ISE, skip the steps discussed in Create and Edit Access Control Rules. Note that in this case, you can use SGT tags as a source condition only; these tags will never match destination criteria.

    • To use SGT in packets and user-to-IP-address/SGT mappings only, do not subscribe to the SXP topic in the ISE identity source, and do not configure ISE to publish SXP mappings. You can use this information for both source and destination matching conditions.

  • Export certificates from the ISE/ISE-PIC server and optionally import them into the CDO as discussed in Export Certificates from the ISE/ISE-PIC Server for Use in the CDO.

Procedure

Step 1

Log in to the CDO.

Step 2

Click System (system gear icon) > Integration > Identity Sources.

Step 3

Click Identity Services Engine for the Service Type to enable the ISE connection.

Note

To disable the connection, click None.

Step 4

Enter a Primary Host Name/IP Address and, optionally, a Secondary Host Name/IP Address.

Step 5

Click the appropriate certificate authorities from the pxGrid Server CA and MNT Server CA lists, and the appropriate certificate from the FMC Server Certificate list. You can also click Add (add icon) to add a certificate.

Note

The FMC Server Certificate must include the clientAuth extended key usage value, or it must not include any extended key usage values.
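A quick way to verify this requirement before importing a certificate is to inspect its Extended Key Usage extension with the openssl CLI. The script below is an added example, not part of the Cisco documentation: it defines a check that accepts a PEM certificate when the EKU extension lists clientAuth or is absent, and rejects it when an EKU extension is present without clientAuth. The throw-away self-signed certificates, the CN fmc.example.test and the DEMO_DIR path are constructed for the demonstration and are not values from the procedure; openssl 1.1.1 or newer is assumed for the -addext option.

```shell
#!/bin/sh
# Added example (not Cisco's code): verify the FMC Server Certificate EKU rule.
# Accept when the EKU extension is absent or contains clientAuth; reject otherwise.
# Assumes the openssl CLI (1.1.1+ for -addext) is installed.

# Returns 0 when acceptable, 1 when EKU is present without clientAuth,
# 2 when the file cannot be parsed as an X.509 certificate.
check_fmc_cert_eku() {
  cert="$1"
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
    echo "ERROR: cannot parse $cert"
    return 2
  }
  if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
    echo "OK: no EKU extension (accepted)"
    return 0
  fi
  # openssl prints the EKU purposes on the line after the extension header.
  if printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
       | grep -q 'TLS Web Client Authentication'; then
    echo "OK: clientAuth EKU present"
    return 0
  fi
  echo "REJECT: EKU extension present but clientAuth missing"
  return 1
}

# Constructed test material: short-lived self-signed certificates written to a
# temporary directory. DEMO_DIR and the subject CN are placeholders.
DEMO_DIR=$(mktemp -d)
make_cert() {
  # $1 = output file name, $2 = extendedKeyUsage value list ("" for no EKU)
  if [ -n "$2" ]; then
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -days 1 -subj "/CN=fmc.example.test" -addext "extendedKeyUsage=$2" \
      -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1" >/dev/null 2>&1
  else
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -days 1 -subj "/CN=fmc.example.test" \
      -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1" >/dev/null 2>&1
  fi
}
make_cert clientauth.pem "clientAuth"
make_cert both.pem "serverAuth,clientAuth"
make_cert serverauth-only.pem "serverAuth"
make_cert no-eku.pem ""

# Report each constructed certificate against the rule.
for f in clientauth.pem both.pem serverauth-only.pem no-eku.pem; do
  printf '%-20s ' "$f"
  check_fmc_cert_eku "$DEMO_DIR/$f" || true
done
```

Run it against your own exported certificate with `check_fmc_cert_eku /path/to/fmc-cert.pem`; a certificate issued with only serverAuth is the common failure case, since many CA templates add that purpose by default.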

Step 6

(Optional.) Enter an ISE Network Filter using CIDR block notation.

Step 7

In the Subscribe To section, check the following:

  • Session Directory Topic to receive ISE user session information from the ISE server.

  • SXP Topic to receive updates to SGT-to-IP mappings when available from the ISE server. This option is required to use destination SGT tagging in access control rules.

Step 8

(Optional.) From the Proxy list, click either a managed device or a proxy sequence.

If CDO cannot communicate directly with your ISE/ISE-PIC server, you can choose either a managed device or a proxy sequence to relay the connection. For example, your CDO might be in a public cloud while the ISE/ISE-PIC server is on an internal intranet.

Step 9

To test the connection, click Test.

If the test fails, click Additional Logs for more information about the connection failure.

What to do next