How-To Firepower ISE PxGrid

How to Integrate Cisco Firepower Management
Center 6.0 With ISE and TrustSec Through pxGrid

SECURE ACCESS HOW-TO GUIDES
Table of Contents
About this Document ...................................................................................................................................................... 4
Solution Introduction Cisco Management Center 6.0 with TrustSec using pxGrid with ISE .................................... 5
Cisco Firepower Management Center 6.0 .................................................................................................. 5
Cisco TrustSec ........................................................................................................................................... 5
Cisco Identity Service Engine (ISE) ........................................................................................................... 6
Cisco pxGrid............................................................................................................................................... 6
Technical Overview......................................................................................................................................................... 7
Cisco Identity Service Engine Dynamic Security Group Tags .................................................................................... 9
Self-Signed Certificate Operation ................................................................................................................................ 10
Configuring ISE 2.0 .................................................................................................................................. 10
Creating Firepower ISE Realm................................................................................................................. 11
Configuring Firepower Management Center 6.0 ...................................................................................... 13
Configuring Firepower ISE Identity Sources............................................................................................. 20
CA (Certificate Authority)- Signed Certificate Operation ........................................................................................... 22
Customized pxGrid template for CA-signed operation ............................................................................. 22
Configuring ISE 2.0 .................................................................................................................................. 27
Creating Firepower ISE Realm................................................................................................................. 34
Configuring Firepower Management Center 6.0 ...................................................................................... 36
ISE Identity Sources CA-Signed Certificate Configuration ....................................................................... 39
Firepower Management Center .................................................................................................................................... 42
Enabling Network Discovery .................................................................................................................... 42
ISE Identity Policy .................................................................................................................................... 42
Default Access Control Policy .................................................................................................................. 43
Adding ISE Identity Policy.................................................................................................................. 43
Transport/Network Layer Preprocessor Settings ............................................................................... 44
Adding Block Response Page ........................................................................................................... 45
Create Employee SGT tag Access Control rules ............................................................................... 46
Firepower pxGrid Intrusion Policy ............................................................................................................ 48
Testing User with Employee SGT via Firepower Virtual Sensor ............................................................................... 54
ASA with Firepower Services....................................................................................................................................... 60
Using centralized Firepower Management Center Policy ......................................................................... 60
Cisco Systems © 2016 Page 2

ASA Firepower (sfr) Installation and registering to Firepower Management Center .......................... 60
Testing User with Employee SGT from managed Firepower Management Policy............................. 62
On-Box Firepower Policy Management .................................................................................................... 64
Delete the ASA from the Firepower Management Center 6.0 ............................................................ 64
ISE Realm Configuration ................................................................................................................... 64
ISE Identity Sources Configuration .................................................................................................... 66
ISE Identity Policy .............................................................................................................................. 67
Adding ISE Identity Policy.................................................................................................................. 68
Transport/Network Layer Preprocessor Settings...................................................................................... 68
Adding Block Response Page .................................................................................................................. 69
ASA Create Employee SGT tag Access Control rules ............................................................................. 69
ASA Firepower pxGrid Intrusion Policy .................................................................................................... 72
Testing User Employee SGT using On-box Firepower Management Policy ............................................................ 75
Troubleshooting ............................................................................................................................................................ 81
ISE pxGrid node ....................................................................................................................................... 81
pxGrid published nodes do not appear and there is no pxGrid connectivity ...................................... 81
Firepower Management Center 6.0.......................................................................................................... 81
System Integration ISE certificate test fails ........................................................................................ 81
Not Seeing Correlation Events from ISE ............................................................................................ 81
ASA with Firepower Services ................................................................................................................... 81
Cannot Modify registered ASA device parameters on Firepower Management Center ..................... 81
SFR is still in the recovery state......................................................................................................... 82
No traffic on ASA Firepower reports .................................................................................................. 82
Solution Caveats ........................................................................................................................................................... 85
pxGrid & Identity mapping service restart ................................................................................................ 85
Active pxGrid node is not reflected in the GUI; It is reflected in CLI ......................................................... 85
References 87

About This Document

This document is intended for Cisco engineers and customers who are interested in deploying Cisco Firepower
Management Center (FMC) 6.0 with Cisco Identity Service Engine (ISE 1.3 or higher) using (platform exchange Grid)
pxGrid.
Please note that pxGrid remediation is not supported in Cisco Firepower Management Center FMC 6.0.
Cisco Firepower Management Center (FMC) 6.0 can now enforce an organizations security policy based on ISE
session attribute information available through pxGrid. These security policies can be applied to and enforced by the
Cisco Firepower to managed NGIPS sensors and/or an ASA with Firepower services. The ASA with Firepower
services vsm also manage these policies locally via ASDM.
This document provides the details of configuring Cisco Firepower Management Center (FMC) 6.0 and pxGrid
integration with ISE in an ISE Stand-Alone environment using self-signed certificates or using CA (Certificate
Authority)- signed certificates. If deploying pxGrid in an ISE production environment, please see
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-88-Configuring-pxGrid-in-an-ISE-Distributed-
Environment.pdf
In this document an ASA with Firepower services will be configured with the ASA Firepower (sfr) module and
register with Cisco Firepower Management Center (FMC) 6.0 to use the centrally managed Cisco Firepower
Management Center policy. The ASA with Firepower services will also be configured on-box with the Firepower
intrusion policy and access control rule independent of the FMC.
The Cisco Firepower Management Center managed security policy and ASA on box Firepower Management policy
will consist of an intrusion policy and Employee SGT access control rule for denying access to specific web
categories.
The reader should have some familiarity with ISE, Cisco Firepower Management Center and pxGrid.
.

Solution Introduction Cisco Management Center 6.0 with

TrustSec Using pxGrid with ISE
Cisco Firepower Management Center (FMC) 6.0 centrally manages and enforces an organizations security policy by
applying intrusion policies and access controls rules to the NGIPS sensors and the ASA with Firepower services.
FMC 6.0 uses network discovery to obtain the user identity information. In addition, the SFUA (Sourcefire User
Agent) is used to obtain more granular details for the user. The SFUA is used to obtain the user-to-ip mapping. Either
the SFUA or ISE can be used at a time.
End-users authenticate against an AD or LDAP realm, a default policy containing an organization’s security policy is
applied to the Cisco Firepower NGIPS sensors or ASA with Firepower services based on the user group information.
The security policy can encompass an intrusion policy, where pre-set levels of balanced security can be enforced, as
well as access control rules specific to user group.
Cisco (Platform Exchange Grid) pxGrid provides additional ISE attributes: security group tag (SGT), endpoint profile
device information, location IP to be used in the Cisco Firepower Management 6.0 access control rule policies.
SGT (Security Group Tags) are a component of TrustSec, and are defined in ISE and are implemented in ISE as
authorization policies based on an organization’s security policy for identity access. As an example, all wired users
using recommended corporate recommended devices area are tagged with an Employee SGT once successfully
authenticated through ISE. Wireless users using nonrecommended corporate devices are tagged with Non-Employee
SGT once successfully authenticated. These users must exist in the Firepower Management Center ISE realm.
The FMC 6.0 can then apply access control rules based on these security group tags. In addition FMC 6.0 can also
include the additional ISE pxGrid attributes to make the Firepower Management Center 6.0 policy context-aware.
Cisco Identity Service Engine (ISE) provides the identity solution and Cisco (Platform Exchange Grid) pxGrid
framework.
Cisco Firepower Management Center 6.0

The Cisco Firepower Management Center provides a centralized management console with web interface to manage
Firepower Appliances (NGIPS) and Firepower Services. It can be used to perform administrative, management,
analysis, and reporting tasks. It automatically aggregates and correlates intrusion, file, malware, discovery, connection,
and performance data, assessing the impact of events on particular hosts and tagging hosts with indications of
compromise.
Cisco TrustSec
Security Group Tags (SGT) are part of the Cisco TrustSec solution. SGTs are defined in ISE and applied at ingress
(inbound to the network). SGTs can represent a grouping of users, endpoint devices, line of business, etc. SGTs can
then be applied to a network access policy and used by network devices to make forwarding decisions and share access
control policies across the network infrastructure. A SGT is a unique 16-bit security group number assigned to a
security group. Security groups can also have descriptive naming.

SGTs are defined and implemented as authorization profiles in an ISE authorization policy consisting of condition
rules defining an organizations security policy.
SGTs can make an organization’s security policy uniform or global across the network.
In this document, an ISE authorization policy will be created such that all successfully authenticated end-users
belonging to the /users/domain Windows group will receive an employee SGT. This employee SGT will be used in a
Cisco Firepower managed access control rule policy denying access to streaming media, peer-to-peer applications,
hacking, malware sites, and gambling categories.
Cisco Identity Service Engine (ISE)

Identity Service Engine (ISE) is a security policy management and identity access management platform solution. ISE
provides centralized management by defining/issuing/enforcing 802.1x authentications, guest management policies,
posture, client provisioning and TrustSec policies. The ISE session directory provides rich contextual information for
IEEE 802.1x authenticated users that can be used in security solutions to include context-aware policies via pxGrid.
In addition ISE simplifies access control and security compliance for wired, wireless, and VPN connectivity and
supports corporate security policy initiatives.
Cisco pxGrid
Cisco (Platform Exchange Grid) pxGrid enables multivendor, cross platform network system collaboration among
parts of the IT infrastructure such as security monitoring and detection system, network policy platforms, asset and
virtually configuration management, identity and access management platforms, and virtually and other IT operations
platform.
When business or operational needs arise, Cisco’s Security Solutions such as Firepower Management Center 6.0 and
ecosystem partners can use pxGrid to exchange contextual information via a publish/subscribe method.

Technical Overview
Cisco Firepower Management Center 6.0 will register as a pxGrid client to the ISE pxGrid node and subscribe to ISE
published topics or capabilities to receive ISE session information. This session information includes: Security Group
Tags (SGT), endpoint profile device information, endpoint location to be used in Firepower Management Center’s 6.0
access control roles.
The function of these topics are:
• TrustsecMetadata information which exposes the security group tag umber and description
SecurityGroup : id=150138d0-cfc7-11e3-9e0e-000c29e66166, name=Engineering, desc=, tag=3
• EndpointProfileMetadata which provides ISE endpoint policy information such as changes/modifications to

the ISE profiling policy
Endpoint Profile : id=886f7570-bd0c-11e3-a88b-005056bf2f0a, name=Apple-iDevice, fqname Apple-Device:Apple-

iDevice
• SessionDirectory exposes the authenticated use session attribute information such as the username and device
information
session (ip=192.168.1.14, Audit Session Id=0A0301030000001E00FEBAD7, User Name=jsmith, Domain=lab4.com,

Calling station id=00:0C:29:77:A8:C7, Session state= STARTED, Epsstatus=null,Security Group=Engineering,
Endpoint Profile=Microsoft-Workstation, NAS IP=192.168.1.2, NAS Port=GigabitEthernet1/0/9, RADIUSAVPairs=[
Acct-Session-Id=00000027], Posture Status=null, Posture Timestamp=, Session Last Update Time=Tue Apr 29
15:11:46 GMT-05:00 2014

Active user sessions bulk downloads occur upon Cisco Firepower Management Center startup or reboots. Bulk
downloads of session information is downloaded from the ISE MNT node via the ISE RESTful API. This session
information includes: username, IP address, SGT, endpoint profile. If there are any updates such as recently
authenticated ISE users, or modifications of existing SGT, these changes will occur in real-time due to the Cisco
Firepower Management Center’s topic subscription:
The ISE session information from ISE can be seen under the Firepower Management Center’s user activity screen.
Please note that only IEEE 802.1X user authentication usernames from ISE can be applied to a FMC 6.0 policy and
must exist in the Firepower ISE realm. IEEE 802.1X machine authentication hostnames, or MAC address usernames
cannot by applied to the FMC 6.0 policy.

Cisco Identity Service Engine Dynamic Security Group Tags

Organizations security policies can be defined based on security group tags (SGT). This allows an organization to have
uniform and global security policies across the network. If Cisco TrustSec is enabled on the organization switches,
these security group tags can also be enforced on the network. Typically, security group tags of 2 are given to network
devices such as switches, routers, and firewalls.
In this document, a dynamic SGT of “employee” will be assigned to successfully authenticated end-users belonging to
the Windows user’s domain group. The SGT will then be applied to a Firepower Management access control rule that
will be applied to and enforced by the Firepower NGIPS virtual sensor and ASA with Firepower services.
Please note that additional security group tags can be directly configured from the ISE authorization policy or directly
from ISE via Work Center->TrustSec->Components->Security Groups menu.
Step 1 Create an Employee Security tag
Select Policy->Authorization-> -> and enter the following:
Rule Name: Employee;

New Condition: External Groups:equals:pxGrid_Users
Authorization Profile(s): Employee and Permit Access
Step 2 Select Done

Select Save

Self-Signed Certificate Operation

Self-signed certificate operation is used for POC environments only. This section is optional if you are deploying CA
signed certificates.
Configuring ISE 2.0

Self-signed certificates are used in a POC environment. In this configuration ISE is deployed in standalone
configuration.
Note: The ISE self-signed identity certificate is no longer required to be exported into the ISE certificate trusted store as in ISE 1.3 and ISE 1.4.
Step 1 Select Administration->System->Deployment, select the node->Edit->enable pxGrid
Step 2 Select Save

Step 3 Verify that the published nodes appear under pxGrid Services and there is connectivity.
Administration->pxGrid Services
Note: The published nodes may take a while to appear. Verify that pxGrid services have started by running: sh application status ise on the ISE
VM node.
Step 4 Enable Enable Auto-Registration

Step 5 Verify that you are connected to pxGrid
Creating Firepower ISE Realm

The ISE Realm is used for ISE authentication and will be used in the Firepower Management Center’s 6.0 Identity
Policy.
Step 1 Select System->Integration->Realms->New Realm
Step 2 Select OK
Step 3 Select Add Directory, enter the FQDN hostname or information

Step 4 Select Test, you should see that the: Test Connection has succeeded, select OK
Note: If you see a returned failed attempt, ensure that the directory username and directory password are correct in the Realm Configuration.
Step 5 Select OK
Step 6 Select Save
Step 7 Enable the state by selecting
Step 8 Click->Realm name
Step 9 Click->User Download
Step 10 Enable Download users and groups

Step 11 Highlight all Available Groups select Add to Include

Step 12 Select Save

Step 13 You should see the following:
Configuring Firepower Management Center 6.0

In this section, the Firepower Management Center (FMC) is configured for using self-signed certificates for ISE
pxGrid node operation. An internal FMC certificate authority is created on the Firepower Management Center and
converted into certificate and imported into the Firepower Management Center’s internal certificate store. The internal
FMC public certificate will be exported into the ISE certificate trusted system store. The ISE identity self-signed
public certificate will be imported into the Firepower Management Center Trusted CA store.
Step 1 Select Objects->Object Management->PKI->Internal CAs->Generate CA-> provide the certification
information below:
In this example, FMC60, was the name given to the internal CA

Step 2 Select Generate self-signed CA

Step 3 Download the CA certificate file by clicking on the “pencil” below
Step 4 Select Download
Step 5 Enter encryption password, select OK. In this example, cisco123 was used

Step 6 Save the .p12 file locally
Step 7 Rename the .p12 filename to make it easier to work with. In this example, fmc60.p12 was the renamed file.
Step 8 Use WinSCP or another method to upload the file to the Firepower Management Console
Step 9 SSH to the Firepower Management Console
Step 10 Convert the .p12 file into CER and KEY files, by typing the following commands:
Note: the CER and KEY filenames are random. The original.p12 file was renamed to fmc60.p12. Initially you will be prompted for the sudo
password. The import password, PEM passphrase will be the encryption key password you typed in earlier.

sudo openssl pkcs12 -nokeys -clcerts -in fmc60.p12 -out fmc60.cer

Enter Import Password:
MAC verified OK
admin@sd:~$
sudo openssl pkcs12 -nocerts -in fmc60.p12 -out fmc601.key

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
admin@sd:~$
Step 11 WinSCP was used to copy the fmc60.cer and fmc60.key files from the Firepower Management Center to
the local PC.
Step 12 The Firepower Management internal CA public certificate was exported into the ISE certificate trust store
Select->Administration->System->Certificates->Trusted Certificates->Browse and upload fmc60.cer

Step 13 Enable “Trust for authentication within ISE”, then Submit

Step 14 You will see the following when importing the FMC certificate, select Yes
Step 15 Select Administration->System->Certificates->select the ISE identity self-signed certificates->Export

both public and private key

Note: The file will be saved as Defaultserversignedcerti.zip file. Unzip the file and export only the public certificate the PEM file to the FMC trusted
store. You can also rename the file to ISE2.0.pem to make it easier to work with.
Step 16 Import the ISE self-signed identity cert into the Firepower Management trusted CA store
Select Objects->Object Management->PKI->Trusted CAs->Add Trusted CA->enter the name. In this
example, ISE was used.
Enter the encryption key password for ISE ->OK
Step 17 Import the Firepower Management internal CA public/private key pair into the Firepower Management
Center’s Internal Certs store
Select Objects->PKI->Internal Certs->Add Internal Cert
Follow the same procedure for the private key
Note: Delete Bag Attributes until you get to ----Begin Certificates

Step 18 Delete the Bag attributes for the key file until you are just before “---Begin….”
Step 19 Also delete </no>
Step 20 Enter the encrypted password

Step 22 Select Save

You should see the following:

Configuring Firepower ISE Identity Sources

The Identity Sources Engine configuration defines the ISE pxGrid node connection parameters, ISE MnT node
certificates and FMC 6.0 identity certificate.
Step 1 Select System->Integration->Identity Sources->Identity Services Engine
Primary Host Name/IP Address- primary FQDN pxGrid name or IP address

Secondary Host Name/IP address- secondary FQDN pxGrid name or IP address
*pxGrid Server CA- ISE pxGrid node certificate (imported ISE self-signed identity certificate)
*mnt Server CA- ISE pxGrid node certificate (imported ISE self-signed identity certificate)
MC Server Certificate- identity certificate of FMC (imported internal cert)
Step 2 Select Test

You should see the following

Step 3 Select OK
Step 4 Select Save
Step 5 Select System->Monitoring->Syslog
Note the FMC has successfully connected to the ISE server
Step 6 You should see the following in ISE

CA (Certificate Authority)- Signed Certificate Operation

This section provides configuration details for deploying ISE 2.0 and Cisco Firepower Management Center 6.0 in an
ISE stand-alone environment. This section is optional if you are deploying self-signed certificates.
Customized pxGrid Template for CA-Signed Operation

A customized pxGrid template having an Enhanced Key Usage (EKU) of both client authentication and server
authentication is required for pxGrid operation between the pxGrid client, the Firepower Management Center and the
ISE pxGrid node. This is required for a Certificate Authority (CA)-signed environment where both the Firepower
Management Center and the ISE pxGrid node are signed by the same CA.
Step 7 Select Administrative Tools->Certificate Authority-> “+” dropdown next to CA server->Right-Click
on Certificate Templates->Manage
Step 8 Right-Click and Duplicate User template->Select->Windows 2003 Enterprise->OK

Step 9 Enter name of certificate template, uncheck “Publish certificate in Active Directory”, and provide validity
period and renewal period.
Step 10 Click on Extensions->Add->Server Authentication->Ok->Apply

Step 11 Click on Subject name, Enable Supply in request
Step 12 Click on Extensions->Issuance Policies->Edit->All Issuance Policies

Step 13 Leave the defaults for request handling
Step 14 Right-click on Certificate templates

Step 15 Select->New Template to issue and select pxGrid

Step 16 You should see the pxGrid template

Configuring ISE 2.0

The ISE pxGrid node is configured for a Certificate Authority (CA) signed environment in a stand-alone configuration.
Initially, a “pxGrid” CSR request is generated from the ISE node and signed by the CA server using the pxGrid
customized template. The certificate will be bound to the initial ISE CSR request.
The CA root certificate will be imported into the ISE certificate trusted store. The ISE identity certificate will be
exported in the ISE certificate system store. The ISE node will be enabled for pxGrid operation.
Step 1 Generate a CSR request for the ISE node which will become the ISE pxGrid node
Administration->System->Certificates->Certificate Signing Requests->Generate
Note: The certificate usage should be admin. This is required for FMC 6.0 for active bulk download sessions
Step 2 Copy/paste the CSR information into Request a certificate->Advanced certificate request selecting the
customized pxGrid template, then Submit
Step 3 Download the CA root in base-64 encoded format

Step 4 Upload the CA root into the ISE certificate trusted system store
Select->Administration->System->Certificates->Trusted Certificates->upload the CA root certificate
Step 5 Enable “Trust for authentication within ISE, then Submit
Step 6 Upload the ISE pxGrid node certificate into the ISE certificate system store
Select Administration->System-Certificate Signing Requests and Bind certificate to the CSR request

Step 7 Select Administration->System->Certificates->Certificate Management->Certificate Signing

Request->Generate Certificate Signing Requests (CSR)->Admin for certificate usage
Step 8 Select Node
Step 9 Select DNS name for the Subject Alternative Name (SAN) and add the DNS name
Step 10 Select Generate

Step 11 Select Export
Step 12 Open the pem file and copy/paste the csr request into the customized pxGrid template

Step 13 Paste into Request a Certificate->Advanced Certificate Request, select customized pxGrid template-
>Submit
Step 14 Select Submit

Step 15 Download certificate in base 64 encoded format
Step 16 Download CA root certificate in Base 64 format

Step 17 Administration System->Certificates->Certificate Management->Trusted Certificates->Import the

root certificate
Step 18 Enable Trust for authentication within ISE
Step 20 Select Administration->Certificates->Certificate Management->System Certificates->Certificate

Signing Requests->select CSR request->Bind Certificate
Step 21 Upload the ISE CA-signed identity certificate


Step 23 Select Yes, when you see the following message:
Step 24 Select YES, when you see the following message
Step 25 You will see that the system will be restarting and will take you back to the GUI

Step 26 Select Administration->System->Deployment->edit the Hostname->enable pxGrid
Step 27 Select Save

Step 28 Select Administration->pxGrid Services, verify that you see the published services
Note: This may take a few seconds to appear, verify that the pxGrid services are initializing by running “sh application status ise” on the ISE VM
Step 29 Enable Enable Auto Registration
Step 30 Verify that you are connected to pxGrid

Creating Firepower ISE Realm

The ISE Realm is used for ISE authentication and will be used in the Firepower Management Center’s 6.0 Identity
Policy.
Step 1 Select System->Integration->Realms->New Realm
Step 2 Select OK
Step 3 Select Add Directory, enter the FQDN hostname or information
Step 4 Select Test, you should see that the: Test Connection has succeeded, select OK
Note: If you see a returned failed attempt, ensure that the directory username and directory password are correct in the Realm Configuration.
Step 5 Select OK
Step 6 Select Save
Step 7 Enable the state by selecting

Step 8 Click->Realm name
Step 9 Click->User Download
Step 10 Enable Download users and groups

Step 11 Highlight all Available Groups select Add to Include
Step 12 Select Save


Configuring Firepower Management Center 6.0

The Firepower Management Center (FMC) is configured for Certificate Authority (CA)-signed operation. The
Firepower Management Center private key and CSR request are created from the Firepower Management Center
console (FMC). The CA server signs the CSR request and provides the FMC identity certificate using the customized
pxGrid template.
Both the FMC certificate and FMC key are uploaded into FMC internal certs store. The CA root certificate is
uploaded into the FMC trusted CA store.
Step 1 Generate a Firepower private key
Note: the password here will be defined in the pxGrid agent configuration
openssl genrsa –des3 –out sourcefire.key 4096
Step 2 Generate a CSR request

Note: you will be prompted for a password; this will be the same password as you entered previously
openssl req –new –key sourcefire.key –out sourcefire.csr
Step 3 Use WinSCP to copy sourcefire.csr and sourcefire.key file from the Firepower Management Center (FMC)
locally to the PC
Step 4 Open the CSR request using editor copy the CSR request

Step 5 Paste FMC CSR request into Request a certificate->Advanced User request using the customized pxGrid
template, then submit. Download the certificate in base-64 encoded format

Step 7 Download the certificate in base 64-format
Step 8 Download the CA root certificate in base-64 encoded format

Step 9 Upload the CA root cert into the Firepower Management trusted CA store
Select Objects->PKI->Trusted CAs->Add Trusted CA-> provide a name and upload root CA cert,
then Save
Step 10 Upload the Firepower Management center public certificate and private key to the FMC internal cert store
Select Objects->PKI->Internal Certs->add the Sourcefire CER file and Sourcefire KEY files and
password, then Save

ISE Identity Sources CA-Signed Certificate Configuration

The Identity Sources Engine configuration defines the ISE pxGrid node connection parameters, ISE MnT node
certificates and FMC identity certificate. Note that this configuration will be for a CA-signed environment for an ISE
stand-alone environment.
Step 1 Select System->Integration->Identity Sources->Identity Services Engine
Primary Host Name/IP Address- primary FQDN pxGrid name or IP address

Secondary Host Name/IP address- secondary FQDN pxGrid name or IP address
*pxGrid Server CA- root CA-signed both ISE pxGrid node and FMC
*mnt Server CA- root CA-signed both ISE pxGrid node and FMC
MC Server Certificate- CA-signed identity certificate of FMC
*CA Signed Environment

Step 2 Select Test

You should the following:
Step 3 Select Save
Step 4 You should see the following on the ISE pxGrid node
Select Administration->pxGrid Services

The FMC has successfully registered to the ISE pxGrid node and subscribed to the EndPointProfileMetada,
SessionDirectory and TrustsecMetaData capabilities.

Firepower Management Center

Enabling Network Discovery
Enabling Network discovery provides user identity information
Step 1 Select Policies->Network Discovery->Edit Rule by clicking

Step 2 Enable Users
Step 3 Select Save

ISE Identity Policy

The ISE Identity policy is used in the Firepower Management center’s default access control policy to allow passive ISE
authentication.
Step 1 Select Policies->Access Control->Identity->New Policy->New Identity Policy->provide a name->Save


Step 2 Select Add Rule

Step 3 Enter Name: ISE Authentication
Step 4 Enter Action: Passive Authentication
Step 5 Select Realm, then Add, select the ISE realm you defined earlier
You should see the following below
Step 6 Save the changes
Default Access Control Policy

The default access control policy contains the ISE identity policy, the transport/network layer/preprocessor settings to
block transactions, access control rules and Firepower Management Center’s intrusion policies.
Adding ISE Identity Policy

Add the ISE identity policy to the default access policy
Step 1 Select Policies->Access Control->edit the default access policy

Step 2 Click None -> Identity Policy select ISE from the drop-down menu
Step 3 Select Save
Transport/Network Layer Preprocessor Settings

These settings were modified to for blocking traffic enforced by the Firepower managed intrusion policy.
Step 1 Edit the Transport/Network Layer/Preprocessor Settings
Step 2 Provide the following settings

Step 3 Select ->Ok
Adding Block Response Page

The system-provided block response page will be added to the blocked web categories based on Firepower
Management Center’s access control policy.
Step 1 Select HTTP Responses, and provide the following settings for the response pages
Step 2 Save the changes

Step 3 Select Deploy, and deploy the changes to the sensor

Step 4 Select the Deploy status bar to see the progress
Create Employee SGT tag Access Control rules

An Employee SGT access control policy will be created simulating an organization’s acceptable usage policy.
This acceptable usage policy will deny users access to gambling sites, hacking sites, streaming media, social media and
peer-to-peer applications.
Step 1 Select Policies->Access Control->Access Control->Rules, edit clicking on
Step 2 Select->Add Rule, enter name: Deny Employee SGT Access->action->Block->IPS->pxGrid intrusion
policy->URLs->Category>Gambling, Peer-to-Peer, Streaming Video, Hacking->Add to Rule

Step 3 Select ISE Attributes->Available ISE session attributes->Security Group Tag->Available Metadata-
>Employees->Add to rule
Step 4 Select Logging and configure the following settings
Step 5 Select OK

Step 6 Select Save

Step 7 Deploy the changes to the sensor
Select Deploy->sensor->Deploy
Step 8 Click on , to see Task Status, and verify that the operation has succeeded.
Firepower pxGrid Intrusion Policy

The pxGrid Intrusion Policy is created and deployed to the Firepower NGIPS virtual sensor. This policy contains
“SERVER IIS CMD.EXE access” rule, when the end-user types in: www.yahoo.com/cmd.exe in their browser, this
will trigger an intrusion event that will be dropped in line and event generated to the Firepower Management Console
under Analysis Intrusion Events. In this document, the pxGrid intrusion policy will also centrally manage the ASA
with Firepower Services.
In this document, this policy will also be created on-box via ASDM with ASA with Firepower services.
Step 1 Select Policies Intrusion->Intrusion Policy->Create Policy->pxGrid_Intrusion_Policy, enable Drop
when Inline

Step 2 Click Create Policy
Step 3 Edit the policy by clicking on
Step 4 Click on Rules->filter: iis cmd exe and select the following
Step 5 Click Rule State->Drop and Generate Events->OK


Step 6 Next filter on: win gen buffer overflow and select->OS-Windows Generic Hyperlink BufferOverflow
Attempt
Step 7 Rule State->Drop and Generate Events->OK
Step 8 Click Policy Information
Step 10 Select Commit Changes

Step 11 Click OK

Step 12 Select Deploy, the sensor, and Deploy again

Step 13 Select Policies->Access Control->Intrusion Access Control, you should see the following:
Step 14 Select Policies->Access Control->Access Control

You should see the default access policy
Step 15 Edit the default access policy by clicking on
Step 16 Under Default actions, from the dropdown select the pxGrid_Intrusion_Policy

Note: you may be prompted to add access control policies. These will be added later on based on the Employee SGT
Step 17 Click Save
Step 18 Edit the SGT Access control policy to include the pxGrid Intrusion Policy
Step 19 Click on Logging, by clicking on
Step 20 Configure the following settings->OK
Step 21 Click Save

Step 22 Click Deploy, select the device
Step 23 Select Deploy
Step 24 Click on , to see Task Status
Note: Click on Task Status to see deployment cycle status
You should see deployment to the sensor as successful

Testing User with Employee SGT via Firepower Virtual

Sensor
In this use case, the end-user is assigned an Employee SGT and received the Firepower Management Center’s access
control policy, denying SGT tagged employees access to hacking sites, gambling sites, peer-to-peer applications,
streaming media applications. Also the intrusion policy is enforced and access to compromised web servers are
denied.
The end-user successfully authenticates via IEEE 802.1X and is assigned an Employee SGT as shown below
Firepower Management Center 6.0 obtains the ISE session information and displays the information in the User
Activity Screen
Note the ISE session attributes: username, security group tag, endpoint profile and endpoint location. The security
group tag attribute was used to create a FMC access control policy.

The end-user opens their browser and accesses poker.com. Note the blocked transaction and the Firepower
Management Center displayed page.
The end-user opens their browser and wants to download pwdump7.
The end-user is redirected to the web page and is denied access

The end-user attempts to access bittorrent and is denied access.
The end-user inserts cmd.exe into the website to simulate a compromised web server and is denied access
Just to prove that all is well. The end-user can access a valid website

The end-user tries to join a hacking club and is denied access
When the end-user attempts to join the hacking club he is denied access
When the end-user attempts to access www.youtube.com he is denied

On the Firepower Management Center Access Controlled User Statistics Dashboard, you can view the denied
connections from the user iskiber
If you click on denied connections by iskiber, note the denied URL categories. These denied categories represent the
URL categories as defined in the “Deny Employee SGT Access” Firepower Management Center’s access control rule

Below is a screen continuation

ASA with Firepower Services

In this document an ASA 5506W was used for testing. The ASA Firepower (sfr) module was installed and was tested
in the following:
- Managed Firepower pxGrid Intrusion policy and Employee SGT access control rule
- On-Box managed Firepower pxGrid Intrusion policy and Employee SGT access control rile.
Using Centralized Firepower Management Center Policy

Here we install the ASA Firepower (sfr) module. Once configured we will register the ASA to the Firepower
Management Console where the ASA will enforce the managed Cisco Firepower policy.
Note: Please make sure you install either smart or classic license for the managed ASA with Firepower services.
ASA Firepower (sfr) Installation and registering to Firepower Management Center

Step 1 Download ASDM 7.5.2, and ASA 9.5.2 and upload them to ASA
Step 2 Install the ASA Firepower module
ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-6.0.0.img
Step 3 Turn on debugging, this will make it easier if error messages occur
ciscoasa# sh debug
ciscoasa# debug module
Step 4 Load the ASA Firepower boot image
ciscoasa# sw-module module module sfr recover boot
Step 5 Wait approximately 5-15 minutes for the ASA Firepower to boot up, open a console session to the now-
running ASA Firepower boot image. You may press enter a couple of times and type the following
ciscoasa# session sfr console

Opening console session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL_^X’.
Cisco ASA SFR Boot Image 5.3.1

asasfr login:admin
Password: Admin123

Step 6 Install the software system image using the system install command, ftp was used in the following
example:
asa-boot>system install http://jeppich:[email protected]/asasfr-5500x-6.0.0.img
The system will go down for a reboot when complete. This may take awhile for sfr to come up; it may take
longer than 30 minutes as was the case with my ASA 5506. Check by typing the following
sh module sfr
You should see the module as up, if it is still in the recover state, the module is still installing
Step 7 Open a session to the ASA Firepower module
ciscoasa# session sfr console

Opening console session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL- ^X’.
Sourcefire3D login: admin

Password: Admin123
Step 8 Read and accept the EULA and complete the system configuration
Step 9 Add the ASA Firepower services to the Firepower Management 6.0
> configure manager add (ip address of Cisco Firepower Management Console) password
Step 10 Ensure that you have the proper licenses installed for the ASA
Step 11 Add ASA Firepower device to the Firepower Management Center 6.0 and enter the device information and
enable the license
Select Devices->Device Management->Add->Add Device
Step 12 Select Register

Step 13 After the ASA Firepower has successfully registered you should see the following:
Testing User with Employee SGT from managed Firepower Management Policy
Here we test the FMC 6.0 policy we created for an end-user tagged as employee. The end-user is tagged as having an
Employee SGT after a successful 802.1X authentication based on the ISE authorization policy.
The end-user opens their browser and accesses www.youtube.com and is denied access
On the Firepower Management Center, s elect Analysis->Connection->Events to see the details of blocked
transactions

Continuation of screen below note that we see www.youtube.com
On Firepower Management center, select Overview->Dashboards->Access Controlled User Statistics and click on
Denied Connections by User for pxGrid
You will see the blocked connection events for www.youtube.com

On-Box Firepower Policy Management

This section provides details for on-box management for the ASA with Firepower services via ASDM. Please note
that you will need separate licenses for the on-box ASA using Firepower policies via ASDM. Also the ASA with
Firepower services was configured for a CA-signed environment.
Delete the ASA from the Firepower Management Center 6.0

Step 1 Delete the ASA5500 device from the Firepower Management Center 6.0
Select Devices->Device Management->Delete the ASA 5500 Sensor by clicking on
Note: If your ASA device has not been deleted from FMC 6.0, the ASDM will not be able to see the ASA Firepower Configuration Details. This will
require a separate set of licenses for on-box registration
ISE Realm Configuration

Here we configure the ISE Realm on ISE
Step 1 Select ASA Firepower Configuration->Realms

Step 2 Select New Realm, enter the realm configuration details
Step 3 Select OK, enable the Realm by clicking State
Step 4 Select Add Directory, enter the information below
Step 5 Select Test, you should see operation succeeded
Step 6 Click User Download->enable Download users and groups->Download Now->Add to Include
Step 7 Click Store ASA Firepower Changes

ISE Identity Sources Configuration

The identity sources configuration contains the connection parameters between the ASA with Firepower services and
the ISE pxGrid node. Please note that the ASA has a signed CA-signed certificate. Please refer to CA-signed operation
if you are not familiar with the certificate installation
Step 1 Select ASA Firepower Configuration Changes->Identity Sources
Step 2 Select Identity Services Engine, and provide the ISE pxGrid configuration below:
Note: Please provide the proper certificate information for self-signed or CA-signed certificates
Step 3 Select Test, to verify connectivity to the ISE pxGrid node, you should see

Step 4 You should see that the ASA Firepower has successfully registered as a pxGrid client
Select Administration->pxGrid Services
Step 5 If there you have an unsuccessful attempts,

Step 6 Select Monitoring->ASA Firepower Monitoring, this should provide some details
Note: Failures are mostly due to certificate issues
ISE Identity Policy

The ISE Identity Policy will be configured for passive authentication and will be used in the Firepower Management
Center default access control rule for ISE authentication.
Step 1 Select ASA Firepower Configuration->Policies->Identity Policy
Step 2 Click Add Rule, enter name->Passive Authentication->Realm

Step 3 Select Store ASA Firepower Changes

Step 4 Select Deploy->Deploy Firepower Changes->Deploy-Ok
Adding ISE Identity Policy

The ISE identity policy is added to the Firepower Management Center’s default access policy
Step 1 Select ASA Firepower Configuration->Policies->Access Control Policy
Step 2 Select ASA Firepower->Add Rule->Identity Policy->None, select Default Identity Policy from the
drop-down
Step 3 Select OK
Transport and Network Layer Preprocessor Settings

These settings have been modified to block network access based on the Firepower intrusion policy.
Step 1 Click Advanced->Transport/Network Layer Preprocessor Settings , provide the following

settings:

Step 2 Select OK
Adding Block Response Page

The system-provided block response page has been added as a blocked response to the Firepower access control file.
Step 1 Click HTTP Responses, and provide the following:
ASA Create Employee SGT Access Control Rules

These Employee SGT tag access control rules set a corporate acceptable usage policy denying access to: hacking sites,
streaming media, peer-to-peer applications, malware and gambling sites
Step 1 Select ASA Firepower Configuration->Access Control Policy->ASA Firepower-Add rule
Step 2 Select Add Rule, enter name: Deny Employee SGT Access->action->Block with reset->IPS->pxGrid
intrusion policy->URLs->Category>Gambling, Peer-to-Peer, Streaming Video, Hacking->Save

Step 3 Select ISE Attributes->Available ISE session attributes->Security Group Tag->Available Metadata-
>Employees->Add to rule
Step 4 Select Logging and configure the following settings

Step 5 Select Save
Step 6 Select Save

Step 7 Select store ASA Firepower changes
Step 8 Select Deploy->Deploy Firepower changes->Deploy-OK
Step 9 Select Monitoring->ASA Firepower Monitoring->Task Status to view deployment status

ASA FirePOWER pxGrid Intrusion Policy

In this section, the pxGrid Intrusion Policy is created and deployed to the Firepower sensor. This policy contains
“SERVER IIS CMD.EXE access” rule, when the end-user types in: www.yahoo.com/cmd.exe in their browser, this
will trigger an intrusion event that will be dropped in line and event generated to the Firepower Management Console
under Analysis Intrusion Events
Step 1 Select ASA Firepower Configuration->Intrusion Policy->Create Policy and configure the following:
Step 2 Click Create Policy

Step 3 You should see the following
Step 4 Edit the policy by clicking on
Step 5 Click on Rules->filter: iis cmd exe and select the following

Step 6 Click Rule State->Drop and Generate Events->OK

Step 7 Next filter on: win gen buffer overflow and select->OS-Windows Generic Hyperlink BufferOverflow
Attempt
Step 8 Rule State->Drop and Generate Events->OK
Step 9 Click Policy Information to commit changes
Step 10 Click->Commit Changes->Ok

Step 11 You should see the following

Step 12 Add pxGrid intrusion policy to default access control policy

Select->ASA Firepower configuration->Policies->Access Control Policy->Intrusion Prevention:pxGrid
intrusion policy from the drop-down
Step 13 Configure logging, by selecting
Step 14 Configure the following logging settings
Step 15 Click OK
Step 17 Click Deploy->Deploy Firepower Changes->Deploy->OK
Step 18 Click Monitoring->ASA Firepower Monitoring->Task to view the deployment status

Testing User Employee SGT Using On-Box Firepower

Management Policy
The employee has successfully authenticated to ISE and received an Employee SGT.
We see that Firepower Management Center has obtained the user session
Note that when the employee accesses www.poker.com he is denied
When the employee accesses www.bittorent.com he is denied

When the employee tries to join a hacking club www. hackersonlineclub.com he is denied
Also when he tries to insert www.msn.com/cmd.exe into his browser, he is denied access.

You can view the report on the ASA Firepower Reporting. Note the denied web category transactions and the server
IIS- Web signature that fired.
If you click under Threat reports note the signature for SERVER-IIS

If you select Reports by users, and click on jeppich
You will see the top transactions, web categories, and applications
You also have reports to view Applications

You can also view reports based on policy
and policy hits


Troubleshooting
ISE pxGrid Node
pxGrid published nodes do not appear and there is no pxGrid connectivity
• If using self-signed certs with ISE 1.3/1.4, make sure that you have export the ISE self-signed Identity
certificate into the ISE system trusted store, before enabling pxGrid.
• If use CA-signed certs ensure that the customized pxGrid template has an EKU of both server authentication
an client authentication, before enabling pxGrid
• If deploying pxGrid in a productional environment and the dedicated ISE pxGrid node has its public/private
key pair imported into the PPAN and PMNT nodes. If pxGrid-Active Standby is implemented, the secondary
pxGrid nodes should have a public/private key imported into the secondary SPAN and secondary SMNT
nodes.
Only on pxGrid node can be active, run application status ise to ensure that the ISE pxGrid node is the active
one.
• power down/up ISE Run application stop ise/application start ise. You may also disable pxGrid from the
ISE node, before stopping the ISE service; Once ISE is back up enable for pxGrid.
• Downloaded certificates should be in base 64 encoded format
Firepower Management Center 6.0

System Integration ISE certificate test fails
• If using ISE 1.3/1.4 in a stand-alone POC environment using self-signed certs and if you have not set as
primary, there is a known bulk download session bug that can resolve FQDN issue. Promote to primary to
resolve. This is not an issue with ISE 2.0
• If using ISE in a stand-alone environment for CA-signed cert operation, make sure the purpose of the CSR
request is admin and NOT pxGrid. This is required for active bulk download record sessions.
• For CA-signed operation:
• For self-signed operation:
• FMC 6.0, ISE pxGrid node, devices should be all DNS resolvable
Not Seeing Correlation Events from ISE

• Ensure time is synced between FMC and ISE. Time should also be synced between the FMC and all the
registered devices
ASA with Firepower Services

Cannot Modify registered ASA device parameters on Firepower Management Center
• Ensure you have the proper device licenses for the proper ASA model on the Firepower Management center

SFR is still in the recovery state

• Re-run SFR installation, this takes awhile. On my ASA 5506 it took over 30 minutes. Run sh module sfr to
ensure that is up
No traffic on ASA Firepower reports

• Configure all traffic to the ASA Firepower Services
• Below is a sample configuration
ciscoasa# conf t
ciscoasa(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options

!
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# sfr fail-open
ciscoasa(config-pmap-c)#
ciscoasa(config-pmap-c)# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 5531, lock fail 0, drop 0, reset-drop 0, 5-min-
pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0
pkts/sec, v6-fail-close 0 sctp-drop-override 0

Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0,
5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5
-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-
min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: netbios, packet 15, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-
drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

Class-map: class-default
Default Queueing SFR: card status Up, mode fail-open

packet input 250, packet output 250, drop 0, reset-drop 0
ciscoasa(config-pmap-c)

ciscoasa(config-pmap-c)# sh service-policy sfr
Global policy:
SFR: card status Up, mode fail-open
ciscoasa(config-pmap-c)# sh service-policy sfr
Global policy:
SFR: card status Up, mode fail-open

Solution Caveats
pxGrid & Identity Mapping Service Restart
Description: pxGrid & Identity mapping service restart on ISE pxGrid node when ever a cert is imported/deleted from
the trust store of ISE deployment
Defect filed: CSCuv43145
Work around: None needed as the service will be automatically restarted but while the service is in the restart state
new quarantine events will not be processed.
Resolution plan: ISE Carlsbad release spring 2016
Active pxGrid Node is Not Reflected in the GUI; It is Reflected in CLI

Description: When two pxGrid nodes are available in a pxGrid HA deployment, one is active and the other is standby.
Identifying which is active, and administrator needs to review the pxGrid status in the CLI. The status is not visible in
the UI Deployment page. This addition will be made in Carlsbad.
Work around: Use the CLI to determine active/passive status
Resolution plan: ISE Carlsbad release spring 2016


References
Configuring pxGrid in a Distributed ISE Environment:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-88-Configuring-pxGrid-in-an-ISE-Distributed-
Environment.pdf
How-To Deploying Certificates with Cisco pxGrid: Configuring CA-Signed ISE pxGrid Node and CA-Signed pxGrid
client: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-89-
CA_signed_pxGridISEnode_CAsigned_pxGridclient.pdf
How-To Deploying Certificates with Cisco pxGrid: Self-Signed Certs with ISE pxGrid Node and pxGrid client:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-90-
Self_signed_pxGridClient_selfsigned_pxGrid.pdf
Cisco Firepower Management Center 6.0 Configuration Guide
http://www.cisco.com/c/en/us/td/docs/security/Firepower/60/configuration/guide/fpmc-config-guide-v60.html

How-To Firepower ISE PxGrid

Uploaded by

Copyright:

Available Formats

How-To Firepower ISE PxGrid

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

How-To Firepower ISE PxGrid

Uploaded by

Copyright:

Available Formats

How to Integrate Cisco Firepower Management

Center 6.0 With ISE and TrustSec Through pxGrid

Cisco Systems © 2016 Page 2

Cisco Systems © 2016 Page 3

About This Document

Cisco Systems © 2016 Page 4

Solution Introduction Cisco Management Center 6.0 with

Cisco Firepower Management Center 6.0

Cisco Systems © 2016 Page 5

Cisco Identity Service Engine (ISE)

Cisco Systems © 2016 Page 6

The function of these topics are:

SecurityGroup : id=150138d0-cfc7-11e3-9e0e-000c29e66166, name=Engineering, desc=, tag=3

• EndpointProfileMetadata which provides ISE endpoint policy information such as changes/modifications to

Endpoint Profile : id=886f7570-bd0c-11e3-a88b-005056bf2f0a, name=Apple-iDevice, fqname Apple-Device:Apple-

session (ip=192.168.1.14, Audit Session Id=0A0301030000001E00FEBAD7, User Name=jsmith, Domain=lab4.com,

Cisco Systems © 2016 Page 7

Cisco Systems © 2016 Page 8

Cisco Identity Service Engine Dynamic Security Group Tags

Step 1 Create an Employee Security tag

Select Policy->Authorization-> -> and enter the following:

Rule Name: Employee;

Step 2 Select Done

Cisco Systems © 2016 Page 9

Self-Signed Certificate Operation

Configuring ISE 2.0

Step 1 Select Administration->System->Deployment, select the node->Edit->enable pxGrid

Step 2 Select Save

Step 4 Enable Enable Auto-Registration

Cisco Systems © 2016 Page 10

Step 5 Verify that you are connected to pxGrid

Creating Firepower ISE Realm

Cisco Systems © 2016 Page 11

Step 7 Enable the state by selecting

Step 8 Click->Realm name

Step 9 Click->User Download

Step 10 Enable Download users and groups

Cisco Systems © 2016 Page 12

Step 12 Select Save

Configuring Firepower Management Center 6.0

Cisco Systems © 2016 Page 13

Step 2 Select Generate self-signed CA

Step 4 Select Download

Cisco Systems © 2016 Page 14

Step 6 Save the .p12 file locally

Step 9 SSH to the Firepower Management Console

Cisco Systems © 2016 Page 15

sudo openssl pkcs12 -nokeys -clcerts -in fmc60.p12 -out fmc60.cer

sudo openssl pkcs12 -nocerts -in fmc60.p12 -out fmc601.key

Cisco Systems © 2016 Page 16

Step 13 Enable “Trust for authentication within ISE”, then Submit

Step 15 Select Administration->System->Certificates->select the ISE identity self-signed certificates->Export

Cisco Systems © 2016 Page 17

Cisco Systems © 2016 Page 18

Step 19 Also delete </no>

Step 20 Enter the encrypted password

Step 22 Select Save

Cisco Systems © 2016 Page 19

Configuring Firepower ISE Identity Sources

Primary Host Name/IP Address- primary FQDN pxGrid name or IP address