View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0222 - ISE 2.0 pxGrid with ASA Firepower (Part 1)

Rating: 
5
Average: 5 (3 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
The video shows a functional integration of ASA Firepower with ISE 2.0 pxGrid service. We will have the Firepower join pxGrid using certificate-based authentication and subscribe for user contextual information. We will create and test Firepower access policies to restrict user traffic based on their AD group membership and assigned Security Group Tag. 
 
Part 1 of this video covers pxGrid configuration and certificate generation on ISE
 
 
 
Topic:
  • pxGrid Certificate Generation (ISE and Firepower)
  • ISE pxGrid Configuration
  • Firepower Identity Policy
  • Firepower Access Control Policy
  • Security Group Tag (SGT)
  • SGT Exchange Protocol (SXP)

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

13 comments

HI i have four nodes deployment , two admin/monitor and two PSNs , i have enabled the PIX grid on both the PSNs , but when i navigate to PixGrid service i find no nodes there with a note below the page saying "No connectivity to pxGrid node" , also when i try to go to setting and enable automatic approve new account , i get the below error message
"Failed to update Grid settings on the server"
any ideas
BR

There are a few thing you can check/try.

1. Make sure you have PLUS license installed

2. Disable pxGrid, restart server and re-enable pxGrid.

3. Import pxGrid1 cert to Primary AM, and pxGrid2 cert to Sec AM as trusted cert.

4. Apply latest Patch

5. Search for ISE bugs

Hi
Thanks , i will try and feedback
BR

It worked , but it needed to be activated on the Admin node

Strange. Cisco recommends having pxGrid controller runs on PSN but it that works for you, that should be ok.

Hi but now the status of the Pxgrid client is offline
any ideas
BR

Can you go through troubleshooting step in the earlier post? 

When I initially configured my FMC 6.2 and migrated ASA5508X to FTD I used an old domain name. I created a new domain and changed my FMC FQDN to match it. When I configure pxGrid and test. The Firesightisetest client name shows the correct FQDN but the iseagent client still uses the old FQDN and fails. Where does it get the iseagent FQDN (FMC or Sensor) so that I can change it to the correct FQDN?

Dennis

Did you reload the FMC after the change? What is the CN of the cert FMC uses to authenticate pxGrid?

Reboot corrected the FQDN. The test still fails

Primary host:
test: ISE connection.
Preparing ISE Connection objects...
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: pxgrid connection init done successfully
Preparing subscription objects...
Connecting to ISE server...
Beginning to connect to ISE server...
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: _reconnection_thread starts
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: connecting to host 10.1.16.25 .......
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: stream opened
Starting SSL Handshake, SSL state:before/connect initialization
Completed SSL Handshake, SSL state: SSL negotiation finished successfully
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: EXTERNAL authentication complete
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: authenticated successfully (sasl mechanism: EXTERNAL)
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: pxgrid_connection_connect: Connected. host=10.1.16.25
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: Controller version: 2.0.0.7
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: Account approved
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-02-22T15:35:38 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: _on_connect called
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: successfully subscribed
Queried 1 bulk download hostnames:vtsise.vts-group.local:8910
...successfully connected to ISE server.
Starting bulk download
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://vtsise.vts-group.local:8910/pxgrid/mnt/sd/getSessionListByTime'
Starting SSL Handshake, SSL state:before/connect initialization
Completed SSL Handshake, SSL state: SSL negotiation finished successfully
Sending SSL alert:close notify
Captured Jabberwerx log:2018-02-22T15:35:39 [ ERROR]: curl_easy_perform() failed: (51) SSL peer certificate or SSH remote key was not OK at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
bulk download iter next failed REST errorSSL peer certificate or SSH remote key was not OK
Failed to validate bulk download.
disconnecting pxgrid
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: _reconnection_thread exits
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: stream closed; err_dom=(null)
2018-02-22T15:35:39 [ INFO]: _on_disconnect called
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: Event loop exit. status=1
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: destroying client ...
Captured Jabberwerx log:2018-02-22T15:35:39 [ INFO]: pxgrid_connection_disconnect completes

Make sure ISE pxGrid cert is valid, and FMC trust the signing CA and vice versa

How did you create the LM-PXGRID Certificate Template in MS CA Cert Server? If it is in another video, please can you direct me to that video so that I may see how it's done? Or if it is a link to a website or something?

Thank you!

We do not have a specific video for that. You can simply copy the web server cert template and add Client and Server Authentication Key usage.

Poll

Vote for the Next Video Series