Connect Cisco ISE and Cisco pxGrid Cloud

This topic describes how to set up and complete the integration between Cisco Identity Services Engine (Cisco ISE) and Cisco pxGrid Cloud.

Table of Contents

• About Cisco pxGrid Cloud
• Terminology
• Prerequisites
• Enable pxGrid Cloud Service in Cisco ISE
• Create an Account in the Cisco DNA - Cloud Portal
• Subscribe to an Offer
• Register Cisco ISE with Cisco pxGrid Cloud
• Onboard Cisco ISE with Cisco pxGrid Cloud

About Cisco pxGrid Cloud

Cisco pxGrid Cloud is a cloud-based solution that enables you to share contextual information between on-premises applications such as Cisco ISE and cloud-based solutions such as Cisco Secure Access without compromising the security of your network. It is secure and customizable, enabling you to share only the data that you want and consume only the contextual data that is relevant to your application.

Cisco pxGrid Cloud offers the following benefits:

• Plug-and-play deployment without requiring infrastructure changes to your network.
• Cisco ISE as a single source of truth for endpoint identity by delivering consistent context exchange with on-premise and cloud partners.
• Enrichment of Software as a Service-based (SaaS-based) security analysis with real-time endpoint context from Cisco ISE.
• Threat containment by isolating endpoints from the network through actions initiated from the security SaaS solutions.

Cisco pxGrid Cloud Terminology

The following are some of the common terms that are used in the Cisco pxGrid Cloud solution and their meaning in the Cisco pxGrid Cloud environment:

• Offer—A set of capabilities packaged together and offered as a solution.
• Subscription—An instance of an offer being consumed by a tenant is a subscription.
• App—You can create and register applications for your product based on your requirements. For example, you can create an app that can retrieve the session and endpoint data from Cisco ISE.
  Applications with a cloud offering can be onboarded to Cisco pxGrid Cloud. After an application is onboarded, you can share data between your Cisco ISE deployment and the application.

Prerequisites

• Complete information about Cisco pxGrid Cloud and Cisco ISE Integration can be found in the Cisco pxGrid Cloud Solution Guide.
• Ensure that you have installed and activated the Advantage license in your Cisco ISE deployment.
• The pxGrid Cloud agent creates an outbound HTTPS connection to Cisco pxGrid Cloud. Therefore, you must configure Cisco ISE proxy settings if the customer network uses a proxy to reach the internet. To configure proxy settings in Cisco ISE, navigate to Administration > System > Settings > Proxy.
• Ensure that port 443 is open for outbound connection from Cisco ISE to Cisco pxGrid Cloud portal. If firewall or proxy settings are configured, ensure that the following URLs are not blocked:
  • https://dna.cisco.com
  • https://pxgridcloud.cisco.com
• You must have administrator privileges to Cisco ISE and Cisco pxGrid Cloud to perform the activation.
• Cisco pxGrid Cloud was introduced with ISE 3.1 Patch 3. It is generally recommended to use the latest patch for your ISE release.

Enable pxGrid Cloud Service in Cisco ISE

1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Deployment.
2. Click the node on which you want to enable the pxGrid Cloud service.
3. In the General Settings tab, enable the pxGrid service.
4. Check the Enable pxGrid Cloud check box.
   The pxGrid Cloud service can be enabled on two nodes to enable high availability.

Note: You can enable the pxGrid Cloud option only when the pxGrid service is enabled on that node.

Create an Account in the Cisco DNA - Cloud Portal

1. Navigate to dna.cisco.com .
   If you already have a Cisco account, skip to Step 4.

   

2. If you do not have a Cisco account, click Create a New Account.

3. Enter the required details in the Create Account window and click Register.
   A verification email is sent to the email account that you entered in the Create Account window. To finish signing in, check your verification mail.

4. Log in to the Cisco DNA - Cloud portal with your Cisco account.

5. Enter a name for your account and click Continue.

6. Confirm your account profile details and click Create Account.
   The Cisco DNA - Cloud portal home page is displayed.

Note: If you have multiple Cisco DNA - Cloud accounts, a pop-up window listing all your associated accounts is displayed. Choose an account and click Continue to launch the home page.

Subscribe to an Offer

1. In the Cisco DNA - Cloud portal home page, click Subscribe to Offer.
2. In the Set Up Your Subscription slide-in pane, from the Offer drop-down list, choose pxGrid Cloud.
3. From the Region drop-down list, choose US Region.
   Note: This release of Cisco pxGrid Cloud supports only the U.S. region.
4. Check the General Terms check box and click Subscribe Offer.
   The offers that you have subscribed to are displayed in the Cisco DNA - Cloud portal home page.
   If you want to delete an offer, select the offer and click Delete.

Note:

• Deleting a subscription removes the access of the accounts that are logged in to that offer. Hence, the logged-in users will no longer be able to register a device or perform any operation related to that offer.
• Deleting a subscription also impacts the products that are registered for that region.

Register Cisco ISE with Cisco pxGrid Cloud

Note: You must subscribe to an offer before registering Cisco ISE.

1. Navigate to pxgridcloud.cisco.com .

   

2. In the Cisco pxGrid Cloud portal home page, click Register Cisco ISE.

3. In the Register Cisco ISE slide-in pane, enter the Cisco ISE server name and description.

   • An OTP is generated. This OTP is valid for 30 minutes. For more information, see Cisco pxGrid Cloud and Cisco ISE Integration.
   • Enter the OTP in the Setup Connection window in Cisco ISE (under Administration > pxGrid Services > Client Management > pxGrid Cloud Connection).
   • Note: The pxGrid Cloud service must be enabled on one or two pxGrid nodes in the Cisco ISE deployment. For information on how to enable the pxGrid Cloud service, see Enable pxGrid Cloud Service in Cisco ISE.
   • The status of the Cisco ISE instance is displayed as Registered in the On-Prem Connections window after successful registration.

Onboard Cisco ISE with Cisco pxGrid Cloud

Open another browser tab to onboard Cisco ISE to pxGrid Cloud.

1. Open the ISE dashboard.

2. From the ISE dashboard, navigate to Administration > System > Deployment and select your ISE instance.

3. Check the box to Enable pxGrid Cloud.

   

4. Navigate to Administration > pxGrid Services > Client Management > pxGrid Cloud Policy and select ALL the listed services.

   

5. Enable ERS APIs with Read/Write permissions.

   

6. Enable Open APIs with Read/Write permissions.

   

7. Click Save.

8. Navigate to Administration > pxGrid Services > Client Management > pxGrid Cloud Connection.
   Notice the status of the connection will show as Setup Connection.

   

9. Click Setup Connection to begin onboarding ISE to pxGrid Cloud.

10. At the resulting prompt, paste in the copied token and then click Connect to continue.

11. You have now completed onboarding ISE to pxGrid Cloud.

Solution Workflow < Connect Cisco ISE and Cisco pxGrid > Enable Cisco Security Cloud Exchange