Cisco ISE pxGrid integration with FMC

Cisco ISE maintains rich information about network users, which can be shared with various products via pxGrid integration. pxGrid integration is supported for both Cisco and non-Cisco products. One use case is to create security policies on a network firewall based on user or group identity instead of IP-based rules. The latest version of pxGrid is 3.0, which is supported from ISE version 3.3 onwards. For this post we have used ISE 3.3 and FMC 7.4.1.

When a user connects to a network switch or wireless controller, the first thing that can happen is authentication of that user against a RADIUS server. Cisco ISE can act as a RADIUS server and authenticate users with protocols such as MAB and 802.1X. Check the previous post on RADIUS authentication using ISE. Since ISE is acting as the gatekeeper and knows who is on the network and which IP address they carry, sharing this information gives other security products a lot of advantage.

The integration of ISE and FMC via pxGrid is based on certificates: ISE authenticates itself to FMC with a certificate, and vice versa.

Step 1> Find the pxGrid node in the ISE deployment. In this example we have a three-node deployment; ise-pxgrid is the node with the pxGrid service enabled.

(Screenshot: ISE node deployment)

Step 2> Navigate to Administration > System > Certificates and check the pxGrid certificate of the pxGrid node. The certificate used for pxGrid will have pxGrid under “Used By”. Select the certificate and click on View.

(Screenshot: pxGrid node, pxGrid certificate)

(Screenshot: certificate view)

Step 3> Navigate to Administration > System > Certificates and check the pxGrid certificate of the MNT nodes. The certificate used for pxGrid will have pxGrid under “Used By”. Select the certificate and click on View.

(Screenshot: MNT node, pxGrid certificate)

(Screenshot: certificate view)

Step 4> Now check the root CA certificate of the pxGrid certificates on the pxGrid and MNT nodes; in this example it is the same for both nodes.

We need to export the root CA certificate of the pxGrid certificate. The root can be found under “Trusted Certificates”, whether the certificate is signed by the internal CA or by a 3rd party. If the certificate is signed by the ISE internal CA, the root CA can also be found under the Certificate Authority Certificates tab. For this example we are using an internal CA signed certificate.

(Screenshot: internal root CA certificate export)

Select the certificate and click on Export. The root CA certificate used on ISE for pxGrid is shown below.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            09:0c:5e:c1:f8:ae:45:dc:aa:7a:a9:44:38:30:1b:60
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: CN = Certificate Services Root CA - ise-admin
        Validity
            Not Before: Dec 24 15:56:58 2023 GMT
            Not After : Dec 25 15:56:58 2033 GMT
        Subject: CN = Certificate Services Root CA - ise-admin
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FD:D7:71:8F:92:08:72:3F:49:A0:73:AB:B3:4C:35:E0:1A:2B:9A:11
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha384WithRSAEncryption

Step 5> Generate a certificate for FMC:

FMC also needs a certificate of its own to authenticate itself to ISE. The certificate can either be generated from ISE or obtained from an internal CA.

Option: To generate the certificate from ISE:

(Screenshot: ISE client pxGrid certificate generation)

In this post we are going to use an internal CA signed pxGrid certificate on FMC. Below is the certificate used on FMC.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:de:97:a0:fc:80:4f:19:a2:dc:c3:78:bb:c7:8d:ba
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Certificate Services Endpoint Sub CA - ise-admin
        Validity
            Not Before: Dec 26 05:59:33 2023 GMT
            Not After : Dec 26 05:59:33 2025 GMT
        Subject: CN = fmc-1.clicksolution.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                DNS:fmc-1.clicksolution.org
            1.3.6.1.4.1.9.21.2.5:
                ..pxGrid_Certificate_Template
            X509v3 Authority Key Identifier:
                keyid:F4:BA:F9:59:2F:1D:F9:AF:BE:9F:41:62:DF:25:22:40:33:24:BE:89
                DirName:/CN=Certificate Services Node CA - ise-admin
                serial:5D:03:6C:0E:C3:D3:41:15:B9:D5:89:52:C5:D2:40:FE
            X509v3 Subject Key Identifier:
                83:7D:2A:FC:D4:FE:3E:A0:A5:F7:44:44:98:50:C5:58:7E:3F:F6:A0
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption

Step 6> Enable automatic approval of accounts. This step is optional; approval can also be done manually.

(Screenshot: automatically approve certificate)

Step 7> Import the root CA of the ISE pxGrid certificate into the FMC trusted certificates.

(Screenshot: FMC pxGrid root certificate import)

Step 8> Import the root CA certificate of the MNT node's pxGrid certificate on FMC. In this example we are using the ISE internal root CA certificate, so the pxGrid certificates of all nodes are signed by the same root CA and there is no need to import it again.

Step 9> Import the FMC certificate generated in the previous step:

(Screenshot: FMC pxGrid certificate import)

Step 10> Ensure FMC is able to perform forward and reverse lookups of the ISE FQDNs and IP addresses. Navigate to Integration > Identity Sources and enter the details as shown in the screenshot. Save the configuration and click on Test.

(Screenshot: FMC configuration)

(Screenshot: FMC test)
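Before clicking Test in Step 10, it helps to verify offline that the FMC certificate from Step 5 and the root CA export from Step 4 fit together. The following script is an added example, not code from the original post or from Cisco; it assumes openssl 1.1.1 or later in PATH, and the make_demo_certs helper builds constructed stand-in certificates with the same extension profile as the FMC certificate shown above, so the check can be exercised without the real files.

```shell
# check_pxgrid_cert ROOT_PEM CHAIN_PEM CERT_PEM FQDN
#   ROOT_PEM: ISE root CA exported in Step 4; CHAIN_PEM: issuing sub CA(s), may be ""
#   Prints "OK" and returns 0 when every check passes, otherwise names the failing check.
check_pxgrid_cert() {
  root=$1; chain=$2; cert=$3; fqdn=$4
  untrusted=""
  if [ -n "$chain" ]; then untrusted="-untrusted $chain"; fi
  # 1. The chain must end at the root CA that Steps 7/8 import on FMC.
  openssl verify -CAfile "$root" $untrusted "$cert" >/dev/null 2>&1 \
    || { echo "chain: does not verify against $root"; return 1; }
  # 2. pxGrid is mutual TLS: the FMC certificate needs both clientAuth and serverAuth
  #    (the Step 5 dump shows both under Extended Key Usage).
  eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null)
  case $eku in *"TLS Web Client Authentication"*) ;; *) echo "EKU: clientAuth missing"; return 1;; esac
  case $eku in *"TLS Web Server Authentication"*) ;; *) echo "EKU: serverAuth missing"; return 1;; esac
  # 3. The SAN must carry the FQDN that the Step 10 DNS lookups resolve.
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$fqdn" \
    || { echo "SAN: DNS:$fqdn missing"; return 1; }
  # 4. The certificate must be inside its validity window right now.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "validity: certificate expired"; return 1; }
  echo "OK"
}

# make_demo_certs DIR EKU_LIST: constructed demo material (a root CA and an FMC leaf
# signed by it) so the check runs offline; with a real deployment use the exported
# ISE root and the real FMC certificate instead.
make_demo_certs() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Certificate Services Root CA - ise-admin" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fmc-1.clicksolution.org" \
    -keyout "$d/fmc.key" -out "$d/fmc.csr" 2>/dev/null
  # Same extension profile as the FMC certificate shown in Step 5; EKU list as given.
  printf '%s\n' "subjectAltName=critical,DNS:fmc-1.clicksolution.org" \
    "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment" \
    "extendedKeyUsage=critical,$2" "basicConstraints=critical,CA:FALSE" > "$d/ext.cnf"
  openssl x509 -req -in "$d/fmc.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 730 -sha256 -extfile "$d/ext.cnf" -out "$d/fmc.pem" 2>/dev/null
}
```

Run it as check_pxgrid_cert root.pem subca.pem fmc.pem fmc-1.clicksolution.org with the real files; a certificate issued by ISE's Endpoint Sub CA, as in Step 5, needs that sub CA passed as CHAIN_PEM.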

Step 11> In Cisco ISE, navigate to Administration > pxGrid Services > Client Management > Clients. FMC will be shown as enabled.

(Screenshot: Cisco ISE pxGrid client list)

With the above steps we have successfully integrated Cisco ISE with FMC using pxGrid.
