Cisco ISE pxGrid integration with Firepower

Cisco ISE and Firepower can exchange attributes such as TrustSec SGT (Security Group Tag), endpoint profile information and IP address via pxGrid. These attributes can then be used in Firepower Access Control Policies to permit/deny access as required. In addition, this integration can also be used to quarantine users/hosts in the event that a user performs a malicious activity. When Firepower detects the malicious activity it will match a correlation rule on the FMC, which instructs ISE to perform a remediation action such as sending a CoA (Change of Authorization) and quarantining the user by applying a DACL and/or a new SGT.

This post will describe how to configure the pxGrid integration between the FMC and ISE. It is assumed that you already have a working ISE environment with users/computers authenticating using dot1x and a working Firepower FMC/FTD environment.

Refer to these previous ISE posts on how to configure ISE, dot1x authentication and more information about configuring TrustSec.

The following software versions were used:-

  • Firepower Management Centre 6.2.2.2
  • Firepower Threat Defence Virtual 6.2.2.2
  • Identity Services Engine 2.4
  • Windows Server 2008 R2 (Domain Controller and PKI)
  • Windows 7 Enterprise

Certificate Template

We will be using a Windows PKI environment to sign the certificates for pxGrid. A custom certificate must be created to ensure the Server Authentication and Client Authentication EKU are applied to the certificates in order for pxGrid to work correctly.

  • On a Windows Server/Computer, access the Certificate Templates Console
  • Select an existing Template such as User, right click and select Duplicate Template
  • Name the certificate appropriately e.g. pxGrid
  • Select the validity period e.g. 2 years
  • Click the Extensions tab
  • Select Application Policies, then Edit
  • Ensure Client Authentication AND Server Authentication are selected


  • Click Subject Name tab
  • Ensure Supply in the request is selected


  • Click the Security tab
  • Ensure that you (the administrator) have rights to Enroll the certificate
  • Once complete click Ok to complete the configuration of the new Template
  • Open the Certificate Authority MMC
  • Right click Certificate Templates and select New > Certificate Template to Issue


  • From the list select the Template previously created for pxGrid


  • Click Ok

ISE Configuration

ISE pxGrid Configuration

  • Open the ISE WebGUI
  • Navigate to Administration > System > Deployment
  • Select the PSN that will act as the pxGrid node
  • Ensure the pxGrid role is selected


  • Navigate to Administration > PxGrid Services
  • Click Settings
  • Ensure Automatically approve new certificate-based accounts is selected

ISE Certificate Request/Signing

  • On the ISE WebGUI, navigate to Administration > System > Certificates > Certificate Management > Certificate Signing Requests
  • Click Generate Certificate Signing Requests (CSR)
  • From the Usage drop-down list, select pxGrid
  • From the list select a node
  • Complete the subject values and add a SAN if required
  • Click Generate once complete
  • Save the file to disk
  • From a Windows computer open the Certificate Authority Web Enrollment page e.g. https://servername/certsrv/
  • Click Request a certificate
  • Click Or submit an advanced certificate request
  • Open the ISE pxGrid CSR file and copy the CSR request, paste this output in the Saved Request box


  • From the Certificate Template drop-down list select the pxGrid Template created in the previous section
  • Click Submit
  • Select Base 64 encoded
  • Click Download certificate
  • On the ISE WebGUI, navigate to Administration > System > Certificates > Certificate Management > Certificate Signing Requests
  • Click Bind Certificate
  • Click Browse and select the certificate just signed by the CA
  • Ensure Usage is pxGrid

  • Click Submit
  • Navigate to Administration > System > Certificates > Certificate Management > System Certificates
  • Ensure the new certificate has been assigned to the pxGrid role


TrustSec Security Groups

  • Navigate to Work Centers > TrustSec > Components > Security Groups
  • Click Add
  • Create a new Security Group and name appropriately e.g. HQ_Users


  • Navigate to Policy Sets
  • Select your dot1x Policy Set
  • Modify an Authorization Policy and select the Security Group previously added


  • Click Save

The ISE configuration is now complete.

Firepower Configuration

Firepower Certificate Request/Signing

  • Login to the CLI of the FMC
  • Enter the command openssl genrsa -out FMC.key 2048 to generate a private key


  • Enter the command openssl req -new -key FMC.key -out FMC.csr to generate the CSR
  • Fill in the appropriate Country Code, State, Locality, Organisation Name and Common Name when prompted
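The following is an added example, not part of the original post, covering two points from the sections above: the key/CSR generation on the FMC, and the certificate template requirement that the issued certificate carry BOTH the Server Authentication and Client Authentication EKUs. Because a Windows CA is not available offline, the script stands in for it with a constructed local test CA whose extension file mirrors the pxGrid template; the file names, subject values and working directory are all assumptions. The useful part for a practitioner is the final set of checks, which you would run against the real CA-signed certificate before binding it in ISE or uploading it as an Internal Cert on the FMC: both EKUs present, the certificate chains to the trusted CA, and the certificate's public key matches FMC.key.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an FMC key and CSR
# non-interactively, signs it with a CONSTRUCTED local test CA that applies
# both pxGrid EKUs, then validates the result the way you would validate the
# certificate returned by the Windows CA. All names and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: the same openssl commands as the post, with -subj so no prompts appear.
make_fmc_csr() {
  openssl genrsa -out "$WORK/FMC.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/FMC.key" -out "$WORK/FMC.csr" \
    -subj "/C=GB/ST=London/L=London/O=Example Org/CN=fmc.example.local"
  # Confirm the CSR's self-signature is intact before sending it anywhere.
  openssl req -in "$WORK/FMC.csr" -noout -verify >/dev/null 2>&1
}

# Step 2: constructed stand-in for the Windows CA and its pxGrid template.
# The extension file is the equivalent of ticking Client Authentication
# AND Server Authentication in the template's Application Policies.
make_test_ca_and_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 365 -subj "/CN=Example Test CA" 2>/dev/null
  cat > "$WORK/pxgrid.ext" <<'EOF'
extendedKeyUsage = serverAuth, clientAuth
keyUsage = digitalSignature, keyEncipherment
EOF
  openssl x509 -req -in "$WORK/FMC.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/FMC.crt" -days 730 -extfile "$WORK/pxgrid.ext" 2>/dev/null
}

# Step 3: checks to run on any CA-issued certificate before binding/uploading it.

# Returns 0 only if the certificate carries BOTH EKUs pxGrid requires.
cert_has_both_ekus() {
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$txt" in *"TLS Web Client Authentication"*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if the certificate ($1) validates against the CA file ($2).
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 if the certificate ($1) was issued for the private key ($2).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Runs the whole flow; returns non-zero if any pre-upload check fails.
run_pipeline() {
  make_fmc_csr
  make_test_ca_and_sign
  cert_has_both_ekus "$WORK/FMC.crt" || { echo "FMC.crt is missing an EKU"; return 1; }
  cert_chains_to_ca "$WORK/FMC.crt" "$WORK/ca.crt" || { echo "FMC.crt does not chain to CA"; return 1; }
  key_matches_cert "$WORK/FMC.crt" "$WORK/FMC.key" || { echo "FMC.crt does not match FMC.key"; return 1; }
  echo "FMC.crt passed all checks in $WORK"
}
```

To check a certificate returned by the real CA, drop the constructed CA step and call cert_has_both_ekus, cert_chains_to_ca (with the Base 64 Root CA file downloaded from the Web Enrollment page) and key_matches_cert directly against the downloaded file and FMC.key. A certificate issued from the default User or Web Server template will fail the EKU check, which is exactly the failure the custom pxGrid template exists to avoid.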


The files need to be copied off the box in order for the CSR to be processed. You can use SCP from the FMC; you will need an SCP server such as SolarWinds SFTP/SCP Server running on a computer.

  • Enter the command scp -r FMC.csr username@ipaddress:/ in order to copy the .csr file, repeat for the .key file


  • From a Windows computer open the Certificate Authority Web Enrollment page e.g. https://servername/certsrv/
  • Click Request a certificate
  • Click Or submit an advanced certificate request
  • Open the FMC.csr file and copy the CSR request, paste this output in the Saved Request box


  • From the Certificate Template drop-down list select the pxGrid Template created in the previous section
  • Click Submit
  • Select Base 64 encoded
  • Click Download certificate


  • Click Home (top right)
  • Click Download a CA certificate, certificate chain or CRL
  • Select Base 64
  • Select Download CA certificate and save to the local computer

Import Certificate to FMC

  • Navigate to Objects > Object Management > PKI
  • Select Trusted CAs
  • Click Add Trusted CA
  • Name the Root CA appropriately
  • Click Browse
  • Select the Root CA file previously downloaded
  • Click Save


  • Click Internal Certs
  • Click Add Internal Cert
  • Name the certificate appropriately
  • Click Browse to upload the signed certificate
  • Click Browse (key or, choose a file:) and select the FMC.key file created in the previous section


Firepower ISE Integration

  • Navigate to System > Integration > Identity Sources
  • Select Identity Services Engine
  • Enter the Primary Hostname/IP address of the pxGrid PSN

NOTE – if using the FQDN of the PSN, ensure that the FMC can resolve the hostname.

  • If you are running a secondary pxGrid PSN enter this or leave blank
  • From the drop-down list select the pxGrid Server CA (as previously defined as the Root CA)
  • From the drop-down list select the MNT Server CA
  • From the drop-down list select the FMC Server Certificate


  • Click Test


  • Click Save
  • Navigate to Policies > Access Control > Access Control
  • Modify your ACP
  • Create a new rule at or near the top of the rule list
  • Select the SGT/ISE Attributes tab
  • Click Security Group Tag
  • Select your SGT e.g. HQ_Users and Add to Rule


  • Click Save
  • Ensure this new rule will be matched before any other permit rule that would normally be used for allowing outbound traffic


  • Click Save
  • Deploy policy to FTD

Testing and Verification

  • Login to the CLI of the FTD
  • Run the command show access-control-config


You will be able to identify the rules as defined in the ACP via the FMC. In this instance the rule called HQ Users SGT identifies the Security Group Tag as [45:2002]. 45 is the unique SGT ID that FMC stores in its local database and shares with the FTD, while the actual SGT defined on ISE is 2002. FMC does not propagate the real SGT to the FTD sensors, but uses a unique ID instead.

  • Login as a user to a test computer and ensure that the HQ_Users SGT is successfully applied
  • Check the ISE Live Logs to confirm the correct authorization rule was matched


  • From the CLI of the FTD run the command system support firewall-engine-debug
  • Specify the IP protocol e.g. tcp
  • Specify the client IP address (this would be the IP address of the client that user1 logged in from in this example)
  • Do not specify a server IP address or server port
  • On a client computer generate some traffic by opening a web page on the internet


From the output on the FTD CLI you will see that this traffic matched the correct rule, HQ Users SGT, that the correct SGT ID was matched and that the action was allow. Remember the Firepower SGT ID is 45, which maps to the real ISE SGT ID of 2002.

You can also check the Snort user_identity file to confirm the SGT mappings.

  • Enter expert mode, run the command expert
  • Run the command cd /var/sf/detection_engines/instance-x
  • Run the command sudo cat user_identity.dump


You can see from the output the mapping of IP address 192.168.11.101 to SGT ID of 45.

If a user logs in without an SGT or with a different SGT and attempts to access the internet, it would not match rule 1 (HQ Users SGT) and be permitted as per rule 2 (Allow Outbound) in our example, or denied if you specify that in your ruleset.
