Firepower 6.0 pxGrid Integration with ISE - Self-signed Certificates

I'm going to go through the configuration of Firepower v6.0.x for pxGrid integration with ISE using self-signed certificates. We went through the configuration of Firepower with CA-signed certificates in a previous post and you'll see that the configuration is very similar to that in this post. 

In the Firepower Management Center (FMC), navigate to Objects>Object Management>PKI>Internal CAs and click the Generate CA button and provide the certificate information.

 

Click on the pencil icon and download the certificate.

At this point, it will ask you to give it a password. I used cisco123 and downloaded the certificate. 

Rename the p12 file and copy it to the FMC using WinSCP.

SSH to the SMC and convert the P12 file into CER and KEY files using the following commands:

sudo openssl pkcs12 -nokeys -clcerts -in fmc2.p12 -out fmc2.cer

sudo openssl pkcs12 -nocerts -in fmc2.p12 -out fmc2.key

Enter the encryption password used before.

Use WinSCP to move the CER and KEY files off the FMC. 

In ISE, navigate to Administration>System>Certificates>Trusted Certificates and import the FMC cer file.

 

Navigate to Administration>System>Certificates>System Certificates, check the box next to the ISE self-signed certificate and click Export. Export both the certificate and the private key. It will download as a zip file. Unzip it and change the name of the cert to something human readable. 

 

 

 

In the FMC, navigate to Object>Object Management>PKI>Trusted CAs and click on the Add Trusted CAs button. Add the ISE trusted cert and use the encryption key that you configured for it. 

Navigate to Object>Object Management>PKI>Internal Certs and click on the Add Internal Cert button. Add the Firepower cer and key files. 

Delete the bag attributes.

And the <no> at the end.

Be sure to enter the encryption password and click Ok.

Navigate to System>Integration>Identity Sources and click the Identity Services Engine button.

Fill in the ISE IP address and user the previously uploaded ISE cert for the first two CA fields. For the third one, use the previously created FMC2 cert and click Save

In ISE, navigate to Administration>pxGrid Services to see your Firepower Management Center added. 

If you followed the above steps and this still did not work, check the following:

  • Check the network connectivity between the FMC and ISE (ping from the CLI, etc)
  • If you're using ISE 2.0 or below, you will need to click Enable Auto-Registration instead on the Administration>pxGrid Services>Clients page
  • Make sure that the pxGrid Persona is enabled on the ISE client you are using
  • Make sure that there are no Pending Approvals under Administration>pxGrid Services

The next thing we will configure is the Active Directory Realm in Firepower. Navigate to System>Integration>Realms and click New Realm.

In the Add New Realm pop-up, add the following:

  • Name of the Realm
  • (Optional) Description
  • Choose a type - AD or LDAP
  • Enter the AD primary domain
  • Add the username
  • Add the password
  • Base DN
  • Group DN 
  • Pick the Group Attribute - Member 

On the next page, click the Add Directory button and add the domain server.

Click the Test button to make sure you can connect to the AD server and then click Ok

Click on the User Download tab. On this tab, check the box next to Download users and groups and then click the Download Now button to download the AD groups.

Click Save to save the realm. 

You will be brought back to the Realms page. Make sure the State slider is enabled to enable this realm

Navigate to Policies>Access Control>Identity and click on New Policy. Name the new policy and click Ok. On the next page, click on Add Rule and create a Passive Authentication Policy as follows:

Click Add and save your identity policy. 

 

Now we will add our newly created Identity Policy to our Access Control Policy. Navigate to Policies>Access Control>Access Control and edit your policy. On the top, click on the link next to the Identity Policy and choose your new policy from the drop-down and click save.

Click on the Advanced tab and edit the Transport/Network Layer Preprocessor Settings and check the box next to Ignore the VLAN header when tracking connections and click Ok

Save you Access Control Policy.

To verify you are getting information about your hosts, navigate to Analysis>Users>User Activity and you should see information passed by ISE.

Now we are going to create a policy based on the ISE attributes. Navigate to Policies>Access Control>Access Control and edit your Policy. Click Add Rule and click on the ISE Attributes tab

Under this tab, we can create rules based on the following:

  • Security Group Tags
  • Device Type 
  • Location IP

In this rule, I'm going  block social media based on Domain Admin SGT:

After clicking OK, saving and deploying my policy, anyone with the Domain Admin SGT should be blocked from accessing social media.