When configuring ISE Pxgrid integration with Active Directory, there are certain audit settings and permissions that need to be set in order to allow the information to pass to ISE. If you've ever configured Cisco Context Directory Agent, you're about to receive a blast from the past. This is because the settings and permissions are exactly the same.
This is where we're going to create our group policy to push down to our clients. The idea of pushing the settings down to users via GPO is to make security mandatory but also try to make it as transparent to a user as possible. Little things such as pushing the dot1x SSID information and enabling the users to auto-connect to the SSID when in range goes a long way to user experience. Likewise, having your users automatically be enrolled with a user certificate and their NIC card settings automatically configured increases the transparency of ISE from a user perspective. Ideally, the users should never know ISE is there authenticating and authorizing their corporate computers and acting as the gatekeeper between them and the rest of the network UNLESS a policy is violated somehow.
Certificate Templates will play a big role in ISE and Pxgrid integration in our lab and most likely in any production rollout of ISE. While recent versions of ISE do support using ISE as a certificate authority, most implementations of ISE that I've seen implemented leverage an Active Directory Certificate Authority. In later blog posts, I might end up going through a lot of these same steps using the ISE CA instead but I'd rather cover what's going to be used in the majority of implementations first.
If you're implementing any of this in production, you probably have a domain controller and Certificate Authority in place already. Depending on what you plan on using ISE for though, there are settings that you might need to adjust. Since this is a lab environment that I'm setting up, I'm going to make an assumption that you might be setting up a lab as well and walk you through some of the things I do as I'm setting it up.
At this point, we've added our roles, created Certificate Templates, pushed out a GPO, and laid the groundwork for Pxgrid Identity Mapping. This is the point where I finish up with some last minute housekeeping items and run a couple of tests.