The pxGrid technology has been out for a while, so I did not expect to run into any major issues. I followed this guide but was still confused about adding pxGrid to an existing ISE deployment and making it work with FirePOWER. So I created this post for reference; maybe it will help others. Versions used:
Cisco ISE: 2.4
Cisco FMC: 6.2
First, you need to join the new pxGrid node to the existing ISE deployment. Self-signed certificates were used to keep this deployment simple. I was pleasantly surprised that a manual exchange of self-signed certificates is no longer necessary when you register a new node: after entering the IP address and the local admin username and password, I was prompted to trust/import the self-signed certificate of the pxGrid node.
Next, select the pxGrid role and complete the join process.
Once the join completed I checked under Administration > pxGrid Services and all looked good. Nothing else needed to be done on the ISE side.
I figured integration with FirePOWER Management Center (FMC) would be as easy. To start, we need to generate a certificate and key for FMC on ISE by going to pxGrid Services > Certificates tab. With self-signed certificates the process is simple and all the options are depicted below (CN is the FMC FQDN and SAN is the FMC IP address; the client certificate FMC presents to pxGrid must match the host you point ISE at, so use the same values here as in FMC's own hostname configuration).
Once you hit Create, a zip file is generated and downloaded with the following contents (your list may differ depending on the ISE deployment):
CertificateServicesEndpointSubCA-ise01_.cer >> PAN/MNT1 node CA certificate
CertificateServicesNodeCA-ise01_.cer >> PAN/MNT1 node certificate
CertificateServicesRootCA-ise02_.cer >> PAN/MNT2 node certificate
firepower.company.com_10.10.10.200.cer >> Certificate to be imported into FMC
firepower.company.com_10.10.10.200.key >> Private key to be imported into FMC (encrypted with the password you entered on ISE)
Company*CertificateAuthority_.cer >> Your company's subordinate CA certificate, signed by the root
Company*RootCA_.cer >> Your company's root CA certificate
So far so good. Now you need to import these certificates into FMC so it can authenticate ISE and ISE can authenticate it. This is done under System > Integration > Identity Sources > Identity Services Engine.
Since I already have these values populated, I'll review what I had to do to make it work.
Primary Host – IP address of the ISE pxGrid node (ex. 10.10.10.80). If you have a backup pxGrid node, add it as the secondary.
pxGrid Server CA – Since we use self-signed certificates, this is the certificate of the pxGrid node itself (FMC uses it to validate the pxGrid server's TLS certificate). For some reason it did not make it into the zip file, so we need to export it manually from ISE: System > Certificates > System Certificates, expand the pxGrid node, select the certificate assigned to the pxGrid role and export it (certificate only, no private key).
When adding certificate use meaningful names for easy troubleshooting.
MNT Server CA – this one had me puzzled for a bit. Finally I figured out this is the Root CA that signed the certificate assigned to the pxGrid role on the MNT node (FMC connects to MNT over the REST API to pull session data and validates that certificate against this CA). So which one is it if we have a Primary and a Secondary MNT and use self-signed certificates? Keep in mind the MNT role can fail over, so we need to check the certificate chain on both the Primary and the Secondary MNT and make sure the CA we import covers whichever one is active.
By comparing the certificate chain of each certificate I found that in my case both are signed by the ise02 self-signed root CA. That is the certificate to use (file CertificateServicesRootCA-ise02_.cer).
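Eyeballing chains in the ISE GUI works, but it is easy to pick the wrong file when two nodes each carry a self-signed root with a similar name. The script below is an added example, not part of the original post or any Cisco tool: given the pxGrid certificate exported from an MNT node and the CertificateServices*.cer files from the bundle, it reports which CA file actually verifies the signature, which is the file to import as MNT Server CA. It assumes openssl is installed and that the .cer files are PEM (convert with openssl x509 -inform DER first if yours are not). The two roots and the MNT certificate it generates are constructed sample data standing in for a real bundle; the file names mirror the ones in the zip but are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the post): find which CA in the ISE pxGrid
# certificate bundle signed a pxGrid certificate exported from an MNT node,
# so the right file goes into the FMC "MNT Server CA" field.
# Assumes openssl is installed and the .cer files are PEM.
set -eu

# Subject / issuer of a PEM certificate, prefix stripped so the two can be compared.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# find_signing_ca LEAF CA_FILE... : print the CA file that cryptographically
# verifies LEAF. A name match (issuer == subject) alone is not proof, since two
# ISE nodes can each carry a self-signed root with the same CN, so the signature
# itself is checked. -partial_chain lets a subordinate CA (e.g. a Node CA) be
# accepted as the trust anchor instead of insisting on a self-signed root.
find_signing_ca() {
    leaf=$1; shift
    for ca in "$@"; do
        if openssl verify -partial_chain -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
            echo "$ca"
            return 0
        fi
    done
    echo "no CA in the bundle verifies $leaf" >&2
    return 1
}

# Constructed sample data standing in for the ISE bundle: two self-signed
# roots (ise01, ise02) and an MNT pxGrid certificate issued by the ise02 root.
make_demo_bundle() {
    dir=$1
    for node in ise01 ise02; do
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$dir/$node-root.key" -out "$dir/CertificateServicesRootCA-${node}_.cer" \
            -subj "/CN=Certificate Services Root CA - $node" -days 1 2>/dev/null
    done
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/mnt.key" -out "$dir/mnt.csr" -subj "/CN=ise02.company.com" 2>/dev/null
    openssl x509 -req -in "$dir/mnt.csr" -CA "$dir/CertificateServicesRootCA-ise02_.cer" \
        -CAkey "$dir/ise02-root.key" -set_serial 4660 -days 1 -out "$dir/mnt-pxgrid.cer" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_bundle "$demo_dir"

# Real use: find_signing_ca <exported MNT pxGrid cert> <unzipped bundle>/CertificateServices*.cer
mnt_ca=$(find_signing_ca "$demo_dir/mnt-pxgrid.cer" "$demo_dir"/CertificateServicesRootCA-*.cer)
echo "Issuer of MNT cert : $(cert_issuer "$demo_dir/mnt-pxgrid.cer")"
echo "MNT Server CA file : $(basename "$mnt_ca")"
```

Run it once against the certificate exported from the Primary MNT and once against the Secondary; if the two answers differ, FMC's single MNT Server CA field cannot cover both and you will lose the MNT connection on failover until the certificates are reissued from a common CA.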
Finally, FMC Server Certificate – consists of the certificate and its key (firepower.company.com_10.10.10.200.cer and firepower.company.com_10.10.10.200.key). During import you will need the password you set on ISE when the zip bundle was generated, because the key file is encrypted with it.
Once all fields are populated, hit Test to check connectivity.
If the Automatically approve new certificate-based accounts option is not checked on ISE (Administration > pxGrid Services > Settings), the FMC client registers but is left Pending on the ISE side and you will get this error:
…timed out trying to form connection to ISE server.
Unable to connect to ISE server at host:
Connection to ISE server failed because of time out
At this point we just need to approve the new client on ISE under pxGrid Services > All Clients (status Pending). Leaving auto-approval off and approving clients by hand is the safer option, since anyone holding a certificate chained to a CA ISE trusts could otherwise register a pxGrid client unattended.
Select the client and hit Approve.
Run another Test from FMC and it should complete successfully.
On ISE under pxGrid Services you can check All Clients or Live Log to confirm there are no errors.