© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 33
Web Security Appliance and Identity Services Engine Integration Guide
Contents
About this document
Prerequisites
Enable pxGrid on ISE
Enabling ERS (ISE)
Joining the domain (ISE)
CA-signed certificates
  Creating the pxGrid certificate template (AD)
  Import trusted root certificate (ISE)
  Import trusted root certificate (WSA)
  pxGrid certificate creation (ISE)
  ERS certificate creation (ISE)
  pxGrid certificate creation (WSA)
  Configure ERS on WSA and test connectivity
Self-signed certificates
  pxGrid certificate creation (WSA)
  Testing connectivity to pxGrid and ERS
WSA policy configuration
  Identification profile
  Decryption policy
  Access policy
Verification
Conclusion
About this document
This document is for Cisco engineers and customers who will deploy the Cisco® Identity Services Engine (ISE) and
Cisco Web Security Appliance (WSA) in their environments and wish to integrate the two solutions. ISE provides
authentication, authorization, and accounting services for domain, local, and guest users and serves as an
important source of information regarding the active users and devices in an environment. Enhancements to the
WSA allow administrators to further leverage this information to enrich their policy configuration and enforcement.
This document covers:
● ISE domain configuration
● Deployment using certificates signed by a certificate authority
● Deployment using self-signed certificates
● WSA policy configuration using security group tags and ISE group information
Prerequisites
Before beginning with this guide, a few basic configuration steps must be completed on the WSA as well as on the
ISE. Basic network settings must be in place on both appliances (IP address, gateway, Domain Name System
[DNS] and Network Time Protocol [NTP] servers), as well as any required licenses installed. The System Setup
Wizard should be completed on the WSA, and all available patches should be installed on ISE. The HTTPS proxy
should also be enabled and configured on the WSA in order to complete the steps that involve decryption policies.
The versions used in this guide are as follows:
WSA: 11.7.0
ISE: 2.4.0.357 Patch 4
Windows Server: 2016 Standard
Enable pxGrid on ISE
The ISE Platform Exchange Grid (pxGrid) service is disabled by default. To enable this service, navigate to
Administration > Deployment. Select the desired ISE node and click Edit. Check the box next to pxGrid and
click Save.
The status of the pxGrid service can be checked using the show app status ise Command-Line Interface (CLI)
command:
ise/admin# show app status ise
ISE PROCESS NAME                       STATE       PROCESS ID
--------------------------------------------------------------------
Database Listener                      running     14838
Database Server                        running     67 PROCESSES
Application Server                     running     20663
Profiler Database                      running     16320
ISE Indexing Engine                    running     23291
AD Connector                           running     24386
M&T Session Database                   running     16130
M&T Log Collector                      running     20943
M&T Log Processor                      running     20840
Certificate Authority Service          running     24136
EST Service                            running     4772
SXP Engine Service                     disabled
Docker Daemon                          running     17044
TC-NAC Service                         disabled
Wifi Setup Helper Container            disabled
pxGrid Infrastructure Service          running     6297
pxGrid Publisher Subscriber Service    running     6496
pxGrid Connection Manager              running     6453
pxGrid Controller                      running     6532
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE RabbitMQ Container                 running     17497
Enabling ERS (ISE)
The External RESTful API Service (ERS) is an API that can be queried by the WSA for group information. The
ERS service is disabled by default on ISE. Once it is enabled, clients may query the API if they authenticate as
members of the ERS Admin group on the ISE node. To enable the service on ISE and add an account to the
correct group, follow these steps:
1. Navigate to Administration > System > Settings.
2. On the left pane, click ERS Settings.
3. Select the option Enable ERS for Read/Write.
4. Click Save and confirm with OK.
5. Navigate to Administration > System > Admin Access.
6. In the left pane, expand Administrators and click Admin Users.
7. Click Add and select Admin User from the drop-down.
8. Enter a username and password in the appropriate fields.
9. In the Admin Groups field, use the drop-down to select ERS Admin.
10. Click Submit.
Joining the domain (ISE)
ISE will need to be domain joined in order to authenticate users and provide group information to the WSA. Follow
these steps to join the domain and add groups:
1. Navigate to Administration > Identity Management > External Identity Groups.
2. In the left pane, click on Active Directory, and in the center pane, click Add.
3. Provide a name for the join point and the domain to be joined.
4. Confirm and provide credentials with permission to join the domain.
5. Verify that the domain is shown as Operational.
6. Navigate to the Groups tab and click Add > Select Groups From Directory.
7. Provide a filter for the desired group and click Retrieve Groups.
8. Check the box next to the desired group and click OK.
9. Click Save.
CA-signed certificates
Certificates are central to all communication between the WSA and ISE. The pxGrid service is mutually
authenticated using both a client and server certificate, and the ERS service is authenticated using a server
certificate. In most cases, an administrator will have a certificate authority in their local domain that is integrated with
Active Directory (AD). This section provides steps for configuring the required certificate template for pxGrid in
Windows Server 2016, as well as generating and signing the certificate signing requests.
Note: If the intention is to use the built-in certificate authority provided by the ISE node, the administrator should
proceed to the Self-signed certificates section.
Creating the pxGrid certificate template (AD)
A template must be specified when issuing a certificate from a certificate authority. The template to be used in
signing the pxGrid certificates must include both Client Authentication and Server Authentication key usage
parameters. The simplest way to create a template with the required parameters is to copy the built-in User
template and alter the properties to fit the requirements of pxGrid. To do this using Active Directory certificate
authority, follow these steps:
1. Using the Certificate Authority snap-in, click on Certificate Templates.
2. In the center pane, right-click and select Manage.
3. In the center pane, right-click on the User template and click Duplicate Template.
4. In the General tab, change the name to pxGrid or any other unique name.
5. On the Request Handling tab, uncheck Allow public key to be exported.
6. On the Extensions tab, click on Application Policies and click on Edit.
7. Click Add and add Server Authentication to the list of policies.
8. Remove any other application policies except for Server Authentication and Client Authentication.
9. On the Subject Name tab, select Supply in the request.
10. Save and close the template.
11. In the Certificate Templates snap-in, right-click and select New > Certificate Template to Issue.
12. Click the new pxGrid template and click OK.
To sign the Certificate Signing Request (CSR) with the new template, save the CSR in a directory that is
accessible by the signing server and use the certreq.exe utility to sign it and save the resulting certificate. In
the following example, the CSR is located at Z:\Certs\isepxGrid.csr:
certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\isepxGrid.csr
Import trusted root certificate (ISE)
The root certificate and any intermediate certificates must also be trusted by ISE in order to complete the trust
chain. Follow these steps to install the root Certificate Authority (CA) certificate in the ISE Trusted Root Authorities
Store:
1. Navigate to Administration > System > Certificates.
2. In the left pane, click Trusted Certificates.
3. In the center pane, click Import.
4. Click Browse to locate the CA certificate file in PEM format.
5. Optionally enter a Friendly Name to identify the certificate.
6. Ensure that both Trust for authentication with ISE and Trust for client authentication and Syslog are
checked.
7. Click Submit.
Import trusted root certificate (WSA)
If the integration design uses an internal certificate authority as the root of trust for the connection between the
WSA and ISE, then this root certificate must be installed on both appliances. Follow these steps to install the root
CA certificate in the WSA Trusted Root Authorities Store:
1. Navigate to Network > Certificate Management > Manage Trusted Root Certificates.
2. Click on Import.
3. Use Browse to locate the certificate (in PEM format) and click Submit.
Note: If any intermediate certificates are present between the root CA and the certificates issued to clients, they
must also be uploaded here.
4. Submit and Commit changes.
pxGrid certificate creation (ISE)
The pxGrid service utilizes client-side certificates for mutual authentication. Next, the client-side certificates will
need to be generated and signed by the root CA. To generate the key pair and certificate signing request on ISE,
follow these steps:
1. Navigate to Administration > System > Certificates.
2. In the left pane, click on Certificate Signing Requests.
3. In the center pane, click on Generate Certificate Signing Requests (CSR).
4. In the Usage section, use the drop-down menu to select pxGrid.
5. In the Node(s) section, select the desired ISE node for pxGrid services.
6. Complete the certificate fields as required and select the desired key length.
7. Click Generate and Export.
To sign the CSR with the pxGrid template, save the CSR in a directory that is accessible by the signing server
and use the certreq.exe utility to sign it and save the resulting certificate. In the following example, the CSR is
located at Z:\Certs\isepxGrid.csr:
certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\isepxGrid.csr
Follow the resulting prompts to save the certificate. To bind the certificate to the CSR in ISE, follow
these steps:
1. Navigate to Administration > System > Certificates.
2. In the left pane, click on Certificate Signing Requests.
3. Select the CSR that was generated previously and click Bind Certificate.
4. Use Choose Certificate to locate the certificate file.
5. Optionally provide a Friendly Name.
6. Ensure that the Usage section specifies pxGrid.
7. Click Submit.
At this point, ISE should be using the CA-signed certificate for pxGrid communication. This can be confirmed by
navigating to Administration > System > Certificates and clicking on System Certificates in the left pane.
ERS certificate creation (ISE)
The ERS service is accessed over a Transport Layer Security (TLS) tunnel and is authenticated with a server-side
certificate. The ISE node will use the same Admin certificate that is used for its web management interface for
ERS. This certificate must also be trusted by the WSA. The process for generating this certificate is the same as
that documented in the previous section, with two important differences. The first difference is that Admin should
be selected in the Usage section.
The second difference is that the CSR should be signed using the built-in WebServer certificate template in
Windows Server:
certreq.exe -submit -attrib certificatetemplate:webserver Z:\Certs\iseAdmin.csr
pxGrid certificate creation (WSA)
In the WSA, the creation of the key pair and certificate for use by pxGrid is completed as part of the ISE services
configuration. To complete the configuration, follow these steps:
1. Navigate to Network > Identity Services Engine.
2. Click Enable and Edit Settings.
3. Enter the ISE server name in the Primary ISE pxGrid Node field.
4. Click Choose File in the ISE pxGrid Node Certificate section.
5. Locate the root CA certificate in PEM format and click Upload.
Note: A common misconfiguration is to upload the ISE pxGrid certificate in this section. The root CA certificate
must be uploaded to the ISE pxGrid Node Certificate field.
Note: In WSA 11.7, all references to the monitoring node have been removed from the ISE settings page. Any
previous references have also been removed from the CLI.
6. You may optionally configure a secondary pxGrid node on this page.
7. In the WSA Client Certificate section, select Use Generated Certificate and Key.
8. Click Generate New Certificate and Key and complete the required certificate fields.
9. Click Download Certificate Signing Request.
Note: At this point, it is a good idea to use the Submit button to commit the changes to the ISE configuration. If
the session is left to time out before the changes are submitted, the keys and certificate that were generated will
be lost, even if the CSR was downloaded. Note that a Commit is not required, only a Submit.
To sign the CSR with the new template, save the CSR in a directory that is accessible by the signing server and
use the certreq.exe utility to sign it and save the resulting certificate. In the following example, the CSR is located
at Z:\Certs\wsapxGrid.csr:
certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\wsapxGrid.csr
Follow the resulting prompts to save the certificate. To bind the certificate to the CSR in the WSA, follow these
steps:
1. Navigate to Network > Identity Services Engine.
2. Click Edit Settings.
3. In the WSA Client Certificate section, use the Choose File option to locate the file in PEM format.
4. Click Upload File.
5. Submit and Commit.
At this point, the WSA should be attempting to communicate with ISE over pxGrid. With default settings, pxGrid
clients must be manually approved. To manually approve the WSA as a pxGrid client, follow these steps:
1. Navigate to Administration > pxGrid Services.
2. Check the box next to the WSA and click Approve.
3. Confirm by clicking OK.
Additionally, it is possible to allow all certificate-authenticated clients to be auto-approved by following these steps:
1. Navigate to Administration > pxGrid Services > Settings.
2. Check the box for Automatically approve new certificate-based accounts.
3. Click Save.
4. Confirm by clicking Yes.
Note: The auto-approve setting cannot be set if there are pending clients. Approve any pending requests before
changing the setting.
Note: In WSA 11.7, there is no communication to the ISE management node. All communication occurs over
pxGrid and ERS.
Configure ERS on WSA and test connectivity
1. Navigate to Network > Identity Services Engine.
2. Click Edit Settings.
3. Check the box next to Enable External Restful Service (ERS).
4. In the ERS Administrator Credentials field, enter the user information that was configured on ISE.
5. If the node is the same as the pxGrid node, check the box for Server name same as ISE pxGrid Node.
Otherwise, enter the required information there.
6. Submit and Commit.
The administrator can now test the connection from the WSA to ISE over both pxGrid and ERS. This test can be
run by navigating to Network > Identity Services Engine > Edit Settings and clicking on Start Test at the bottom
of the page. Successful output will resemble the following:
Checking DNS resolution of ISE pxGrid Node hostname(s)...
Success: Resolved 'ise.chclasen.lab' address: 192.168.0.200
Validating WSA client certificate...
Success: Certificate validation successful
Validating ISE pxGrid Node certificate(s)...
Success: Certificate validation successful
Checking connection to ISE pxGrid Node(s)...
Trying primary PxGrid server...
Preparing TLS connection...
Completed TLS handshake with PxGrid successfully.
Trying download user-sessions...
Failure: Failed to download user-sessions.
Trying download SGT...
Able to Download 17 SGTs.
Trying connecting to primary ERS service...
Trying download user-groups...
Able to Download 9 user-groups.
Success: Connection to ISE pxGrid Node was successful
Test completed successfully.
The status of the pxGrid and ERS connection as well as a list of Security Group Tags (SGTs) and groups that have
been pulled from ISE can be checked using the isedata CLI subcommands:
● STATISTICS - Show the ISE server status and ISE statistics.
● CACHE - Show the ISE cache or check an IP address.
● SGTS - Show the ISE Secure Group Tag (SGT) table.
● GROUPS - Show the ISE Groups table.
Self-signed certificates
If the administrator does not wish to use an in-house certificate authority, it is possible to complete the
configuration using certificates issued by the built-in certificate authority on the ISE node. This section is not
necessary if the previous section was used to install CA-signed certificates.
pxGrid certificate creation (WSA)
The pxGrid service utilizes client-side certificates for mutual authentication. ISE provides a means to generate a
PKCS12 file that contains the ISE certificate chain, as well as the key pair and certificate to be used by the WSA
pxGrid client. To generate this file and extract the key and certificates, follow these steps:
1. On ISE, navigate to Administration > pxGrid > Certificates.
2. In the I want to field, use the drop-down to choose Generate a single certificate (without a certificate
signing request).
3. Complete the certificate fields as required.
4. In the Certificate Download Format section, use the drop-down to choose PKCS12 Format.
5. Enter a password.
6. Unzip the archive file that is downloaded.
7. Use OpenSSL to extract the certificates and private key from the PKCS12 file (in the example, the file is
wsa2.p12).
Extract the ISE CA certificate chain:
openssl pkcs12 -in wsa2.p12 -cacerts -nokeys -out ise-ca.cer
Extract the WSA pxGrid certificate:
openssl pkcs12 -in wsa2.p12 -clcerts -nokeys -out wsa2.cer
Extract the WSA pxGrid private key:
openssl pkcs12 -in wsa2.p12 -nocerts -nodes -out wsa2.key
8. On the WSA, navigate to Network > Certificate Management > Manage Trusted Root Certificates.
9. Click on Import.
10. Use Browse to locate the ISE CA certificate chain and click Submit.
11. Navigate to Network > Identity Services Engine.
12. Click Edit Settings.
13. In the WSA Client Certificate section, use the Choose File options to locate the exported key and certificate.
14. Click Upload Files.
15. Submit and Commit.
Note: In WSA 11.7, all references to the monitoring node have been removed from the ISE settings page. Any
previous references have also been removed from the CLI.
Testing connectivity to pxGrid and ERS
At this point, the WSA should be attempting to communicate with ISE over pxGrid. With default settings, pxGrid
clients must be manually approved. To manually approve the WSA as a pxGrid client, follow these steps:
1. Navigate to Administration > pxGrid Services.
2. Check the box next to the WSA and click Approve.
3. Confirm by clicking OK.
Additionally, it is possible to allow all certificate-authenticated clients to be auto-approved by following these steps:
1. Navigate to Administration > pxGrid Services > Settings.
2. Check the box for Automatically approve new certificate-based accounts.
3. Click Save.
4. Confirm by clicking Yes.
Note: The auto-approve setting cannot be set if there are pending clients. Approve any pending requests before
changing the setting.
Note: In WSA 11.7, there is no communication to the ISE management node. All communication occurs over
pxGrid and ERS.
WSA policy configuration
The WSA can use SGT information learned via the pxGrid connection to ISE as well as group information learned
using the ERS service in both decryption policies and access policies. Both criteria can be configured in a single
policy, but it is important to note that the version of the WSA that was used in the creation of this guide (11.7.0) will
match on either SGT OR AD group. This is an important distinction because it represents a slight deviation in
policy matching as compared with previous versions. This is only applicable if both an SGT and an AD group are
configured in a policy.
The policy matching behavior is explained below, depending on what elements are configured (AD group, user,
or SGT):
AD groups and users: No change to previous behavior; the policy will be matched if the user is a member of the
group, OR the user is specified in the policy.
SGT and AD groups and users: The policy will be matched if the user is associated with the SGT AND is a
member of the AD group, OR the user is specified in the policy.
SGT and users: The policy will be matched if the user is associated with the SGT OR the user is specified in
the policy.
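The three matching rules above, written out as an added illustration (not code from the Cisco guide or from the WSA); it assumes the rules reduce naturally when a policy lists only SGTs or only groups with no named users, and that policy tables are evaluated top-down with the first match winning:

```python
"""Model of the WSA 11.7.0 policy-matching rules for SGT, ISE group and user criteria.

Added example, not code from the Cisco guide or from the WSA itself. It encodes
the three rules stated in the guide; for a policy that lists only SGTs or only
groups, the user criterion is simply false (assumption: the rules reduce
naturally when the users list is empty).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyMembership:
    """'Authorized Users and Groups' elements configured on one decryption or access policy."""
    sgts: FrozenSet[int] = frozenset()      # ISE Secure Group Tags (learned over pxGrid)
    groups: FrozenSet[str] = frozenset()    # ISE Groups (learned over ERS)
    users: FrozenSet[str] = frozenset()     # explicitly named users


@dataclass(frozen=True)
class Transaction:
    """Identity attributes the WSA holds for the client of one transaction."""
    user: str
    groups: FrozenSet[str] = frozenset()
    sgt: Optional[int] = None               # None: no SGT known for this client


def matches(policy: PolicyMembership, tx: Transaction) -> bool:
    """Apply the 11.7.0 matching rules described in the guide."""
    user_hit = tx.user in policy.users
    group_hit = bool(policy.groups & tx.groups)
    sgt_hit = tx.sgt is not None and tx.sgt in policy.sgts

    if policy.sgts and policy.groups:
        # SGT and AD groups and users: SGT AND group, OR the named user.
        return (sgt_hit and group_hit) or user_hit
    if policy.sgts:
        # SGT and users: SGT OR the named user.
        return sgt_hit or user_hit
    if policy.groups:
        # AD groups and users (unchanged behaviour): group OR the named user.
        return group_hit or user_hit
    return user_hit


def first_match(policies: List[Tuple[str, PolicyMembership]], tx: Transaction) -> Optional[str]:
    """Return the name of the first policy in table order that matches, or None.

    Assumption: the table is evaluated top-down and the first match wins; a
    transaction that matches no row falls through to the Global Policy, which
    is represented here by None.
    """
    for name, policy in policies:
        if matches(policy, tx):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample values; SGT 4 and the Domain Users group mirror the guide's log entry.
    domain_users = "chclasen.lab/Users/Domain Users"
    table = [
        ("Decrypt-Employees", PolicyMembership(sgts=frozenset({4}), groups=frozenset({domain_users}))),
        ("Decrypt-Contractors", PolicyMembership(sgts=frozenset({7}))),
    ]
    cisco = Transaction("cisco", frozenset({"chclasen.lab/Builtin/Users", domain_users}), sgt=4)
    guest = Transaction("guest", frozenset(), sgt=7)
    untagged = Transaction("carol", frozenset({domain_users}), sgt=None)
    for tx in (cisco, guest, untagged):
        print(f"{tx.user:8s} -> {first_match(table, tx)}")
```

Note that `untagged` is a Domain Users member with no SGT and so does not match the first row: under the 11.7.0 rules a policy carrying both an SGT and a group requires both.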
Identification profile
In order to use security group tags or ISE group information in the WSA policies, an identification profile must first
be created that utilizes ISE as a means to transparently identify users. To create such a profile, follow the steps
below:
1. Navigate to Web Security Manager > Identification Profiles.
2. Click Add Identification Profile.
3. Name the profile appropriately.
4. In the Identification and Authentication section, use the drop-down to choose Transparently identify users
with ISE.
5. Submit and Commit.
Decryption policy
Once the identification profile has been created, the decryption policies can be configured to use this profile and to
use SGT or group information. To configure a decryption policy to use those attributes, follow the steps below:
1. Navigate to Web Security Manager > Decryption Policies.
2. Click Add Policy.
3. Name the policy appropriately.
4. In the Identification Profiles and Users section, use the drop-down to choose Select One or More
Identification Profiles.
5. In the Identification Profiles section, use the drop-down to choose the name of the ISE identification profile.
6. In the Authorized Users and Groups section, select the radio button next to Selected Groups and Users.
7. Click the hyperlink next to ISE Secure Group Tags.
Note: In instances where AD authentication is used in addition to transparent ISE authentication, there will be two
distinct types of groups that may be configured in a policy element. One will be named “Groups” and represents
AD groups that are obtained through the authentication realms configured on the WSA. The other will be named
“ISE Groups” and represents groups obtained from ISE.
8. In the Secure Group Tag Search section, check the box to the right of the desired SGT and click Add.
9. Click Done to return.
10. Click the hyperlink next to ISE Groups.
11. Highlight the desired group in the search pane and click Add.
12. Click Done to return.
13. Both the selected SGT and group will now be present in the policy.
14. Submit and Commit.
Access policy
SGT and group information can also be employed in access policies. To configure an access policy to use those
attributes, follow the steps below:
1. Navigate to Web Security Manager > Access Policies.
2. Click Add Policy.
3. Name the policy appropriately.
4. In the Identification Profiles and Users section, use the drop-down to choose Select One or More
Identification Profiles.
5. Click the hyperlink next to ISE Secure Group Tags.
Note: In instances where AD authentication is used in addition to transparent ISE authentication, there will be two
distinct types of groups that may be configured in a policy element. One will be named Groups and represents
AD groups that are obtained through the authentication realms configured on the WSA. The other will be named
ISE Groups and represents groups obtained from ISE.
6. In the Secure Group Tag Search section, check the box to the right of the desired SGT and click Add.
7. Click Done to return.
8. Click the hyperlink next to ISE Groups.
9. Highlight the desired group in the search pane and click Add.
10. Click Done to return.
11. Both the selected SGT and group will now be present in the policy.
12. Submit and Commit.
Verification
In order to confirm that the configured policies have taken effect, the administrator may examine the access logs to
ensure that traffic is being matched accordingly. Additional custom fields can be added to this log to indicate group
membership and authentication method. In WSA 11.7, there is a new custom field (%X#11#) that denotes the SGT
associated with the user. The following table describes the three custom fields that are most relevant to ISE
authentication:
Format specifier in access logs   Description
%g                                The groups associated with a transaction.
                                  Example: "domain.lan/Domain Users"
%m                                The authentication mechanism used on the transaction.
                                  Example: SSO_TUI
%X#11#                            The number representing the Security Group Tag associated with an authenticated user.
                                  Example: 4
The full list of available custom fields is available in the WSA GUI at System Administration > Log
Subscriptions > accesslogs > Custom Fields Reference.
Example access log entry with the %g, %m, and %X#11# custom fields appended at the end of the line:
1543519369.674 205 192.168.0.50 TCP_MISS/200 5258 GET http://www.blue.com/ "cisco" DIRECT/www.blue.com text/html DEFAULT_CASE_12-DefaultGroup-ISE_Auth-NONE-NONE-NONE-DefaultGroup-NONE <IW_pers,-3.0,1,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,IW_pers,-,"Unknown","Personal Sites","-","Unknown","Unknown","-","-",205.19,0,-,"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-> - "chclasen.lab/Builtin/Users,chclasen.lab/Users/Domain Users" SSO_ISE 4
Information about the ISE engine in the WSA is found in the ise_service_log. When troubleshooting, it can be
useful to change the logging level for this log to debug.
The isedata CLI command provides various subcommands for verifying the status of the ISE connection as well as
the state of the authentication cache. Below are examples of the output of these commands:
>isedata
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> statistics
PxGrid Connection Status: CONNECTED
PxGrid Hostname: ise.chclasen.lab
PxGrid Time of Connection: 2018-11-30T13:42:27.377060
ERS Connection Status: CONNECTED
ERS Hostname: ise.chclasen.lab:9060
ERS Time of Connection: 2018-11-29T16:23:50.302516
Session Bulk Download: 1
Group Bulk Download: 1
SGT Bulk Download: 18
Session Update: 0
Group Update: 0
Memory Allocation: 105
Memory Deallocation: 34
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> cache
Choose the operation you want to perform:
- SHOW - Show the ISE ID cache.
- CHECKIP - Query the local ISE cache for an IP address
[]> show
IP Name SGT#
192.168.10.50 cisco 4
Choose the operation you want to perform:
- SHOW - Show the ISE ID cache.
- CHECKIP - Query the local ISE cache for an IP address
[]>
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> sgts
SGT# SGT Name SGT Description
65535 ANY Any Security Group
13 Test_Servers Test Servers Security Group
3 Network_Services Network Services Security Group
7 Production_Users Production User Security Group
10 Point_of_Sale_Systems Point of Sale Security Group
11 Production_Servers Production Servers Security Group
8 Developers Developer Security Group
12 Development_Servers Development Servers Security Group
4 Employees Employee Security Group
15 BYOD BYOD Security Group
5 Contractors Contractor Security Group
255 Quarantined_Systems Quarantine Security Group
9 Auditors Auditor Security Group
2 TrustSec_Devices TrustSec Devices Security Group
0 Unknown Unknown Security Group
14 PCI_Servers PCI Servers Security Group
6 Guests Guest Security Group
16 Windows10
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]>groups
GROUPS#
chclasen.lab/Users/Domain Users
chclasen.lab/Users/Contractors
GuestType_Weekly (default)
OWN_ACCOUNTS (default)
GROUP_ACCOUNTS (default)
GuestType_SocialLogin (default)
Employee
GuestType_Daily (default)
GuestType_Contractor (default)
ALL_ACCOUNTS (default)
Conclusion
The Cisco Identity Services Engine serves as a valuable tool for user authentication, authorization, and accounting.
Integrating ISE with the Cisco Web Security Appliance enables an administrator to leverage the wealth of user
identity information available over pxGrid and the ERS API to enrich their policy enforcement and reporting. This
guide has covered the basic configuration of both ISE and the WSA to allow for this exchange of information using
both CA-signed and self-signed certificates. It has also explained the basic WSA policy configuration and
verification steps required to leverage the integrated solution. The administrator should have all of the tools
required to confidently deploy the solution and configure the required policy elements to meet their needs.
Printed in USA C07-741637-00 01/19