Cisco Cisco Web Security Appliance S690 User Guide

On the ISE server, add 
ISE Admin and pxGrid 
certificates.

Navigate to the Administration > Certificates page, and generate or 
upload ISE Admin and pxGrid certificates:

For CA-signed certificates, generate two Certificate Signing 
Requests, one each for Admin and pxGrid Usage, and then have 
the certificates signed.

Upon receipt of the signed certificates, upload both to the 
ISE server.

Perform the “Bind the CA Signed Certificate” operation for both.

Be sure to add the CA root certificate to the ISE server’s Trusted 
Certificates store.

Restart the ISE server.

For self-signed certificates, navigate to Administration > 
Certificates > System Certificates, and generate two Self Signed 
Certificates, one each for Admin and pxGrid. (You can also elect 
to generate one common certificate for both.)

Add both to the Trusted Certificates store.

Export the self-signed certificate(s) for import onto the WSA.

Ensure the appropriate self-signed or CA root certificates for 
these ISE Admin and pxGrid certificates are added to the Trusted 
Certificates store, as discussed in 

Ensure the ISE server is 
configured appropriately for 
WSA access.

Each ISE server must be configured to allow identity topic subscribers 
(such as WSA) to obtain session context in real-time. The basic steps are:

Ensure “Enable Auto Registration” is turned ON (Administration > 
pxGrid Services > Top Right).

Delete all existing WSA clients from the ISE server (Administration 
> pxGrid Services > Clients).

Be sure the ISE server footer (Administration > pxGrid Services) 
says “Connected to pxGrid.”

Configure SGT groups on ISE server (Policy > Results > TrustSec > 
Security Groups).

Configure policies that associate the SGT groups with users.

Refer to 

more information.