Cisco Cisco Web Security Appliance S670 User Guide

Be sure each ISE server is configured appropriately for WSA access; see 

Obtain ISE server connection information.

Obtain valid ISE-related certificates (client, Portal and pxGrid) and keys. See also 

 for related information.

Choose Network > Identification Service Engine.

Click Edit Settings. 

Check Enable ISE Service.

Identify the Primary ISE pxGrid Node using its host name or IPv4 address.

Provide an ISE pxGrid Node Certificate for WSA-ISE data subscription (on-going queries to the 
ISE server).

Browse to and select the certificate file, and then click Upload File. See 

 for additional information.

If using a second ISE server for failover, identify the Secondary ISE pxGrid Node using its host name 
or IPv4 address.

Provide the secondary ISE pxGrid Node Certificate.

Browse to and select the certificate file, and then click Upload File. See 

 for additional information.

During failover from primary to secondary ISE servers, any user not in the existing ISE SGT 
cache will be required to authenticate, or will be assigned Guest authorization, depending on 
your WSA configuration. After ISE failover is complete, normal ISE authentication resumes.

Upload the ISE Monitoring Node Admin Certificates:

Provide the Primary ISE Monitoring Node Admin Certificate for use in bulk download of ISE 
user-profile data to the WSA.

Browse to and select the certificate file, and then click Upload File. See 

 for additional information.

If using a second ISE server for failover, provide the Secondary ISE Monitoring Node 
Admin Certificate.

Provide a WSA Client Certificate for WSA-ISE server mutual authentication:

This must be a CA trusted-root certificate. See 

 for 

related information.

For both the certificate and the key, click Choose and browse to the respective file.

If the Key is Encrypted, check this box.