Cisco Identity Services Engine 1.0.4 Troubleshooting Guide

Introduction
The Identity Services Engine (ISE) Version 1.3 supports a new API called pxGrid. This modern and flexible
protocol supports authentication, encryption, and privileges (groups), which allows for easy integration with
other security solutions. This document describes the usage of the pxLog application, which has been written as a
proof of concept. pxLog is able to receive syslog messages from an Intrusion Prevention System (IPS) and send
pxGrid messages to the ISE in order to quarantine the attacker. As a result, ISE uses RADIUS Change of
Authorization (CoA) to change the authorization status of the endpoint, which limits its network access.
All of this happens transparently to the end user.
For this example, Snort has been used as the IPS, but any other solution could be used. In fact, the sender does not
have to be an IPS. All that is required is to send a syslog message to pxLog with the IP address of the
attacker. This makes integration with a large number of solutions possible.
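The receiving side of the flow described above, as an added example (not pxLog's code and not from Cisco): it extracts the source address from a Snort syslog alert and applies checks before that address would be passed to a quarantine request. The policy keys, addresses, SID, and sample messages are constructed for this example, and the pxGrid call itself is left out.

```python
import ipaddress
import re

# Snort syslog alert body: [gid:sid:rev] msg ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{(?P<proto>[\w-]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed policy for this example (all values are assumptions).
POLICY = {
    "sensors": {"192.0.2.10"},                                   # hosts allowed to send alerts
    "sids": {1000001},                                           # rules that may trigger quarantine
    "endpoint_nets": [ipaddress.ip_network("198.51.100.0/24")],  # assumed endpoint subnet
    "protected": {ipaddress.ip_address("198.51.100.1")},         # never quarantine (gateway)
}

def quarantine_candidate(sender_ip, line, policy=POLICY):
    """Return the attacker IP to quarantine, or None if the message is ignored."""
    if sender_ip not in policy["sensors"]:       # plain UDP syslog is unauthenticated
        return None
    m = ALERT_RE.search(line)
    if not m or int(m["sid"]) not in policy["sids"]:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:                           # e.g. 999.1.1.1
        return None
    if src in policy["protected"]:
        return None
    if not any(src in net for net in policy["endpoint_nets"]):
        return None
    return str(src)

# Constructed sample messages: (syslog sender, message)
HDR = "<33>Jan  5 10:00:01 ips snort[2211]: "
SAMPLES = [
    ("192.0.2.10", HDR + "[1:1000001:1] ICMP test [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.23 -> 198.51.100.1"),
    ("192.0.2.10", HDR + "[1:1000001:1] ICMP test [Priority: 3] {ICMP} 198.51.100.1 -> 198.51.100.23"),
    ("203.0.113.9", HDR + "[1:1000001:1] ICMP test [Priority: 3] {ICMP} 198.51.100.23 -> 198.51.100.1"),
    ("192.0.2.10", HDR + "[1:2000002:1] Other rule [Priority: 2] {TCP} 198.51.100.23:4444 -> 198.51.100.1:80"),
    ("192.0.2.10", HDR + "[1:1000001:1] ICMP test [Priority: 3] {ICMP} 999.1.1.1 -> 198.51.100.1"),
]

def decisions():
    return [quarantine_candidate(sender, msg) for sender, msg in SAMPLES]

if __name__ == "__main__":
    for (sender, _), result in zip(SAMPLES, decisions()):
        print(sender, "->", result or "ignored")
```

Only the first sample yields an address; the others are dropped because the source is a protected host, the sender is not a known sensor, the SID is not enabled, or the address is malformed.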
This document also shows how to troubleshoot and test pxGrid solutions, along with the typical problems and
limitations.
Disclaimer: The pxLog application is not supported by Cisco. This article has been written as a proof of
concept. The primary purpose was to use it during the beta testing of the pxGrid implementation on the ISE.
Prerequisites
Requirements
Cisco recommends that you have experience with Cisco ISE configuration and basic knowledge of these
topics:
• ISE deployments and authorization configuration
• CLI configuration of Cisco Catalyst Switches
Components Used
The information in this document is based on these software and hardware versions:
• Microsoft Windows 7
• Cisco Catalyst 3750X Series Switch Software, Versions 15.0 and Later
• Cisco ISE Software, Versions 1.3 and Later
• Cisco AnyConnect Mobile Security with Network Access Manager (NAM), Version 3.1 and Later
• Snort Version 2.9.6 with Data Acquisition (DAQ)
• pxLog Application Installed on Tomcat 7 with MySQL Version 5
Network Diagram and Traffic Flow