Cisco Web Security Appliance S170 User Guide

AsyncOS 8.7 for Cisco Web Security Appliances User Guide
 
Chapter 8: Integrate the Cisco Identity Services Engine
Tasks for Integrating the Identity Services Engine Service
These certificates can be Certificate Authority (CA)-signed or self-signed. AsyncOS provides the option 
to generate a self-signed WSA Client Certificate, or a Certificate Signing Request (CSR) instead, if a 
CA-signed certificate is needed. Similarly, the ISE server provides the option to generate self-signed 
Admin and pxGrid certificates, or CSRs instead, if CA-signed certificates are needed.
Please note the following caveats regarding both the WSA- and ISE-related certificates:
- In the case of self-signed certificates, the ISE pxGrid and Admin certificates both must be in the 
  Trusted Certificates list on the ISE server, and the WSA Client certificate also must be in the ISE 
  Trusted Certificates list.
- In the case of CA-signed certificates:
  - The appropriate CA root certificate must be present in the Trusted Certificates list on the ISE 
    server (Administration > Certificates > Trusted Certificates).
  - The appropriate CA root certificate(s) must be present in the Trusted Certificates list on the 
    WSA (Network > Certificate Management > Manage Trusted Root Certificates). If not present, 
    upload the CA root certificate(s) for the Primary pxGrid and Admin certificates to the ISE 
    configuration page.
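
The caveats above can be checked offline before anything is uploaded. The following is an added example, not part of the Cisco guide: it uses the standard `openssl` command line to decide whether a certificate is self-signed or CA-signed and whether a chosen root bundle validates it. All file names, subject names and the helper functions `cert_kind`, `chains_to` and `trust_requirement` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: every subject name and file below is constructed for the demo;
# nothing here contacts a WSA or an ISE server.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Prints "self-signed" if the certificate verifies with itself as the only
# trust anchor, otherwise "ca-signed".
cert_kind() {
  if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Succeeds only if certificate $1 chains to a root in PEM bundle $2.
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Names what the peer's Trusted Certificates list needs for certificate $1,
# given the root bundle $2 that you plan to upload.
trust_requirement() {
  if [ "$(cert_kind "$1")" = self-signed ]; then
    echo "import the certificate itself"
  elif chains_to "$1" "$2"; then
    echo "import the CA root"
  else
    echo "root bundle does not validate this certificate"
  fi
}

# Constructed stand-ins: two demo root CAs, a self-signed "pxGrid" certificate,
# and a "WSA client" certificate issued from a CSR by the first demo CA.
new_key() { cn=$1; name=$2; shift 2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$work/$name.key" "$@" 2>/dev/null; }
new_key "Demo Root CA" ca -x509 -days 1 -out "$work/ca.pem"
new_key "Demo Other CA" other -x509 -days 1 -out "$work/other.pem"
new_key "pxgrid.example" pxgrid -x509 -days 1 -out "$work/pxgrid.pem"
new_key "wsa-client.example" wsa -new -out "$work/wsa.csr"
openssl x509 -req -in "$work/wsa.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
  -CAcreateserial -days 1 -out "$work/wsa.pem" 2>/dev/null

for c in wsa pxgrid; do
  echo "$c: $(trust_requirement "$work/$c.pem" "$work/ca.pem")"
done
```

Running the same functions against the certificates exported from the WSA and the ISE server shows, before upload, which entry each Trusted Certificates list needs and catches a root bundle that does not match the issuing CA.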
Tasks for Integrating the Identity Services Engine Service
| Step | Task | Links to Related Topics and Procedures |
|------|------|----------------------------------------|
| 1 | Configure WSA Client certificate. | Create or upload a CA-signed or self-signed WSA Client certificate to the WSA. Download the certificate for upload to the ISE server. See . |
| 2 | Add WSA Client Certificate to ISE server. | On the ISE server, import the WSA Client certificate downloaded from the WSA in the previous step, adding it to the Trusted Certificate list. (Navigate to Administration > Certificates > Trusted Certificates > Import.) |
| 3 | Configure ISE Admin and pxGrid certificates on the ISE server. | On the ISE server, navigate to the Administration > Certificates page. For CA-signed certificates, generate two Certificate Signing Requests, one each for Admin and pxGrid Usage, and then have the certificates signed. Verify that the CA root certificate is present in the ISE server's Trusted Certificates list. Upon receipt of the signed certificates, upload them to the ISE server, perform the Bind the CA Signed Certificate operation for both, and then restart the ISE server. For self-signed certificates, navigate to Administration > Certificates > System Certificates, and generate one or two Self Signed Certificates, one each for Admin and pxGrid. (You can also elect to generate one common certificate for both.) Export the self-signed certificate(s) for import on the WSA. |
Note: Ensure the appropriate certificates are added to the Trusted 
Certificates list, as discussed in