Cisco Web Security Appliance S370 User Guide
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 8 Integrate the Cisco Identity Services Engine
Tasks for Integrating the Identity Services Engine Service
Note
Whenever you upload or change certificates on the ISE server, you must restart the ISE service. Also, a few minutes may be required before the services and connections are restored.
Step 4
Task: Ensure the ISE server is configured appropriately for WSA access.
Links to Related Topics and Procedures:
Each ISE server must be configured to allow identity topic subscribers (such as WSA) to obtain session context in real-time. The basic steps are:
• Ensure “Enable Auto Registration” is turned ON (Administration > pxGrid Services > Top Right).
• Delete all existing WSA clients from the ISE server (Administration > pxGrid Services > Clients).
• Be sure the ISE server footer (Administration > pxGrid Services) says “Connected to pxGrid.”
• Configure SGT groups on ISE server (Policy > Results > TrustSec > Security Groups).
• Configure policies that associate the SGT groups with users.
Refer to
more information.

Step 5
Task: Add ISE Admin and pxGrid certificate(s) to the WSA for each ISE server.
Links to Related Topics and Procedures:
• If using CA-signed certificates, verify the Certificate Authority that signed these two certificates is listed in Trusted Root Certificates section on the WSA. If not, import the CA root certificate. See
Note
The ISE Admin Certificate and ISE pxGrid Certificate fields can be left blank on the WSA’s Identity Services Engine page if using CA-signed certificates.
• If using self-signed certificates, add the certificate file(s) exported from the ISE server to the WSA’s Identity Services Engine page. If using a single certificate for both Admin and pxGrid, upload the file twice, once each in the ISE Admin Certificate and ISE pxGrid Certificate fields. See

Step 6
Task: Configure the WSA for ISE access and logging.
Links to Related Topics and Procedures:
• .
• Add the custom field %m to the Access Log to log the Authentication mechanism – .
• Verify that the ISE Service Log was created; if it was not, create it – .
• Ensure the ISE Service Log was created; if not, add it – .
• Define Identification Profiles that access ISE for user identification and authentication – .
• Configure access policies that utilize ISE identification to define criteria and actions for user requests –
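An added example for step 5 (not from the Cisco guide): a shell helper that uses the openssl CLI to decide which branch of the step applies to a pair of PEM certificates exported from ISE. The function names, file arguments and output wording are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify exported ISE certificates before the step 5 upload.
# File names are hypothetical; certificates must be PEM-encoded.

# Exit 0 when the certificate is self-signed: issuer equals subject AND the
# signature verifies under the certificate's own public key.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Exit 0 when CERT chains to CA_ROOT (a PEM file or bundle you already trust).
signed_by() {   # usage: signed_by CERT.pem CA_ROOT.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint, used to tell whether Admin and pxGrid share one cert.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print which step 5 branch applies; exit 1 when neither branch can be proven.
upload_plan() { # usage: upload_plan ADMIN.pem PXGRID.pem [CA_ROOT.pem]
    admin=$1 pxgrid=$2 ca=${3:-}
    if [ -n "$ca" ] && signed_by "$admin" "$ca" && signed_by "$pxgrid" "$ca"; then
        echo "ca-signed: confirm the CA root is in Trusted Root Certificates; fields may stay blank"
    elif is_self_signed "$admin" && is_self_signed "$pxgrid"; then
        if [ "$(fingerprint "$admin")" = "$(fingerprint "$pxgrid")" ]; then
            echo "self-signed, single certificate: upload the same file in both fields"
        else
            echo "self-signed, two certificates: upload each file in its own field"
        fi
    else
        echo "unverified: not self-signed and not signed by the supplied CA"
        return 1
    fi
}

# Run directly: sh script.sh ADMIN.pem PXGRID.pem [CA_ROOT.pem]
if [ "$#" -ge 2 ]; then upload_plan "$@"; fi
```

An "unverified" result usually means the CA root passed as the third argument is not the one that issued the ISE certificates, which is the same mismatch that would leave the WSA unable to trust the ISE server.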