Cisco ISE and WSA Integration Guide
Contents
Cisco ISE and WSA Integration
Overview of Cisco ISE and WSA Integration
ISE-WSA Deployment
Supported ISE and WSA Versions
Cisco ISE and WSA Integration Workflow
View User Status Using WSA Reporting
Troubleshoot ISE-WSA Integration Issues Using Log Files
Troubleshoot ISE-WSA Integration Issues - ISE Server Connectivity
Overview of SMA in Relation to ISE-WSA Integration
Revised: September 12, 2016
Cisco ISE and WSA Integration
Overview of Cisco ISE and WSA Integration
Integrating the Cisco Identity Services Engine (ISE) with the Web Security Appliance (WSA) lets WSA use the rich set of features that ISE offers to identify an endpoint and apply the appropriate access policies, the most important of which is the TrustSec Security Group Tag (SGT). Using SGTs, you can classify users into different identity groups; for example, users who belong to security group SGT10 can be allowed to reach only certain social networking sites. The access policies in WSA are built on the SGTs that ISE assigns to a user session.
WSA does not itself support network authentication methods such as 802.1X. When WSA is integrated with ISE, the endpoint is authenticated by ISE (for example with 802.1X, which is stronger than proxy-level authentication), and the Cisco pxGrid feature shares the resulting session context (the endpoint's IP address, its user name and its SGT) from ISE to WSA, so that WSA can authorize the user and apply the matching policy.
ISE-WSA Deployment
Cisco ISE and WSA integration identifies users by their IP addresses: WSA obtains the IP-to-user mapping from ISE. Because WSA learns every new session through this exchange, keep the network path between ISE and WSA as short as possible to reduce the latency and performance impact. Note also that, because identity is keyed on the source IP address, requests arriving from a NAT gateway or an upstream proxy are all attributed to whatever session ISE holds for that shared address; deploy WSA where it sees the endpoints' real addresses.
The figure below depicts the Cisco ISE-WSA integration workflow.
Supported ISE and WSA Versions
• Cisco ISE, Release 1.3
• Cisco WSA, Release 8.7.0 and higher
Cisco ISE and WSA Integration Workflow
Steps to be followed to integrate Cisco ISE with WSA:
Procedure
Step 1
Create SGTs for WSA Clients.
Step 2
Set Up the WSA.
Step 3
Configure ISE Features on WSA.
Step 4
Create Identity Profiles for WSA Clients.
Step 5
Create Access Policies for WSA Clients.
Create SGTs for WSA Clients
To initiate the integration, you need to create a new identity group (for example, IDGroup3) for the users and link this identity group to an SGT (for example, SGTGroup3). Finally, you need to create a policy set that uses IEEE 802.1X authentication for users belonging to the identity group that you created earlier.
Before You Begin
• Ensure that you delete all existing WSA clients from the ISE server (Administration > pxGrid Services > Clients).
• Ensure that the WSA client IP addresses are populated in ISE to process requests from WSA.
• Ensure that the pxGrid services are enabled. Verify that the Connected to pxGrid message is displayed in the pxGrid Services page (Administration > pxGrid Services).
• Ensure that you have generated the CA-signed certificates.
• Ensure that you restart the ISE server whenever you change the certificates on the ISE server.
• Choose Administration > Certificates > Trusted Certificates > Import to import the pxGrid certificate, the ISE server admin certificate and the WSA client certificate (or the CA certificate that signed it), so that each side trusts the other. Only certificates are imported here; the WSA private key stays on the WSA and is never uploaded to ISE.
• Choose the Administration > System > Deployment > General Settings page and, in the Personas section, check the pxGrid check box to facilitate communication between ISE and WSA.
• Choose Administration > pxGrid Services and select the Enable Auto-Registration option. If the Auto-Registration option is disabled, the ISE server admin has to manually allow WSA client registration when the WSA pxGrid client tries to connect to the pxGrid server on ISE. With auto-registration enabled, any pxGrid client that presents a certificate trusted by ISE is registered without review, so leave it disabled if you want each new client approved by an administrator.
• Choose the Administration > Certificates > Trusted Certificates > Edit page to edit the WSA certificate. Check all the check boxes under the Trusted For option in the Usage section.
• Choose the Administration > System > Settings > Protocols > ERS Settings page and enable the Enable ERS for Read/Write option in the ERS Setting for Primary Administration Node section to enable the REST server to communicate with the WSA.
Procedure
Step 1
Choose Administration > Identity Management > Groups > Add to create WSA user identity groups.
Step 2
Choose Policy > Policy Elements > Results > TrustSec > Security Groups > Add to define the required WSA-related SGTs in the Security Groups page.
Step 3
Choose Administration > Identity Management > Identities > Users.
Step 4
Click Add to create the network access users. Users are assigned to different ID groups.
Step 5
Choose Policy > Policy Sets > WirelessWGA > Authorization Policy (WirelessWGA is the example policy set name used here) to create the rules that are applicable to the identity and SGT groups.
Figure 1:
What to Do Next
You should configure the WSA for the ISE-WSA integration.
Set Up the WSA
Before You Begin
• Connect the WSA appliance to networks and devices.
• Complete the System Setup Wizard worksheet.
• If you are planning to run the System Setup Wizard on a virtual appliance, use the loadlicense command to load the virtual
appliance license. For complete information, see the Cisco Content Security Virtual Appliance Installation Guide at http://
www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.
Procedure
Step 1
Open a browser and enter the IP address of the WSA. The first time you run the System Setup Wizard, use the default address https://192.168.42.42:8443 or http://192.168.42.42:8080, where 192.168.42.42 is the default IP address, 8080 is the default admin port for HTTP, and 8443 is the default admin port for HTTPS. If the appliance is already configured, use the IP address of the M1 port.
Step 2
Enter the username and password when the appliance login screen appears. By default, the appliance ships with the following credentials; because they are publicly documented, change the password as soon as setup completes:
• Username: admin
• Password: ironport
Step 3
Choose System Administration > System Setup Wizard to open the welcome page that contains four tabs: Start, Network, Security, and Review.
Step 4
If the appliance is already configured, you will be warned that you are about to reset the configuration. To continue with the System Setup Wizard, click the Reset Configuration button. The appliance will reset and the browser will refresh to the appliance home screen.
Step 5
In the Start tab, read and accept the terms of the end user license agreement.
Step 6
Click Begin Setup to continue.
Step 7
In the Network tab, configure all settings using the provided reference tables as required.
Step 8
In the Security tab, configure all settings.
Step 9
In the Review tab, review the configuration information. If you need to change an option, click the Edit button for that section.
Step 10
Click Install This Configuration.
The Next Steps page should appear once the configuration is installed. However, depending on the IP, hostname, or DNS settings you configured during setup, you may lose connection to the appliance at this stage. If a "Page not found" message is displayed in your browser, change the URL to reflect any new address settings and reload the page. Then continue with any post-setup tasks you wish to perform.
Configure ISE Features on WSA
Before You Begin
• Obtain the ISE server hostname or IP address.
• Obtain WSA client authentication certificate and key files, if you are using an externally generated certificate/key combination.
• Obtain the ISE Admin certificate for WSA data initialization.
• Obtain the ISE pxGrid certificate for WSA data subscription.
Procedure
Step 1
Choose Network > Identity Services Engine to open the Identity Services Engine configuration page.
Step 2
Click Edit Settings to add or update the WSA client, ISE admin, and pxGrid certificates.
Step 3
Verify that the Enable ISE Service check box is checked to enable the ISE service.
Step 4
Identify the ISE server by using its host name or IPv4 address.
Step 5
Select the method you want to use to provide a client certificate for the WSA-ISE server mutual authentication:
• Use Uploaded Certificate and Key: upload and choose the files, as necessary.
• Or, Use Generated Certificate and Key: generate a new certificate and key, if necessary.
◦Click Generate New Certificate and Key.
◦In the Generate Certificate and Key dialog box, enter the information to display in the signing certificate.
◦Click Generate.
◦Click the Download Certificate Signing Request link to obtain the CSR and submit it to a Certificate Authority (CA). After you receive the signed certificate from the CA, click Browse, navigate to the signed certificate, and click Upload File.
◦Add the CA root under Administration > Certificates > Trusted Certificates on the ISE server, if it is not already present.
• Or, if you do not want a CA-signed WSA client certificate and will use the generated certificate as a self-signed one:
◦Click Download Certificate and save the certificate to a local folder.
◦Upload this certificate to Administration > Certificates > Trusted Certificates on the ISE server. ISE then trusts exactly this certificate, so whenever you regenerate the WSA certificate and key you must upload the new certificate to ISE again.
Step 6
If using a locally saved WSA client certificate and key, ensure that the certificate is present under Administration > Certificates > Trusted Certificates on the ISE server, or import it there by choosing Administration > Certificates > Trusted Certificates > Import in the ISE Admin UI.
Step 7
Provide an ISE Admin Certificate for use in bulk download of ISE user-profile data to the WSA. Browse to and select the certificate file, and then click Upload Files. See Uploading a Root Certificate and Key, page 22-25, for additional information.
Step 8
Provide an ISE pxGrid Certificate for WSA-ISE data subscription (ongoing queries to the ISE server). Browse to and select the certificate file, and then click Upload Files. See Uploading a Root Certificate and Key, page 22-25, for additional information.
Step 9
(Optional) Click Start Test. The test:
• Resolves the ISE host name to its corresponding IP address.
• Validates the WSA client certificate.
• Validates the ISE pxGrid certificate.
• Validates the ISE Admin certificate.
• Checks the connection to the ISE pxGrid server and retrieves the SGTs.
• Checks the connection to the REST server.
Step 10
Click Submit, and then click Commit Changes.
WSA Identification Profile Settings
Choose Web Security Manager > Identification Profiles > Add Identification Profile to create the identification profile for the WSA clients that need to be identified through ISE. The Identification Profiles page contains the following sections:
Client/User Identification Profiles
Enable Identification Profile:
• Name: enter a name for the identification profile.
• Description: enter the description.
• Insert Above: enter the position of this profile in the order in which profiles are matched against an incoming request (top to bottom).
User Identification
Transparently identify users with ISE: the user name and associated SGTs are obtained from ISE.
Fallback to Authentication Realm or Guest Privileges
If user identification is not available from ISE:
• Support Guest Privileges: the user is proxied through WSA and treated as a guest.
• Require Authentication: the user is proxied through WSA and must authenticate by using protocols such as NT LAN Manager (NTLM), Lightweight Directory Access Protocol (LDAP), Kerberos, or Transparent User Identification (TUI).
• Block Transactions: do not allow Internet access to users who cannot be identified by ISE.
The options for Fallback to Authentication Realm or Guest Privileges change according to the selection made:
Support Guest Privileges: no further options.
Require Authentication:
Select a Realm or Sequence:
• authLDAP
• ntlmrealm
• All Realms
Authentication Surrogates:
• IP Address: the Web Proxy tracks an authenticated user at a particular IP address. For TUI, select this option.
• Persistent Cookie: the Web Proxy tracks an authenticated user on a particular application by generating a persistent cookie for each user per application. Closing the application does not remove the cookie.
• Session Cookie: the Web Proxy tracks an authenticated user on a particular application by generating a session cookie for each user per domain per application. (However, when a user provides different credentials for the same domain from the same application, the cookie is overwritten.) Closing the application removes the cookie.
Block Transactions: no further options.
Create Identity Profiles for WSA Clients
You should create an identification profile for WSA clients and assign guest privileges to users on the subnet 10.4.100.0/24.
Procedure
Step 1
Choose Web Security Manager > Identification Profiles > Add Identification Profile.
Step 2
In the Enable Identification Profile section, enter the required details.
Step 3
In the User Identification Method section, choose Transparently Identify Users with ISE and Support Guest Privileges.
Step 4
In the Membership Definition section, enter a subnet address (for example, 10.4.100.0/24).
Step 5
In the Define Members by Protocol section, select the required options (for example, HTTP/HTTPS and Native FTP).
Step 6
Click Submit.
You can also choose to completely block a user or an endpoint.
Create Access Policies for WSA Clients
You have created the identification profile for users on the subnet 10.4.100.0/24. You need to verify that the SGTs are retrieved from ISE so that you can associate the access policy with the required SGT.
Note
Alternatively, use the CLI command isedata to verify the retrieved ISE SGTs.
Procedure
Step 1
Choose Web Security Manager > Access Policies > Add Policy.
Step 2
In the Policy Settings section, enter the required details.
Step 3
In the Policy Member Definition section, choose Select One or More Identification Profiles from the Identification Profiles and Users drop-down list.
Step 4
From the Select Identification Profile drop-down list, choose the identification profile that you created earlier.
Step 5
In the Authorized Users and Groups column, select Selected Groups and Users.
Step 6
Click the No Tags Entered link to get the SGTs from the ISE server. (The list is the same as on the ISE Policy > Policy Elements > Results > TrustSec > Security Groups page.)
Step 7
Choose the required SGTs (for example, SGTGroup3) and click Add to append the selected SGTs to the Authorized Secure Group Tags section.
Step 8
Click Done to add the selected SGTs to the access policy.
The access policy is now linked, through the identification profile, to the SGT that you created.
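How the identification profile, its fallback setting and the SGT-keyed access policies combine at request time, as an added illustrative model (this is not WSA code; the profile names, subnets, the SGT name SGTGroup3, the policy names and the IW_srch category label are assumptions chosen to mirror the access log examples in the troubleshooting section of this guide):

```python
"""Added illustrative model of WSA identification + SGT policy selection.
Not WSA's implementation: profile names, subnets, SGT names and the URL
category label are assumptions chosen to mirror this guide's examples."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IseSession:
    """One entry of the IP-to-user mapping WSA receives from ISE over pxGrid."""
    user: str
    sgts: frozenset = frozenset()   # empty: ISE knows the user but assigned no SGT


@dataclass(frozen=True)
class IdentificationProfile:
    name: str
    members: ipaddress.IPv4Network   # Membership Definition subnet
    fallback: str                    # "guest", "require_auth" or "block"


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    sgts: frozenset                  # Authorized Secure Group Tags; empty = catch-all default
    blocked_categories: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    user: str        # what the access log prints in the user field
    id_method: str   # SSO_ISE, GUEST, AUTH or NONE (last field of the access log)
    policy: str      # access policy group that handled the request
    action: str      # ALLOW or BLOCK


def make_profile(name, cidr, fallback):
    return IdentificationProfile(name, ipaddress.ip_network(cidr), fallback)


def identify(ip, profiles, ise_cache, realm_users):
    """Pick the first profile whose subnet contains ip (top-down order, like
    'Insert Above'), then resolve the user: ISE cache first, then fallback."""
    addr = ipaddress.ip_address(ip)
    profile = next((p for p in profiles if addr in p.members), None)
    if profile is None:
        return None
    session = ise_cache.get(ip)
    if session is not None:
        return session.user, session.sgts, "SSO_ISE"
    if profile.fallback == "guest":
        return f"(Unauthenticated){ip}", frozenset(), "GUEST"
    if profile.fallback == "require_auth":
        user = realm_users.get(ip)   # assumed: a realm (NTLM/LDAP) already authenticated this IP
        return (user, frozenset(), "AUTH") if user else None
    return "-", frozenset(), "NONE"  # "block": unidentified traffic is refused


def evaluate(ip, category, profiles, policies, ise_cache, realm_users=None):
    ident = identify(ip, profiles, ise_cache, realm_users or {})
    if ident is None or ident[2] == "NONE":
        return Decision("-", "NONE", "NONE", "BLOCK")
    user, sgts, method = ident
    # First policy whose Authorized SGTs intersect the session's SGTs wins;
    # a policy with no SGT restriction (the default policy) matches everyone.
    for pol in policies:
        if not pol.sgts or pol.sgts & sgts:
            action = "BLOCK" if category in pol.blocked_categories else "ALLOW"
            return Decision(user, method, pol.name, action)
    return Decision(user, method, "NONE", "BLOCK")


# Constructed scenario mirroring the four access-log examples in this guide.
PROFILES_GUEST = (make_profile("ISEProfile", "10.0.0.0/8", "guest"),
                  make_profile("GuestNet", "172.16.0.0/12", "guest"))
PROFILES_BLOCK = (PROFILES_GUEST[0], make_profile("GuestNet", "172.16.0.0/12", "block"))
POLICIES = (AccessPolicy("BYODPolicy", frozenset({"SGTGroup3"}), frozenset({"IW_srch"})),
            AccessPolicy("DefaultGroup", frozenset()))
CACHE_WITH_SGT = {"10.19.75.75": IseSession("user1", frozenset({"SGTGroup3"}))}
CACHE_NO_SGT = {"10.19.75.75": IseSession("user1")}


def demo():
    return {
        "cache_no_sgt": evaluate("10.19.75.75", "IW_srch", PROFILES_GUEST, POLICIES, CACHE_NO_SGT),
        "cache_with_sgt": evaluate("10.19.75.75", "IW_srch", PROFILES_GUEST, POLICIES, CACHE_WITH_SGT),
        "fallback_guest": evaluate("172.29.177.25", "IW_srch", PROFILES_GUEST, POLICIES, CACHE_WITH_SGT),
        "fallback_block": evaluate("172.29.177.25", "IW_srch", PROFILES_BLOCK, POLICIES, CACHE_WITH_SGT),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:15} user={d.user!r:35} {d.id_method:8} {d.policy:13} {d.action}")
```

The four scenarios in demo() correspond to the four access log examples later in this guide: a user that ISE knows but without an SGT falls through to the default policy; a user whose SGT matches BYODPolicy is blocked by that policy's category rule; an address absent from the ISE cache is handled by the profile's fallback, either as a guest or by refusing the transaction. The point to remember is that "identified by ISE" and "authorized by an SGT" are two separate conditions, which is why the troubleshooting section tells you to check the isedata cache when an ISE-identified user lands in an unexpected policy.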
View User Status Using WSA Reporting
After you have created the identification profiles and access policies for a user, you can check their status when they log on to the network. Navigate to the Reporting > Web Tracking page, enter the required fields, and click Search to view the output in the Results section. For example, if User3 is authenticated by ISE, you can view the text "Identified by ISE" along with the client IP address in the report. For guest users and blocked IP addresses, only the client IP address is displayed. For complete information, see the Web Tracking Page in the WSA User Guide.
Troubleshoot ISE-WSA Integration Issues Using Log Files
The WSA records its activities related to system and traffic management in its log files. The logs related to ISE-WSA integration are
the W3C logs, access logs, ISE logs, and proxy logs. You can use these logs to monitor and troubleshoot issues related to the integration.
Log File: W3C Logs
Function: Records Web Proxy client history in a W3C-compliant format.
WSA GUI Path: System Administration > Log Subscriptions
SSH Commands: Depends on the GUI configuration (System Administration > Log Subscriptions) or the logconfig CLI command.
Log File: Access Logs
Function: Records Web Proxy client history.
WSA GUI Path: System Administration > Log Subscriptions > accesslogs
SSH Commands: ssh admin@WSA, then tail accesslogs
Log File: ISE Logs
Function: Records messages related to using ISE, such as communication success or failure with the ISE server.
WSA GUI Path: System Administration > Log Subscriptions > ise_service_log
SSH Commands: ssh admin@WSA, then tail ise_service_log
Log File: Proxy Logs
Function: Records errors related to the Web Proxy. This is the most basic of all Web Proxy related logs. To troubleshoot more specific aspects related to the Web Proxy, create a log subscription for the applicable Web Proxy module.
WSA GUI Path: System Administration > Log Subscriptions > proxylogs
SSH Commands: ssh admin@WSA, then tail proxylogs
Access Log Files - Examples
Given below are some examples of access log entries that can be used for troubleshooting. Each entry is a single line; the last field shows how the user was identified (SSO_ISE, GUEST, or NONE).
Example 1: Access policy applied to a user found in the ISE cache without an SGT.
1424330486.386 320 10.19.75.75 TCP_MISS/200 68632 GET http://www.bing.com/ "user1" DIRECT/www.bing.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_srch,6.1,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"-","-","Bing","Search Engine","-","-",1715.80,0,-,"-","-",1,"-",-,-,"-","-"> - SSO_ISE
Example 2: Access policy applied to a user in the ISE cache with a matching SGT.
1424331112.566 0 10.19.75.75 TCP_DENIED/403 0 GET http://www.bing.com/ "user1" NONE/- BLOCK_WEBCAT_12-BYODPolicy-DefaultGroup-NONE-NONE-NONE-NONE <IW_srch,6.1,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - SSO_ISE
Example 3: Access policy with fallback to guest.
1424330523.414 155 172.29.177.25 TCP_MISS/200 68647 GET http://www.bing.com/ "(Unauthenticated)172.29.177.25" DIRECT/www.bing.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_srch,6.1,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"-","-","Bing","Search Engine","-","-",3543.07,0,-,"-","-",1,"-",-,-,"-",""> - GUEST
Example 4: Access policy with fallback to block transaction.
1424331683.561 0 172.29.177.25 TCP_DENIED/403 0 GET http://www.bing.com/ - NONE/- OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - NONE
ISE Log File - Example
Given below is an example of the ISE log file (ise_service_log) that can be used for troubleshooting. The two ISEBulkDownloader lines confirm that the initial bulk download from ISE succeeded and how many SGTs and sessions it returned.
Thu Mar 12 20:41:29 2015 Info: Begin Logfile
Thu Mar 12 20:41:30 2015 Info: ISEService: Successfully loaded configuration from: /data/ise/ise_service.ini
Thu Mar 12 20:41:30 2015 Info: ISEService: RPC Server Socket :/tmp/ise_fastrpc.sock
Thu Mar 12 20:41:30 2015 Info: RPCServer: Starting at: /tmp/ise_fastrpc.sock
Thu Mar 12 20:41:30 2015 Info: ISEService: Running
Thu Mar 12 20:41:30 2015 Info: ISEDynamicConfigThread: Started Server..
Thu Mar 12 20:41:30 2015 Info: ISEService: Sending ready signal...
Thu Mar 12 20:41:31 2015 Info: ISEBulkDownloader: Downloaded 12 SGTs in 0.162157773972 seconds
Thu Mar 12 20:41:32 2015 Info: ISEBulkDownloader: Downloaded 0 sessions in 0.316617965698 seconds
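A parser for the access log and ise_service_log entries shown above, as an added example (not WSA or Cisco code) that turns the two log formats into the checks a practitioner actually runs: how each request was identified, which access policy handled it, and whether the bulk download from ISE returned any SGTs. The sample input is the guide's own four access log examples and nine ise_service_log lines, re-joined onto single lines. The assumed layout of the ACL decision tag (decision code, then access policy group, then identification profile) and the use of DefaultGroup as the default policy name are assumptions taken from those samples.

```python
"""Added example: parse WSA access-log and ise_service_log lines and flag
ISE-integration symptoms. Not WSA code. Sample lines are the ones shown in
this guide, re-joined onto single lines. The ACL tag field order (decision,
access policy, identification profile) is an assumption from those samples."""
import re
from collections import Counter

ACCESS_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+'
    r'(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<user>"[^"]*"|\S+)\s+(?P<hier>\S+)\s+'
    r'(?:(?P<ctype>[\w.+-]+/[\w.+-]+)\s+)?'          # content type is absent on denied requests
    r'(?P<acl>[A-Z][A-Z0-9_]*-\S+)\s+'
    r'<(?P<verdict>.*)>\s+-\s+(?P<idmethod>\S+)$')   # SSO_ISE / GUEST / NONE

ISE_LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<msg>.*)$')
BULK_RE = re.compile(r'ISEBulkDownloader: Downloaded (?P<n>\d+) (?P<what>SGTs|sessions)')


def parse_access_line(line):
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["user"] = d["user"].strip('"')
    parts = d["acl"].split("-")          # assumed: policy names contain no '-'
    d["decision"] = parts[0]
    d["access_policy"] = parts[1] if len(parts) > 1 else "-"
    d["id_profile"] = parts[2] if len(parts) > 2 else "-"
    d["blocked"] = d["result"] == "TCP_DENIED"
    return d


def access_findings(lines, default_policy="DefaultGroup"):
    """Count identification methods and flag the two cases worth a second look:
    ISE-identified users that only reached the default policy (session without
    an SGT, or an SGT no policy authorizes) and requests refused for lack of identity."""
    counts, notes = Counter(), []
    for rec in filter(None, map(parse_access_line, lines)):
        counts[rec["idmethod"]] += 1
        if rec["idmethod"] == "SSO_ISE" and rec["access_policy"] == default_policy:
            notes.append(f'{rec["client"]} {rec["user"]}: identified by ISE but handled by the '
                         'default policy; confirm with "isedata cache" that the session carries '
                         'an SGT that an access policy authorizes')
        if rec["idmethod"] == "NONE" and rec["blocked"]:
            notes.append(f'{rec["client"]}: not in the ISE cache and the profile fallback is Block')
    return counts, notes


def ise_log_findings(lines):
    """Return the bulk-download counts and flag an SGT download of zero, which means
    SGT-keyed access policies cannot match until the ISE side is repaired."""
    counts, notes = {}, []
    for line in lines:
        m = ISE_LOG_RE.match(line.strip())
        if not m:
            continue
        b = BULK_RE.search(m["msg"])
        if b:
            counts[b["what"]] = int(b["n"])
        if m["level"] != "Info":
            notes.append(m["msg"])
    if counts.get("SGTs") == 0:
        notes.append("0 SGTs downloaded: check the ISE Admin certificate and REST (ERS) access on ISE")
    return counts, notes


# Constructed sample input: the guide's examples, each re-joined onto one line.
ACCESS_SAMPLE = [
    '1424330486.386 320 10.19.75.75 TCP_MISS/200 68632 GET http://www.bing.com/ "user1" DIRECT/www.bing.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_srch,6.1,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"-","-","Bing","Search Engine","-","-",1715.80,0,-,"-","-",1,"-",-,-,"-","-"> - SSO_ISE',
    '1424331112.566 0 10.19.75.75 TCP_DENIED/403 0 GET http://www.bing.com/ "user1" NONE/- BLOCK_WEBCAT_12-BYODPolicy-DefaultGroup-NONE-NONE-NONE-NONE <IW_srch,6.1,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - SSO_ISE',
    '1424330523.414 155 172.29.177.25 TCP_MISS/200 68647 GET http://www.bing.com/ "(Unauthenticated)172.29.177.25" DIRECT/www.bing.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_srch,6.1,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"-","-","Bing","Search Engine","-","-",3543.07,0,-,"-","-",1,"-",-,-,"-",""> - GUEST',
    '1424331683.561 0 172.29.177.25 TCP_DENIED/403 0 GET http://www.bing.com/ - NONE/- OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - NONE',
]
ISE_SAMPLE = [
    "Thu Mar 12 20:41:29 2015 Info: Begin Logfile",
    "Thu Mar 12 20:41:30 2015 Info: ISEService: Successfully loaded configuration from: /data/ise/ise_service.ini",
    "Thu Mar 12 20:41:30 2015 Info: ISEService: Running",
    "Thu Mar 12 20:41:31 2015 Info: ISEBulkDownloader: Downloaded 12 SGTs in 0.162157773972 seconds",
    "Thu Mar 12 20:41:32 2015 Info: ISEBulkDownloader: Downloaded 0 sessions in 0.316617965698 seconds",
]


def demo():
    return access_findings(ACCESS_SAMPLE), ise_log_findings(ISE_SAMPLE)


if __name__ == "__main__":
    (counts, notes), (bulk, ise_notes) = demo()
    print(dict(counts), bulk)
    for n in notes + ise_notes:
        print("-", n)
```

Run against a real accesslogs export (one entry per line) the same functions give you, per identification method, how much traffic is actually being authorized through ISE, and the notes point at the exact sessions to compare with the output of isedata cache. A zero SGT count in ise_service_log is the first thing to look for when every ISE-identified user lands in the default policy.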
Troubleshoot ISE-WSA Integration Issues - ISE Server Connectivity
This section describes problems that you may encounter while integrating ISE with WSA.
• Network Problem: You may encounter connectivity issues with the configured ISE server ports. For example, a firewall may block port 5222 (the pxGrid XMPP channel). You can debug the network problem by using the telnet and tcpdump commands.
• Certificate Problems:
◦CA-signed certificates. You may encounter an issue if:
- The root CA of the ISE Admin or pxGrid certificate is not present in the WSA.
- The root CA that signed the WSA client certificate is not present in the ISE Trusted Certificates store.
◦Self-signed certificates. You may encounter an issue if:
- The WSA client certificate is not present in the ISE Trusted Certificates store.
- The ISE Admin or pxGrid certificate is not present in the WSA.
◦All certificates. You may encounter an issue if:
- Certificates that were valid at the time of upload have since expired.
• Identity Mapping Query Problems: You may encounter a problem in:
◦Downloading SGTs from the ISE server, despite the successful SSL handshake on port 443. You should debug the problem on the ISE server.
◦WSA denying access to a user who is authenticated by ISE. Use the isedata cache and isedata statistics commands.
• Packet Capture: You can capture and display TCP/IP and other packets being transmitted or received over the network to which the appliance is attached. Refer to the Packet Capture page in the WSA User Guide.
• Policy Trace: Refer to the Tracing Client Requests page in the WSA User Guide.
Overview of SMA in Relation to ISE-WSA Integration
Cisco Content Security Management Appliance (SMA) is a unified management platform that manages web security, performs troubleshooting, and retains report data for months or even years. It is a centralized system used to collectively manage and report on the WSAs that are deployed in a network. For example, if there are five WSAs in your deployment, the report displayed on the SMA is a consolidated one of all the WSAs. You cannot view the reports on a WSA after assigning it to the SMA. A feature is supported on the SMA only when it is supported on the associated WSA.
The SMA records whether each WSA is configured with ISE or not. If it is, the SMA also holds information about the SGTs, and you can use those SGTs to create WSA policies on the SMA. The SMA refreshes the ISE-related information periodically, approximately every 5 minutes. You can create a standard configuration and publish it to all the WSAs present in a deployment. The SMA graphical user interface (GUI) resembles that of the WSA, except for a few features that are unique to the SMA.
In the SMA, choose Web > Utilities > Web Appliance Status and click the required WSA to find out whether ISE is enabled.
© 2015
Cisco Systems, Inc. All rights reserved.