ISE Integration with Secure Firewall
Objective
In this lesson you will integrate Cisco ISE with Cisco Secure Firewall (managed by FMC) so that Security Group Tags (SGTs) and context information (via pxGrid) are shared and enforced by the firewall. This enables identity- and device-aware firewall policies — a core Zero Trust capability. In production, this integration is used to apply user/device-based segmentation across campus and data center firewalls, allowing adaptive access controls and faster incident response.
Quick Recap
Reference the lab topology from Lesson 1. No topology changes are required except adding the management IPs for ISE and FMC used in this lesson.
ASCII Topology (management plane)
[ISE] lab-ise.lab.nhprep.com 10.10.10.10
mgmt0/0: 10.10.10.10/24
[FMC] lab-fmc.lab.nhprep.com 10.10.10.20
mgmt0/0: 10.10.10.20/24
[FTD] lab-ftd.lab.nhprep.com 10.10.10.30
mgmt0/0: 10.10.10.30/24
(Management network) 10.10.10.0/24
Device Table
| Device | Hostname | Management IP | Role |
|---|---|---|---|
| ISE | lab-ise.lab.nhprep.com | 10.10.10.10 | Identity Services Engine (pxGrid provider) |
| FMC | lab-fmc.lab.nhprep.com | 10.10.10.20 | Firepower Management Center (policy manager) |
| FTD | lab-ftd.lab.nhprep.com | 10.10.10.30 | Secure Firewall (enforcement) |
Important: Use the domain lab.nhprep.com and the password Lab@123 wherever the examples need credentials. These are lab values only; never reuse a lab password on a production ISE, FMC or pxGrid account.
Key Concepts (theory + practical implications)
- Security Group Tag (SGT) — An SGT is a 16-bit identity label that ISE assigns to a user or device session. Think of it as a role-based "color" that travels with the session. The firewall enforces policy on the tag rather than on the address (e.g., "Contractors (SGT 50) cannot reach App servers (SGT 200)").
- Protocol behavior: ISE selects the SGT in the authorization profile that matches the session (802.1X, MAB or web authentication) and publishes the resulting IP-to-SGT binding over pxGrid (and optionally SXP) to interested consumers. The SGT names and numbers themselves are defined centrally in ISE's TrustSec components.
- pxGrid (Platform Exchange Grid) — pxGrid is a publish/subscribe fabric for contextual data (sessions, endpoint profile and posture, SGT names, IP-to-SGT bindings). pxGrid 2.0 runs over TLS, with REST for control calls and WebSocket for pub/sub; a client authenticates with a client certificate or with an ISE-generated account password, and a new client stays in Pending until an ISE admin approves it.
- Message flow: After the TLS session is up, the client creates and activates its account, looks up the services it needs (for example the session directory), obtains a per-peer access secret, and then either subscribes to the service's topic or queries bindings for a given IP or username.
- FMC as pxGrid consumer and policy orchestrator — FMC (Secure Firewall Management Center) registers with ISE, downloads the SGT names so they can be referenced in access control rules, and passes the user and SGT-to-IP bindings it learns to the managed FTDs. FTD matches traffic on the source and destination SGT resolved from those bindings (or from an inline tag when the packet carries one).
- Real-world: This decouples identity from the network device — firewalls can make SGT-based decisions without performing authentication themselves.
- Certificates and trust — pxGrid requires mutual trust: FMC must trust the CA that issued ISE's pxGrid and MnT certificates, and ISE must trust the CA that issued the FMC server certificate. If either TLS validation fails, pxGrid registration does not succeed and no SGT context is shared.
- Practical implication: Always verify the Subject Alternative Name (when a SAN is present, most TLS stacks ignore the Common Name), the validity period, and that both systems agree on the current time.
- Operational note — In production, pxGrid traffic and FMC-to-FTD communication should be on a management network with ACLs restricting access to authorized hosts only. Monitor pxGrid health (connection state and binding freshness): a silently disconnected client means the firewall keeps enforcing on stale bindings or loses SGT context entirely.
Step-by-step configuration
Step 1: Prepare DNS and Certificates
What we are doing: Ensure DNS resolves every node's FQDN and install certificates that both sides trust, so the TLS handshakes between ISE and FMC succeed. pxGrid is certificate-authenticated, so a name or trust mismatch made here shows up later as a failed registration.
! On the ISE appliance (ADE-OS CLI): hostname is the short name; ip domain-name completes the FQDN
configure terminal
hostname lab-ise
ip domain-name lab.nhprep.com
ip name-server 10.10.10.1
exit
! On the FMC, hostname and DNS are normally set in the GUI (System > Configuration > Management Interfaces).
! The lines below are an illustrative CLI equivalent for the lab, not FMC commands.
configure terminal
hostname lab-fmc.lab.nhprep.com
ip domain-name lab.nhprep.com
ip name-server 10.10.10.1
exit
! Certificates are uploaded in each product's GUI (ISE: Administration > System > Certificates;
! FMC: the pxGrid and MnT CA certificates are attached to the ISE identity source created in Step 3).
! The command below is a placeholder showing a certificate store listing, not an ISE or FMC command:
show crypto pki certificates
What just happened: Hostnames and domains are now consistent, so the FQDN each node presents in its certificate is the same name its peer resolves through DNS. The certificate listing shows whether a usable certificate is installed, which CA issued it, and whether it is within its validity period.
Real-world note: Use a private PKI or a public CA. Self-signed certificates work in a lab but force you to import each node's leaf certificate into every peer and to repeat that at every rotation.
Verify:
! Verify DNS and hostnames on ISE (show running-config is a real ISE command; the host listing below is illustrative)
show running-config | include hostname|domain-name
hostname lab-ise
ip domain-name lab.nhprep.com
show hosts
10.10.10.20 lab-fmc.lab.nhprep.com
10.10.10.30 lab-ftd.lab.nhprep.com
! Verify certificates (example output)
show crypto pki certificates
Certificate:
Status: Available
Serial Number: 0A:1B:2C:3D
Issuer: CN=lab-ca.lab.nhprep.com
Subject: CN=lab-ise.lab.nhprep.com, SAN=lab-ise.lab.nhprep.com
Validity: 2025-01-01 to 2026-01-01
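Added lab helper (not a Cisco product command and not part of the original lesson): the name, validity and trust checks from the practical implication above, run against a certificate summary in the same shape as the output just shown. The sample certificate (with a second SAN entry added), the trusted-issuer set and the 5-minute clock-skew tolerance are constructed assumptions.

```python
# Added lab helper, not a Cisco product command: parse the certificate summary
# shown above and check the three things that break pxGrid TLS in practice
# (name match, validity window, issuer trust). All inputs are constructed.
import re
from datetime import datetime, timedelta

# Constructed sample in the same shape as the verify output above, with a
# second SAN entry added to show that SAN is a list.
SAMPLE_CERT = """Certificate:
Status: Available
Serial Number: 0A:1B:2C:3D
Issuer: CN=lab-ca.lab.nhprep.com
Subject: CN=lab-ise.lab.nhprep.com, SAN=lab-ise.lab.nhprep.com,pxgrid.lab.nhprep.com
Validity: 2025-01-01 to 2026-01-01
"""


def parse_cert_summary(text):
    """Turn 'Key: value' lines into a dict; Subject is split into CN and a SAN list."""
    cert = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Subject":
            for part in value.split(", "):
                k, v = part.split("=", 1)
                if k == "SAN":
                    cert["SAN"] = [n.strip() for n in v.split(",")]
                elif k == "CN":
                    cert["CN"] = v
        elif key == "Validity":
            start, end = value.split(" to ")
            cert["not_before"] = datetime.strptime(start, "%Y-%m-%d")
            cert["not_after"] = datetime.strptime(end, "%Y-%m-%d")
        else:
            cert[key] = value
    return cert


def name_matches(pattern, fqdn):
    """RFC 6125-style host match: exact, or a single wildcard in the leftmost label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        return fqdn.count(".") == pattern.count(".") and fqdn.endswith(pattern[1:])
    return pattern == fqdn


def check_cert(cert, expected_fqdn, trusted_issuers, now_ymd, skew_minutes=5):
    """Return the list of problems (empty list means the cert is usable for pxGrid).

    now_ymd is the checking system's date as 'YYYY-MM-DD'; skew_minutes is the
    clock drift tolerated before blaming NTP rather than the certificate."""
    now = datetime.strptime(now_ymd, "%Y-%m-%d")
    skew = timedelta(minutes=skew_minutes)
    problems = []
    # Modern TLS stacks match the SAN and ignore the CN when a SAN is present;
    # fall back to the CN only for legacy certificates without one.
    names = cert.get("SAN") or ([cert["CN"]] if "CN" in cert else [])
    if not any(name_matches(n, expected_fqdn) for n in names):
        problems.append(f"no SAN/CN matches {expected_fqdn}")
    if cert.get("Issuer") not in trusted_issuers:
        problems.append(f"issuer {cert.get('Issuer')} not in trust store")
    if now + skew < cert["not_before"]:
        problems.append("certificate not yet valid (check NTP)")
    if now - skew > cert["not_after"]:
        problems.append("certificate expired")
    return problems


if __name__ == "__main__":
    cert = parse_cert_summary(SAMPLE_CERT)
    trust = {"CN=lab-ca.lab.nhprep.com"}   # constructed trust store (issuer DNs)
    for fqdn in ("lab-ise.lab.nhprep.com", "lab-fmc.lab.nhprep.com"):
        print(fqdn, check_cert(cert, fqdn, trust, "2025-06-01") or "OK")
```

Run it with the FQDN that FMC actually uses to reach ISE (the name in the pxGrid configuration, not just the one in DNS); the FMC example above fails on purpose to show what a name mismatch looks like before you see it as a TLS error in the registration log.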
Step 2: Enable pxGrid on ISE and create a pxGrid client for FMC
What we are doing: Turn on pxGrid services on ISE and create the FMC as an authorized pxGrid client (allow FMC to read identity context). This is necessary so FMC can subscribe to SGT mappings and user context.
! Illustrative pseudo-CLI for lab guidance only. pxGrid is enabled and clients are managed in the ISE GUI:
!   Administration > System > Deployment > (node) > enable the pxGrid persona
!   Administration > pxGrid Services > Client Management (approve, or pre-create, client accounts)
ise/admin# application configure ise
ise/admin# application name pxgrid enable
ise/admin# pxgrid client create name lab-fmc.lab.nhprep.com type "FMC" password Lab@123
ise/admin# pxgrid client show
What just happened: The pxGrid service was activated on ISE. A pxGrid client entry for the FMC was created with credentials so FMC can authenticate. The pxGrid client listing confirms FMC is registered in ISE's pxGrid client database.
Real-world note: A new pxGrid client stays in Pending until an ISE admin approves it, unless "Automatically approve new certificate-based accounts" is enabled under Administration > pxGrid Services > Settings. Leave auto-approval off where you can, and log client creation and approval events for auditability, since an approved client can read every session in the directory.
Verify:
! Show pxGrid status and client list
show ise pxgrid status
pxGrid Service: Enabled
pxGrid Version: 2.0
Active Nodes: 1
show ise pxgrid clients
Client Name: lab-fmc.lab.nhprep.com
Client Type: FMC
Registration Time: 2025-03-01 08:00:00
Status: Enabled
Step 3: Configure FMC to use ISE pxGrid (register FMC as pxGrid consumer)
What we are doing: Configure FMC to connect to ISE's pxGrid endpoint using the credentials/certificates created on ISE. This allows FMC to query identity to SGT mappings and receive context events.
! Illustrative pseudo-CLI. In the FMC GUI this is Integration > Other Integrations > Identity Sources > Identity Services Engine
! (System > Integration > Identity Sources on older releases), which needs the ISE host, the pxGrid server CA,
! the MnT server CA and the FMC server certificate that ISE will authenticate.
configure manager registration
set pxgrid server 10.10.10.10
set pxgrid username lab-fmc
set pxgrid password Lab@123
set pxgrid cafile /etc/pki/ca-trust/source/anchors/lab-ca.crt
commit
exit
! Display pxGrid registration status
show managers pxgrid status
What just happened: FMC was pointed at the ISE pxGrid endpoint (10.10.10.10) and given credentials to authenticate. The CA certificate was added so FMC trusts ISE's TLS certificate. The show command reports current pxGrid registration state.
Real-world note: In most deployments this step is performed in the FMC GUI (Integration > Other Integrations > Identity Sources, type Identity Services Engine). Because pxGrid authentication is mutual, ISE must also trust the CA that issued the FMC server certificate. Ensure time is synchronized (NTP) on ISE, FMC and FTD to prevent TLS validation failures.
Verify:
! Expected output showing FMC registered to ISE pxGrid
show managers pxgrid status
pxGrid Registration Status: Registered
pxGrid Server: 10.10.10.10
Client Name: lab-fmc.lab.nhprep.com
Last Registration Attempt: 2025-03-01 08:05:12
Last Registration Result: Success
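Added example (not Cisco code and not how FMC is implemented): the pxGrid 2.0 control exchange a consumer goes through in Steps 2 and 3, run against an in-memory stand-in for ISE so it works offline. The endpoint paths and JSON field names follow the public pxGrid 2.0 REST control API (TCP 8910, HTTP Basic authentication with the node name and ISE-generated password over mutual TLS); treat them as assumptions to confirm against your ISE release. FakeIse, PxGridConsumer and the service properties the stand-in returns are constructed for the lab.

```python
# Added example, not Cisco code and not the FMC's implementation: the pxGrid 2.0
# control exchange a consumer performs to register with ISE, driven against an
# in-memory stand-in for ISE so it runs offline. Endpoint paths and JSON field
# names follow the public pxGrid 2.0 REST control API (TCP 8910, HTTP Basic
# auth with nodeName:password over TLS); treat them as assumptions to verify
# against your ISE release. The approval model (account stays PENDING until an
# admin approves the client) is the one the lesson describes.
import base64

SESSION_SERVICE = "com.cisco.ise.session"   # ISE session directory service name


def basic_auth_header(user, password):
    """Authorization header a real HTTP client would send on the control calls."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


class FakeIse:
    """Minimal stand-in for ISE's pxGrid controller. Constructed for the lab."""

    def __init__(self):
        self.accounts = {}   # nodeName -> {"password": ..., "state": ...}

    def approve(self, node_name):
        # What the admin does in ISE: Administration > pxGrid Services > Client Management
        self.accounts[node_name]["state"] = "ENABLED"

    def handle(self, path, auth, body):
        """Return (http_status, json_reply) for one control request."""
        if path == "/pxgrid/control/AccountCreate":
            node = body["nodeName"]
            password = "pw-" + node   # constructed; real ISE returns a random password
            self.accounts[node] = {"password": password, "state": "PENDING"}
            return 200, {"nodeName": node, "userName": node, "password": password}
        user, password = auth or (None, None)
        acct = self.accounts.get(user)
        if acct is None or acct["password"] != password:
            return 401, {}
        if path == "/pxgrid/control/AccountActivate":
            return 200, {"accountState": acct["state"], "version": "2.0.0.13"}
        if acct["state"] != "ENABLED":
            return 403, {}   # not yet approved: no service lookup, no secrets
        if path == "/pxgrid/control/ServiceLookup" and body.get("name") == SESSION_SERVICE:
            return 200, {"services": [{
                "name": SESSION_SERVICE,
                "nodeName": "ise-pubsub-lab-ise",
                "properties": {
                    "restBaseUrl": "https://lab-ise.lab.nhprep.com:8910/pxgrid/mnt/sd",
                    "wsPubsubService": "com.cisco.ise.pubsub",
                    "sessionTopic": "/topic/com.cisco.ise.session"}}]}
        if path == "/pxgrid/control/AccessSecret":
            return 200, {"secret": "secret-for-" + body["peerNodeName"]}
        return 404, {}


class PxGridConsumer:
    """Consumer side (what FMC does under the hood). post(path, auth, body) is
    injected so the same flow can drive a real HTTPS client with mutual TLS."""

    def __init__(self, node_name, post):
        self.node_name, self.post, self.password = node_name, post, None

    def _call(self, path, body, authenticated=True):
        auth = (self.node_name, self.password) if authenticated else None
        status, reply = self.post(path, auth, body)
        if status != 200:
            raise RuntimeError(f"{path} failed with HTTP {status}")
        return reply

    def create_account(self):
        reply = self._call("/pxgrid/control/AccountCreate",
                           {"nodeName": self.node_name}, authenticated=False)
        self.password = reply["password"]   # store securely in a real client

    def activate(self):
        """Returns PENDING until an ISE admin approves the client, then ENABLED."""
        return self._call("/pxgrid/control/AccountActivate",
                          {"description": "Secure Firewall Management Center"})["accountState"]

    def session_directory(self):
        """Locate the session directory and fetch the per-peer secret used to query it."""
        svc = self._call("/pxgrid/control/ServiceLookup", {"name": SESSION_SERVICE})["services"][0]
        secret = self._call("/pxgrid/control/AccessSecret",
                            {"peerNodeName": svc["nodeName"]})["secret"]
        return svc["properties"]["restBaseUrl"], secret


def register_fmc(ise, node_name="lab-fmc.lab.nhprep.com"):
    """Run the whole exchange; returns the states seen before/after admin approval."""
    fmc = PxGridConsumer(node_name, ise.handle)
    fmc.create_account()
    before = fmc.activate()
    ise.approve(node_name)          # the manual approval step from Step 2
    after = fmc.activate()
    return before, after, fmc.session_directory()


if __name__ == "__main__":
    print(register_fmc(FakeIse()))
```

The point to notice is the 403 on ServiceLookup while the account is still Pending: that is exactly the "registered but no context arrives" state you see when the client was created on ISE but nobody approved it.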
Step 4: Configure SGT mappings on ISE (users/devices → SGT)
What we are doing: Create authorization profiles or policy sets in ISE that assign SGTs to authenticated subjects (for example, Employees → SGT 10, Contractors → SGT 50). This is how identity is converted into an enforcement label.
! Illustrative pseudo-CLI. In the ISE GUI, SGTs are defined under Work Centers > TrustSec > Components > Security Groups,
! selected in the Security Group field of an authorization profile (Policy > Policy Elements > Results > Authorization >
! Authorization Profiles), and applied by authorization rules under Policy > Policy Sets.
ise/admin# policy authorization-profile create name "Employees_SGT10"
ise/admin# authorization-profile set sgtnumber 10
ise/admin# policy authorization-profile create name "Contractors_SGT50"
ise/admin# authorization-profile set sgtnumber 50
! Assign profiles to policy conditions (example)
ise/admin# policy create rule name "802.1X-Employees"
ise/admin# policy match condition group membership "Employees"
ise/admin# policy then apply-profile "Employees_SGT10"
! Show SGT mappings
show policy authorization-profiles
What just happened: Two authorization profiles were created that contain SGT assignments. Authentication/authorization policy rules were associated so that when an endpoint authenticates and matches the condition (e.g., group membership), the corresponding SGT is applied. ISE will now publish these mappings via pxGrid.
Real-world note: Use clear naming conventions and document SGT-to-role mappings; accidental SGT assignment can result in broad access or unintended blockages.
Verify:
! Verify authorization profiles and SGTs
show policy authorization-profiles
Authorization Profile: Employees_SGT10
SGT: 10
Description: Employee access SGT
Authorization Profile: Contractors_SGT50
SGT: 50
Description: Contractor limited access
! Verify active SGT assignments (live sessions). ISE shows these under Operations > RADIUS > Live Sessions;
! the command below is the access-switch view of the same session, shown with illustrative output
show authentication sessions
Session ID: 12345
Username: alice
Endpoint IP: 10.1.100.10
AuthZ Profile: Employees_SGT10
Assigned SGT: 10
Step 5: Map SGTs in FMC and create SGT-based access policy, deploy to FTD
What we are doing: In FMC, import or map the SGT numbers to named objects and use them in access control rules. Then deploy the policy to the managed FTD so identity-based enforcement becomes active.
! Illustrative pseudo-CLI. In the FMC GUI the SGT names downloaded from ISE appear in the access control rule editor
! (SGT/ISE Attributes tab; Dynamic Attributes in newer releases), and the policy is pushed from Deploy > Deployment.
configure access-control sgt mapping add name "Employees" id 10
configure access-control sgt mapping add name "Contractors" id 50
! Create an access control rule that allows Employees to access App servers (SGT 200)
configure access-control rule add name "Allow_Employees_App" source-sgt Employees destination-sgt AppServers action allow
! Deploy policy to FTD
deploy policy to device lab-ftd.lab.nhprep.com
exit
! Show policy deployment and SGT mapping
show access-control sgt mappings
show access-control rules | include Allow_Employees_App
What just happened: The FMC now recognizes SGT IDs with human-friendly names and contains an access control rule leveraging SGTs. Deploying pushes the policy to FTD which will enforce traffic based on SGT tags received from ISE (via FMC mapping and distribution).
Real-world note: Policy should be staged and monitored (use logging/alerts) before broad deployment to avoid accidental access blocks.
Verify:
! Expected FMC output
show access-control sgt mappings
SGT Name: Employees SGT ID: 10
SGT Name: Contractors SGT ID: 50
SGT Name: AppServers SGT ID: 200
show access-control rules | include Allow_Employees_App
Rule Name: Allow_Employees_App
Source SGT: Employees
Destination SGT: AppServers
Action: Allow
Status: Deployed to device lab-ftd.lab.nhprep.com
! Verify on FTD that IP-to-SGT bindings were received and the rule is being hit
! (illustrative output; the real FTD CLI reports bindings and connection events in its own format)
show sgt associations
IP Address: 10.1.100.10 SGT: 10 Last Seen: 2025-03-01 08:20:05
show access-control policy hit-counts
Rule: Allow_Employees_App Hits: 42
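Added model (not FTD code and not part of the original lesson) of the enforcement described in Steps 4 and 5: bindings learned from pxGrid resolve each IP to an SGT name, rules are walked in order with first match winning, and unmatched flows fall to a default block. It also reproduces two failure modes listed under Common Mistakes: a stale binding silently un-tags a host, and a broad rule placed first shadows a later specific rule. All rules, bindings, addresses and the 30-minute staleness limit are constructed assumptions.

```python
# Added example, not FTD code: a minimal model of how an SGT-aware firewall
# resolves a flow. The IP-to-SGT table is what pxGrid feeds the firewall; rules
# are walked in order, first match wins, and anything unmatched is blocked.
# Rules, bindings and flows are constructed lab data; the 30-minute staleness
# limit is an assumption for the model, not an FTD setting.
from dataclasses import dataclass, field

SGT_NAMES = {10: "Employees", 50: "Contractors", 200: "AppServers"}
DEFAULT_TTL = 1800   # seconds a binding stays usable without a refresh from ISE


@dataclass
class Rule:
    name: str
    src_sgt: set = field(default_factory=set)   # SGT names; empty set = any
    dst_sgt: set = field(default_factory=set)
    action: str = "block"                        # "allow" or "block"


class SgtFirewall:
    def __init__(self, rules, ttl=DEFAULT_TTL):
        self.rules, self.ttl = list(rules), ttl
        self.ip_sgt = {}                              # ip -> (sgt, last_seen)
        self.hits = {r.name: 0 for r in self.rules}

    def learn(self, ip, sgt, seen_at):
        """Binding published by ISE over pxGrid (session start or refresh)."""
        self.ip_sgt[ip] = (sgt, seen_at)

    def sgt_of(self, ip, now):
        """Resolve an IP to an SGT name, or None when unknown or stale."""
        entry = self.ip_sgt.get(ip)
        if entry is None or now - entry[1] > self.ttl:
            return None
        return SGT_NAMES.get(entry[0], f"SGT-{entry[0]}")

    def evaluate(self, src_ip, dst_ip, now):
        """Return (action, rule_name) for a flow; the implicit last rule is block."""
        src, dst = self.sgt_of(src_ip, now), self.sgt_of(dst_ip, now)
        for rule in self.rules:
            if (not rule.src_sgt or src in rule.src_sgt) and \
               (not rule.dst_sgt or dst in rule.dst_sgt):
                self.hits[rule.name] += 1
                return rule.action, rule.name
        return "block", "default"


def shadowed_rules(rules):
    """Rules that can never match because an earlier, broader rule always wins.
    This is the policy-order mistake listed under Common Mistakes."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            src_covered = not earlier.src_sgt or (later.src_sgt and later.src_sgt <= earlier.src_sgt)
            dst_covered = not earlier.dst_sgt or (later.dst_sgt and later.dst_sgt <= earlier.dst_sgt)
            if src_covered and dst_covered:
                found.append((later.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    fw = SgtFirewall([Rule("Block_Contractors_App", {"Contractors"}, {"AppServers"}, "block"),
                      Rule("Allow_Employees_App", {"Employees"}, {"AppServers"}, "allow")])
    fw.learn("10.1.100.10", 10, seen_at=1000)    # alice, Employees
    fw.learn("10.1.100.20", 50, seen_at=1000)    # contractor
    fw.learn("10.2.0.5", 200, seen_at=1000)      # app server
    print(fw.evaluate("10.1.100.10", "10.2.0.5", now=1100))   # allowed by Allow_Employees_App
    print(fw.evaluate("10.1.100.20", "10.2.0.5", now=1100))   # blocked by Block_Contractors_App
    print(fw.evaluate("10.1.100.10", "10.2.0.5", now=3000))   # binding stale: default block
    print(shadowed_rules([Rule("Allow_Any_App", set(), {"AppServers"}, "allow"),
                          Rule("Block_Contractors_App", {"Contractors"}, {"AppServers"}, "block")]))
```

The stale-binding case is why "Deployed" on FMC is not the same as "enforced" on FTD: the rule is present, but once the host's binding ages out the flow no longer carries the Employees tag and lands on the default rule, so check the binding table before the policy when hits stop incrementing.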
Verification Checklist
- Check 1: pxGrid registration success — verify on FMC with `show managers pxgrid status` and on ISE with `show ise pxgrid clients`. Expect "Registered" and the client listed.
- Check 2: ISE is assigning SGTs — verify on ISE with `show authentication sessions` and confirm sessions list Assigned SGT entries.
- Check 3: FMC has SGT mappings and deployed policy — verify `show access-control sgt mappings` and `show access-control rules` show SGT names/IDs and the rule is Deployed.
- Check 4: FTD enforces SGT-based rules — verify on FTD with `show sgt associations` and `show access-control policy hit-counts` that traffic is being allowed/blocked per rules.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| pxGrid registration fails with TLS errors | FMC does not trust the CA that issued ISE's pxGrid/MnT certificates, the ISE certificate SAN does not match the FQDN FMC connects to, ISE does not trust the FMC server certificate, or clocks differ | Import the right CA certificates into FMC, check the ISE certificate SAN against the configured FQDN, make sure ISE trusts the CA that issued the FMC certificate, and confirm DNS and NTP on both sides |
| No SGTs appear on the firewall | ISE authorization profile not assigning an SGT, pxGrid client still Pending in ISE, or FMC not subscribed to the session directory | Verify the authorization profile's Security Group value, approve the client under ISE pxGrid Client Management, and check the FMC pxGrid connection state |
| Policy deploy shows "Deployed" but traffic not enforced | FTD did not receive the IP-to-SGT binding, the binding aged out, or the endpoint re-authenticated and received a different SGT | Check the FTD binding table for the endpoint IP, confirm time sync (NTP) and management network connectivity, and compare the SGT in ISE Live Sessions with what FTD holds |
| Users can access resources they should not | SGTs mapped incorrectly, or an earlier, broader rule matches first and shadows the intended rule | Audit SGT-to-role mapping and rule order (specific rules above broad ones); test with a monitor/logging rule before switching to enforcement |
Key Takeaways
- pxGrid provides the real-time contextual fabric — FMC subscribes as a pxGrid client to receive SGT and identity context from ISE.
- SGTs decouple identity from network topology — you apply policy to SGTs rather than IP addresses, enabling flexible segmentation.
- Certificates, DNS, and time synchronization are common failure points for pxGrid/TLS; verify CA trust and NTP before troubleshooting higher-level issues.
- In production, validate policies incrementally: map SGTs, create logging rules, monitor hits, then switch to enforcement to avoid accidental outages.
Tip: Think of ISE as the “identity labeler” and FMC/FTD as the “policy enforcer.” pxGrid is the secure messenger between them. This separation of responsibilities is what makes scalable Zero Trust enforcement possible across many firewalls and sites.