ISE pxGrid Integration
Introduction
As networks grow more complex, the ability to share security context between platforms becomes essential. Cisco Identity Services Engine (ISE) does not operate in isolation — it collects a wealth of information about users, endpoints, and sessions that other systems such as firewalls, SIEM platforms, and Software-Defined Access (SDA) controllers need in order to make intelligent policy decisions. The technology that makes this real-time context sharing possible is pxGrid (Platform Exchange Grid).
In this lesson, we will explore how pxGrid works within ISE, how it fits into the broader ISE distributed architecture, and how it enables integration with partner ecosystem tools. By the end of this lesson, you will understand the pxGrid persona and its role in ISE deployments, the publish-subscribe communication model pxGrid uses, the types of context data shared through pxGrid, and how pxGrid ties into segmentation through Security Group Tags (SGTs) and Adaptive Network Control (ANC).
Key Concepts
What Is pxGrid?
pxGrid is a websocket-based API framework built into ISE that allows multiple security products to share context in real time. Unlike traditional REST APIs where a client sends a request and waits for a response, pxGrid uses a publisher/subscriber model over persistent websocket connections. Once a subscriber connects and registers interest in a topic, it receives updates automatically whenever new data is published.
The key differences between the two API types available in ISE are summarized below:
| Feature | OpenAPI / ERS API | pxGrid (Websocket API) |
|---|---|---|
| Connection type | Individual request-response | Persistent websocket connection |
| URL scheme | https:// | wss:// |
| Operations | GET, POST, PUT, DELETE on data | Monitor live activity, share context |
| Use case | Querying or modifying configuration data | Real-time context sharing with third parties |
| Introduced | ERS legacy; OpenAPI from ISE 3.1+ | Available across ISE versions with pxGrid persona |
pxGrid Topics and Exchange Data
pxGrid organizes shared data into topics. Subscribers register for the topics they need, and ISE publishes updates as events occur. The primary exchange topics include:
- TrustSec Metadata — SGT names and their numeric identifiers (e.g., Employee = SGT-10, Contractor = SGT-20)
- Session Directory — Active session details such as a user identity, device type, connected SSID, and endpoint attributes (e.g., "Bob with Win10 on CorpSSID")
- SGT-to-IP Mapping — Bindings between IP addresses and their assigned SGTs, enabling downstream enforcement
Adaptive Network Control (ANC)
Adaptive Network Control is a remediation framework within ISE that can be triggered through pxGrid. Partner ecosystem tools — such as SIEM, MDM, network behavior analytics (NBA), IPS, and IPAM solutions — can consume context from ISE and, when a threat is detected, send a remediation action back through pxGrid using ANC. This allows an external system to quarantine or restrict an endpoint without requiring manual administrator intervention.
The flow works as follows: ISE publishes session and context data to pxGrid subscribers. A partner tool (for example, a SIEM) detects anomalous behavior. The SIEM sends an ANC action back to ISE via pxGrid. ISE then applies the remediation policy to the endpoint on the network.
Key Point: ANC is configured under the ISE administration interface. It enables automated, closed-loop threat response across the partner ecosystem without requiring direct access to network devices.
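The following is an added example, not code from Cisco or from this lesson: an offline model of a pxGrid subscriber that consumes Session Directory events, derives the SGT-to-IP bindings from TrustSec metadata, and builds the ANC request a partner tool (a SIEM, say) would send back to ISE to quarantine an endpoint. The service name, operation name, and event field names are assumptions in the style of pxGrid 2.0 and must be checked against your ISE release; all events and SGT values are constructed sample data.

```python
import json
from dataclasses import dataclass, field

ANC_SERVICE = "com.cisco.ise.config.anc"  # assumed pxGrid service name; verify on your ISE release
SGT_METADATA = {"Employee": 10, "Contractor": 20, "Quarantine": 255}  # constructed TrustSec metadata

@dataclass
class SubscriberState:
    sessions: dict = field(default_factory=dict)   # MAC -> latest session record
    sgt_to_ip: dict = field(default_factory=dict)  # IP -> SGT number (None if unknown)

def handle_session_event(state, raw_event):
    """Apply one Session Directory message (JSON text) to the subscriber's local state."""
    for s in json.loads(raw_event)["sessions"]:
        mac, ip = s["macAddress"].upper(), s["ipAddresses"][0]
        if s["state"] == "DISCONNECTED":          # session ended: forget the binding
            state.sessions.pop(mac, None)
            state.sgt_to_ip.pop(ip, None)
            continue
        state.sessions[mac] = s                   # STARTED/UPDATED replaces the record
        state.sgt_to_ip[ip] = SGT_METADATA.get(s.get("ctsSecurityGroup"))
    return state

def build_anc_request(state, ip, policy="QUARANTINE"):
    """ANC apply-policy request a partner tool would send back to ISE for the endpoint
    at `ip`; None if no active session is known (nothing to remediate)."""
    for mac, s in state.sessions.items():
        if ip in s["ipAddresses"]:
            return {"service": ANC_SERVICE, "operation": "applyEndpointByMacAddress",
                    "body": {"macAddress": mac, "policyName": policy}}
    return None

# Constructed sample events in the shape a Session Directory subscriber receives.
SAMPLE_EVENTS = [
    json.dumps({"sessions": [{"macAddress": "00:11:22:33:44:55", "ipAddresses": ["10.1.1.50"],
        "userName": "bob", "state": "STARTED", "ssid": "CorpSSID",
        "endpointProfile": "Windows10-Workstation", "ctsSecurityGroup": "Employee"}]}),
    json.dumps({"sessions": [{"macAddress": "aa:bb:cc:dd:ee:ff", "ipAddresses": ["10.1.1.77"],
        "userName": "contractor1", "state": "STARTED", "ctsSecurityGroup": "Contractor"}]}),
    json.dumps({"sessions": [{"macAddress": "aa:bb:cc:dd:ee:ff", "ipAddresses": ["10.1.1.77"],
        "state": "DISCONNECTED"}]}),
]

def run_demo():
    """Replay the events, then build the request a SIEM would send to quarantine bob's PC."""
    state = SubscriberState()
    for raw in SAMPLE_EVENTS:
        handle_session_event(state, raw)
    return state, build_anc_request(state, "10.1.1.50")
```

Note that the disconnected contractor session leaves no binding behind, so a request to remediate 10.1.1.77 returns None rather than targeting a stale MAC; a real subscriber must apply the same bookkeeping before acting on an IP observed by the SIEM.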
How It Works
The pxGrid Persona in ISE Architecture
ISE uses a persona-based architecture where each node in a distributed deployment can take on one or more roles. The pxGrid Controller is one of these personas:
| Persona | Maximum per Deployment | Role |
|---|---|---|
| Policy Administration Node (PAN) | 2 | Central policy configuration and database replication |
| Policy Services Node (PSN) | 50 | Handles RADIUS authentication, authorization, profiling |
| Monitoring & Troubleshooting (MnT) | 2 | Collects logs, audit data, and reporting |
| pxGrid Controller | 4 | Manages context-sharing bus for all pxGrid clients |
A standalone ISE node runs all personas on a single appliance, which is suitable only for lab environments supporting up to 100 endpoints. In production, these personas are distributed. A typical medium multi-node deployment would use 2 nodes running PAN, MnT, and pxGrid personas, plus up to 6 dedicated PSNs. A large deployment separates all personas: 2 PANs, 2 MnTs, up to 4 pxGrid Controllers, and up to 50 PSNs.
pxGrid and the Profiling Pipeline
When the pxGrid persona is enabled alongside the pxGrid probe on a PSN, ISE gains additional profiling capabilities. Specifically, the IoTAsset attribute fields are added to endpoint records, enriching endpoint classification data. This is particularly valuable in environments with IoT devices that do not authenticate via 802.1X.
ISE profiling collects endpoint data through multiple mechanisms:
- Device Sensor on network access devices consolidates MAC, DHCP, and LLDP attributes into RADIUS accounting messages
- SPAN or ERSPAN collectors capture traffic that crosses Layer 2 and Layer 3 boundaries, analyze it, and push updates to ISE via API calls
The challenge with protocols like LLDP and DHCP is that they are often confined by L2/L3 boundaries and so are not directly visible to ISE. By deploying a collector (a VM or dedicated PC) that receives mirrored traffic via SPAN or ERSPAN, you can bridge that gap. The collector analyzes the captured packets and sends API updates to ISE to enrich endpoint profiles.
Endpoint Custom Attributes
Beyond the built-in profiling probes, ISE supports Endpoint Custom Attributes that can be defined in the GUI or via the OpenAPI. These custom attributes allow you to store third-party endpoint context — similar to the IoTAsset attributes populated by the pxGrid probe — but with greater flexibility in customization. Custom attributes maintain the same performance capabilities as built-in attributes while allowing organizations to tailor their endpoint data model to specific needs.
Custom Attributes are managed under:
Administration -> Identity Management -> Settings -> Endpoint Custom Attributes
They can also be created and validated programmatically using OpenAPI calls, which is useful when onboarding a large number of third-party data sources.
Configuration Example
Enabling the OpenAPI on ISE
Starting from ISE 3.1, the OpenAPI interface is available and can be enabled through the GUI:
Administration -> System Settings -> API Settings
Once enabled, you can use standard REST calls to manage endpoints and custom attributes. The OpenAPI supports full CRUD operations (GET, POST, PUT, DELETE) against ISE data stores.
Configuring ANC for pxGrid Remediation
ANC policies are configured within the ISE administration interface. The PSN node publishes session context — including the user's IP address, which serves as the AAA RADIUS server address — along with session metadata to the PAN and MnT nodes for logging and auditing.
When a partner ecosystem tool (SIEM, MDM, NBA, IPS, or IPAM) subscribes to pxGrid, it receives this context. If it determines remediation is needed, the ANC action is sent back to ISE. ISE then enforces the configured ANC policy — such as quarantine, port shutdown, or re-authentication — on the relevant endpoint.
SGT Context Sharing with SD-WAN
pxGrid also plays a role in sharing Security Group Tag (SGT) context with SD-WAN deployments. SGT-to-IP mappings can be learned through two methods:
| Method | Description | Priority |
|---|---|---|
| Inline SGT | Tags embedded directly in data-plane traffic | Preferred — takes priority |
| Out-of-Band (OOB) SGT | Learned via Catalyst SD-WAN Manager ISE integration | Optional — lower priority than inline |
When both VPN segmentation and SGT micro-segmentation are used together, both VPN and SGT information can be shared simultaneously. This enables layered enforcement:
- Macro Segmentation uses SD-WAN VPN overlays (e.g., VPN 1 for IT, VPN 2 for Finance, VPN 3 for Partners) to separate broad traffic domains
- Micro Segmentation uses SGTs within those VPNs to enforce granular policies between user groups
Best Practice: Use inline SGT tagging whenever possible. Inline tags are preferred over out-of-band mappings because they travel with the packet and provide more reliable, real-time enforcement.
Real-World Application
Common Deployment Scenarios
Enterprise campus with SIEM integration: A large campus running ISE for 802.1X authentication deploys pxGrid to feed session data to a SIEM platform. When the SIEM correlates events and identifies a compromised endpoint, it triggers an ANC quarantine action through pxGrid — automatically isolating the device without help-desk intervention.
SD-WAN with SGT-based segmentation: An organization with multiple branch sites uses Catalyst SD-WAN for connectivity and ISE for identity. SGT context is shared so that SSE (Secure Service Edge) policies can match on SGT as a source object. Branches establish tunnels to cloud security services, and VPN segment information is automatically shared so that user traffic (e.g., VPN 80) is steered through cloud-delivered SWG, DLP, CASB, and firewall with IPS inspection.
IoT profiling with third-party collectors: A healthcare network deploys SPAN-based collectors to capture traffic from medical devices that do not support 802.1X. The collectors analyze DHCP and LLDP data, then push endpoint attributes to ISE via API. pxGrid then distributes this enriched profile data to partner tools for asset inventory and threat assessment.
Design Considerations
- Latency requirements: ISE recommends a maximum of 300 ms round-trip latency between the PAN and PSN nodes. Co-locate PSNs with Active Directory servers for optimal authentication performance.
- Platform selection: ISE nodes can run on physical appliances (SNS-3615 through SNS-3795), traditional virtual machines, or cloud instances on AWS and Azure/OCI. Choose the platform based on endpoint scale requirements.
- Scaling pxGrid: Deploy up to 4 pxGrid Controller nodes in large environments to handle the volume of publish/subscribe traffic from multiple partner integrations.
Important: Bandwidth is most critical between PSNs and the Primary PAN (for database replication) and between PSNs and MnT nodes (for audit logging). Plan your network accordingly when distributing ISE nodes across geographies.
Summary
- pxGrid is ISE's real-time context-sharing framework using persistent websocket connections (wss://) in a publisher/subscriber model, distinct from the request-response OpenAPI (https://).
- The pxGrid Controller persona supports up to 4 nodes per deployment and enables partner ecosystem tools (SIEM, MDM, NBA, IPS, IPAM) to consume session context and trigger ANC remediation actions.
- SGT context sharing with SD-WAN allows both macro segmentation (VPN overlays) and micro segmentation (SGT-based policies) to work together, with inline SGTs taking priority over out-of-band mappings.
- Endpoint Custom Attributes and the pxGrid probe extend profiling capabilities, especially for IoT devices, by accepting data from third-party collectors via SPAN/ERSPAN and API integration.
- In distributed ISE deployments, maintain less than 300 ms latency between PAN and PSN nodes, and prioritize bandwidth for PAN replication and MnT logging paths.
In the next lesson, we will explore advanced troubleshooting techniques for ISE deployments, building on the architecture and integration concepts covered here.