Kevin Regan, SDA Policy Team, IBNG

Uploaded On 2023-12-30



Presentation Transcript

1. Using Group-Based Policy with ISE and Forescout
   Kevin Regan, SDA Policy Team, IBNG
   March 20

2. Group-Based Policy flow with ISE
   - Define groups in DNA Center or ISE for protected apps / services and endpoints that should access them
   - Can observe traffic patterns between groups
   - Leverage ISE infrastructure for geo-resilience and sharing of SGT data to security applications with optimized policy management functions on DNA Center
   Diagram labels: ISE; Authentication; Authorization; Segmentation Policy (SGACL); RADIUS Accounting; SDA; SXP/pxGrid; FirePower; Web Security Appliance; ASA & 3rd party

3. Group-Based Policy with Forescout
   Using Forescout pxGrid Plugin: https://www.forescout.com/company/resources/pxgrid-plugin-configuration-guide-1-0-0/
   “Forescout’s pxGrid Plugin integrates with existing Cisco ISE (Identity Services Engine) deployments so that you can benefit from Forescout visibility and assessment for policy decisions, while continuing to use ISE as an enforcement point. The pxGrid Plugin enables Forescout platform policies to detect ISE-related properties on endpoints, and to apply Cisco ISE ANC policies, including policies that assign Security Groups to devices”

4. Integration Flow: Step 1
   Diagram labels: ISE; SXP/pxGrid; FirePower; Web Security Appliance; ASA & 3rd party; NAC; Passive Monitoring; RADIUS used to track endpoints; RADIUS/MAB; Segmentation Policy (SGACL); RADIUS Accounting; Session Directory shared over pxGrid; Cisco DNA-Center; SDA

5. Integration Flow: Step 2
   Diagram labels: ISE; SXP/pxGrid; FirePower; Web Security Appliance; ASA & 3rd party; NAC; Passive Monitoring; RADIUS/MAB; Segmentation Policy (SGACL); RADIUS Accounting; Endpoint Classification from NAC; RADIUS Change of Authorization; Applies SGT & VN; Cisco DNA-Center; SDA

6. Integration Flow: Step 3
   Diagram labels: SXP/pxGrid; FirePower; Web Security Appliance; ASA & 3rd party; NAC; Endpoint Classifications; Passive Monitoring; SGT Assignment Triggers Policy Download Request; Segmentation Policy (SGACL); RADIUS Accounting; Policy and Group Management; Cisco DNA-Center; SDA

7. Summary Operation
   - ISE with open mode RADIUS/MAB is used to track endpoints
   - Forescout subscribes to ISE pxGrid session directory for endpoint data
   - SGTs are created in ISE or DNAC for roles needed
   - Policies are created in ISE to map ANC labels to SGT assignments
   - Forescout uses ANC to classify endpoints with appropriate ANC label
   - ISE assigns SGTs to endpoints based on ANC instructions
   - Session directory is updated – for all pxGrid clients to be updated
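
The summary sequence can be traced with a small in-memory model. This is an added example, not part of the presentation and not Cisco or Forescout code: the class names, ANC labels and SGT names are constructed, and a plain dict stands in for the ISE rules that map ANC labels to SGTs. It also covers an ANC label that has no matching rule, which in this model leaves the endpoint on the default tag.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

def norm_mac(mac: str) -> str:  # one canonical key for RADIUS and ANC lookups
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or set(digits) - set("0123456789ABCDEF"):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class Session:
    mac: str
    anc_label: Optional[str] = None
    sgt: str = "Unknown"

@dataclass
class IseModel:
    anc_to_sgt: dict                 # assumption: stands in for ISE ANC-label -> SGT rules
    default_sgt: str = "Unknown"     # tag used when no rule matches
    sessions: dict = field(default_factory=dict)
    subscribers: list = field(default_factory=list)

    def _authorize_and_publish(self, s: Session) -> Session:
        s.sgt = self.anc_to_sgt.get(s.anc_label, self.default_sgt)
        for notify in self.subscribers:   # session directory update to every subscriber
            notify(replace(s))            # hand out a copy, not the live record
        return s

    def mab_open_mode(self, mac: str) -> Session:  # open-mode MAB: admit and track
        key = norm_mac(mac)
        return self._authorize_and_publish(self.sessions.setdefault(key, Session(key)))

    def apply_anc(self, mac: str, label: str) -> Session:  # NAC label, then re-authorize
        s = self.sessions.get(norm_mac(mac))
        if s is None:
            raise LookupError("no RADIUS session for this endpoint yet")
        s.anc_label = label
        return self._authorize_and_publish(s)

def run_demo():
    seen = []                              # what a session directory subscriber receives
    ise = IseModel({"ANC_Camera": "Cameras", "ANC_Printer": "Printers"})  # constructed
    ise.subscribers.append(seen.append)
    ise.mab_open_mode("00-11-22-aa-bb-cc")
    ise.apply_anc("0011.22AA.BBCC", "ANC_Camera")     # same endpoint, other MAC notation
    ise.mab_open_mode("00:11:22:aa:bb:dd")
    ise.apply_anc("00:11:22:aa:bb:dd", "ANC_Badge")   # label with no rule in this model
    return [(s.mac, s.anc_label, s.sgt) for s in seen]
```

The last event in `run_demo()` is the one worth checking for in a real deployment: the endpoint carries an ANC label, but its SGT never changed because no rule maps that label.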
