ISE/MSS-G Integration

ISE/MSS-G integration uses TrustSec data from Cisco ISE to create an MSS-G configuration that CloudVision distributes to switches. The integration is implemented by an ISE provider that runs in the third-party collector. It maps TrustSec Security Groups (SGTs), Access Control Lists, and policies into MSS-G segments and policies. The integration is built on top of Cisco ISE's External RESTful Services (ERS) and pxGrid APIs. Most of the data is read over pxGrid; information that is not available through pxGrid is loaded using the ERS REST API.

Prerequisites

The integration requires some configuration in Cisco ISE. Refer to the Cisco ISE documentation for configuration details.

  • A pxGrid compatible license is necessary.
  • The pxGrid service must be enabled.
  • The ERS service must be enabled.
  • There must be an ISE user with ERS access permission. Its credentials are stored by CloudVision, so a dedicated account with no other privileges is preferable.
  • ISE certificates must contain a Subject Alternative Name (SAN). Certificates that carry only a Common Name are rejected.
Note: Skipping CA validation is possible as a workaround if necessary. It disables verification of the ISE server certificate, so the collector can no longer tell a genuine ISE node from an impersonating one; use it only temporarily, until certificates with a SAN and a trusted chain are in place.

Known Limitations

  • Both ERS and pxGrid are needed.
  • Dynamic IP prefix updates and rule changes may take up to 30 seconds to be updated in CloudVision.
  • Layer-4 policies are not supported. Policies must be either accept-all or deny-all. ACL rules are limited to only permit ip and deny ip.
  • Hostnames are not supported: static ISE configuration that is specified using hostnames is not applied to CloudVision or to the switches and may cause issues with the integration.
  • Setting up the ISE collector will clear all existing segmentation configuration in CloudVision.
  • ISE SGT Mapping Groups are not supported.
  • The MONITOR egress cell option is not supported.
  • Only one Matrix configuration is supported.
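Because the collector clears existing segmentation configuration and silently skips data it cannot map, it pays to check the TrustSec data against the limits above before onboarding. The following Python script is an added example, not code from Arista CloudVision or Cisco ISE: it takes a constructed, simplified view of what an operator would pull from ISE (the dictionary shape and field names are assumptions, not the ERS schema) and reports every SGACL, IP-to-SGT mapping and matrix that the integration would not accept, then shows the accept/deny action each mappable SGACL collapses to.

```python
"""Pre-flight check of TrustSec data against the ISE/MSS-G integration limits.

Added example, not code from Arista CloudVision or Cisco ISE. The input shape
below is a constructed, simplified view of data pulled from ISE via ERS/pxGrid;
its field names are assumptions, not the ERS schema.
"""
import ipaddress
import re

# The only ACL lines the integration maps: "permit ip" and "deny ip".
SUPPORTED_RULE = re.compile(r"^\s*(permit|deny)\s+ip\s*$")

# Constructed sample export: four SGACLs, three static mappings, two matrices.
SAMPLE_EXPORT = {
    "sgacls": {
        "Permit_All": ["permit ip"],
        "Deny_All": ["deny ip"],
        "Web_Only": ["permit tcp dst eq 443", "deny ip"],  # Layer-4 match: unsupported
        "Mixed": ["permit ip", "deny ip"],                 # first line wins: accept-all
    },
    "ip_sgt_mappings": [
        {"host": "10.1.20.0/24", "sgt": 10},
        {"host": "10.1.30.7", "sgt": 20},
        {"host": "printer01.corp.example", "sgt": 30},     # hostname: unsupported
    ],
    "matrices": ["Default", "Lab"],                        # only one matrix is supported
}


def sgacl_action(rules):
    """Return 'accept' or 'deny' for an SGACL the integration can represent.

    Every line must be 'permit ip' or 'deny ip'; since both are catch-alls the
    first line decides the action. Returns None for Layer-4 rules or an empty ACL.
    """
    actions = []
    for rule in rules:
        m = SUPPORTED_RULE.match(rule)
        if not m:
            return None
        actions.append("accept" if m.group(1) == "permit" else "deny")
    return actions[0] if actions else None


def is_ip_or_prefix(value):
    """True for an IPv4/IPv6 address or prefix, False for a hostname."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def validate_export(export):
    """Return human-readable findings; an empty list means the data maps cleanly."""
    findings = []
    for name, rules in export.get("sgacls", {}).items():
        if sgacl_action(rules) is None:
            findings.append(
                f"SGACL {name}: only 'permit ip' / 'deny ip' lines are supported, got {rules}")
    for entry in export.get("ip_sgt_mappings", []):
        if not is_ip_or_prefix(entry["host"]):
            findings.append(
                f"mapping {entry['host']} -> SGT {entry['sgt']}: hostnames are not supported")
    matrices = export.get("matrices", [])
    if len(matrices) > 1:
        findings.append(f"{len(matrices)} matrices defined ({matrices}); only one is supported")
    return findings


def supported_policies(export):
    """Map each representable SGACL name to the accept/deny action it collapses to."""
    actions = {name: sgacl_action(rules) for name, rules in export.get("sgacls", {}).items()}
    return {name: action for name, action in actions.items() if action is not None}


if __name__ == "__main__":
    for finding in validate_export(SAMPLE_EXPORT):
        print("WARN", finding)
    print("mappable:", supported_policies(SAMPLE_EXPORT))
```

Run it against your own export before setting up the collector; anything it reports as WARN is data the integration will drop or mis-handle rather than reject with an error.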

Certificates for pxGrid integration

The ISE collector uses pxGrid as part of the integration with Cisco ISE. Client certificates are necessary to communicate with pxGrid. The certificates can be generated in the Cisco ISE web interface.

Verifying pxGrid is enabled in ISE:

  1. Log in as an administrator to the Cisco ISE web interface.
  2. Navigate to Administration → Deployment.
  3. Check the pxGrid box.
  4. Save changes.

Generating a Certificate

For information and instructions to generate certificates, refer to the official Cisco ISE documentation.

Configuring the ISE Collector

Before the ISE collector can be configured, third-party device onboarding must be enabled in CloudVision and ISE must be onboarded.

Enable Third Party Device Onboarding

  1. Navigate to Settings (Gear icon on top right) → General Settings.
  2. Enable Third Party Device Onboarding.
  3. Enable Onboard Cisco ISE Devices.
  4. Enable Inventory Resource API. This makes the onboarding page visible in the user interface.

From the onboarding interface:

  1. Navigate to Device → Device Registration.
  2. Select the first tab Device Onboarding.
  3. Under Onboard Non-EOS and Third Party Devices, select the template Cisco ISE.

Onboarding ISE

Complete the form and select Onboard.

  • Cisco ISE URL (including protocol): https://ise-host.com
    Note: Use the fully qualified hostname. Include the protocol, such as https://.
  • Cisco ISE Cert File: Upload the client certificate generated in ISE, COMMON_NAME_.cer (named after the certificate's Common Name)

  • Cisco ISE Key File: Upload the client private key, client.key, decrypted. ISE exports the key password-protected; decrypt it before uploading.

  • Cisco ISE CA File: Upload chain.cer

    Note: If deployment fails due to errors in validating the certificate, it may be because the Cisco ISE certificates do not specify the Subject Alternative Name option, which is required.
  • pxGrid Port: Leave the default value (8910) or provide the port configured in ISE.

  • pxGrid User: arista-ise-integration

  • ERS Username: user_with_ers_permission

  • ERS Password: password_for_user_above
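The two file-related failures in this form are a certificate without a Subject Alternative Name and a key that is still password-protected. The shell functions below are an added example, not Arista or Cisco tooling: they check the uploaded certificate for a SAN, list its DNS names, detect and strip the key password, and optionally fetch the certificate ISE presents on the pxGrid port so its SAN can be compared with the hostname entered in the form. It assumes OpenSSL 1.1.1 or newer is installed; the file names, hostname and password are placeholders.

```shell
#!/bin/sh
# Added example (not Arista or Cisco code): pre-flight checks on the files the
# onboarding form takes. Assumes OpenSSL 1.1.1 or newer; all file names,
# hostnames and the password below are placeholders.

# cert_has_san FILE : exit 0 if the PEM certificate carries a Subject
# Alternative Name extension, 1 if it is Common-Name only.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "Subject Alternative Name"
}

# cert_san_dns FILE : print the DNS names listed in the SAN, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# key_is_encrypted FILE : exit 0 if the PEM private key is still password
# protected ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q "ENCRYPTED" "$1"
}

# decrypt_key IN OUT PASSWORD : write the unencrypted key to OUT, created 0600
# so the plaintext key is readable only by the current user.
decrypt_key() {
    ( umask 077; openssl pkey -in "$1" -passin "pass:$3" -out "$2" )
}

# fetch_server_cert HOST PORT OUT : save the certificate ISE presents on PORT
# (8910 is the pxGrid default) so it can be checked with cert_san_dns.
# Needs network access to ISE, so it is not exercised offline.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# preflight CLIENT_CERT CLIENT_KEY [ISE_HOST] : run the checks, report each
# result, and exit 1 if any check fails.
preflight() {
    rc=0
    if cert_has_san "$1"; then
        echo "ok   $1: SAN = $(cert_san_dns "$1" | tr '\n' ' ')"
    else
        echo "FAIL $1: no Subject Alternative Name (CN-only certificates are rejected)"; rc=1
    fi
    if key_is_encrypted "$2"; then
        echo "FAIL $2: still encrypted; run decrypt_key before uploading"; rc=1
    else
        echo "ok   $2: key is unencrypted"
    fi
    if [ -n "$3" ]; then
        tmp=$(mktemp)
        if fetch_server_cert "$3" 8910 "$tmp" && cert_san_dns "$tmp" | grep -qx "$3"; then
            echo "ok   $3: pxGrid certificate SAN covers the hostname"
        else
            echo "FAIL $3: pxGrid certificate unavailable or its SAN does not list $3"; rc=1
        fi
        rm -f "$tmp"
    fi
    return $rc
}

# Usage with placeholder names:
#   decrypt_key client.key client-decrypted.key 'export-password'
#   preflight COMMON_NAME_.cer client-decrypted.key ise-host.com
```

Run `preflight` with the three arguments before filling in the form; a FAIL on the SAN line is the same condition the deployment error in the note above points at, and a FAIL on the key line means the upload would contain a password-protected key the collector cannot use.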

Upon successful onboarding, the collector client will appear in the Cisco ISE user interface.

  1. From Administration navigate to pxGrid Services and select All Clients.

  2. Find the pxGrid user (arista-ise-integration in the example above) in the table.

  3. Check the relevant row.

  4. Click Approve at the top of the table.

  5. Allow up to one minute for the collector to notice the approval.

  6. Data will start streaming to CloudVision. This can be checked in the telemetry browser in CloudVision:

    Dataset: analytics

    Path: /yang/arista/segmentation/config/domain

  7. Devices onboarded to CloudVision with OpenConfig and MSS-G enabled will receive and apply the configurations.