
Integrate Identity Services Engine with Security Cloud Control

Integrate Cisco ISE with Security Cloud Control for identity and device posture sharing and adaptive policy enforcement.

Prerequisites

  • Administrative access to both Cisco ISE and Security Cloud Control consoles.
  • Appropriate licensing and feature entitlements enabled on both platforms.
  • SAML metadata or IdP details for single sign‑on (if SSO is required).
  • Network connectivity and firewall rules permitting pxGrid/cloud connector traffic between ISE and Security Cloud.
  • Test accounts and devices for validation before broad rollout.

Step‑by‑step integration procedure

1. Prepare ISE

  • Confirm ISE version supports cloud/pxGrid connectors and required features.
  • Enable and configure pxGrid or the cloud connector component used for context sharing.
  • Ensure certificates used by ISE are valid and trusted by Security Cloud (import CA or device certs as needed).

2. Configure SSO and metadata exchange (if applicable)

  • Export SAML metadata from your identity provider and import it into Security Cloud.
  • Export Security Cloud SAML metadata and import it into your IdP or ISE SSO configuration as required.
  • Validate SSO by logging into Security Cloud with a test IdP account.

3. Register ISE with Security Cloud

  • From Security Cloud, initiate the registration or onboarding flow for an identity source.
  • Provide the required ISE connection details (hostname, service endpoints, certificates, credentials).
  • Approve or accept the registration on the ISE side if a mutual registration step is required.

4. Map attributes and define sharing scope

  • Identify which ISE attributes will be shared (user identity, device posture, group membership, MAC/IP, posture results).
  • Configure attribute filters and mappings so Security Cloud receives only the necessary context.
  • Define which user/device groups and enforcement points will consume ISE context.

5. Create and apply adaptive policies in Security Cloud

  • Build policies that reference ISE attributes (for example: block access for non‑compliant posture; apply limited network access for guest devices).
  • Scope policies to a small pilot group for initial testing.
  • Deploy policies and monitor enforcement behavior.
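As an added illustration of steps 4 and 5 (not code from Cisco ISE, Security Cloud Control, or this page), the following Python model shows the two controls that most often go wrong: an allowlist that restricts which ISE session attributes leave ISE, and a precedence-ordered policy evaluation where the non-compliant-posture rule wins over the guest rule. The attribute names, policy names and sample session are assumptions chosen for illustration, not the products' actual schema.

```python
from dataclasses import dataclass
from typing import Callable

# Allowlist of ISE session attributes permitted to be shared, mapped to the
# field names the cloud policy is assumed to use (hypothetical mapping).
SHARING_MAP = {
    "UserName": "user",
    "PostureStatus": "posture",
    "IdentityGroup": "groups",
    "Calling-Station-ID": "mac",
    "Framed-IP-Address": "ip",
}

def filter_context(ise_session: dict) -> dict:
    """Least privilege: keep only allowlisted attributes and rename them."""
    return {out: ise_session[src] for src, out in SHARING_MAP.items() if src in ise_session}

@dataclass
class Policy:
    name: str
    priority: int                      # lower number is evaluated first
    condition: Callable[[dict], bool]
    action: str

# Ordered so that a non-compliant device is blocked even if it is also a guest.
POLICIES = [
    Policy("block-noncompliant", 10, lambda c: c.get("posture") == "NonCompliant", "block"),
    Policy("guest-limited", 20, lambda c: "Guest" in c.get("groups", []), "limited"),
    Policy("default-allow", 100, lambda c: True, "allow"),
]

def evaluate(context: dict, policies=POLICIES) -> tuple:
    """Return (policy name, action) of the highest-precedence matching policy."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.condition(context):
            return p.name, p.action
    raise RuntimeError("no policy matched")  # unreachable while default-allow exists

# Constructed sample session in the shape ISE might present; not real ISE output.
SAMPLE_SESSION = {
    "UserName": "jdoe",
    "PostureStatus": "NonCompliant",
    "IdentityGroup": ["Employees"],
    "Calling-Station-ID": "00:11:22:33:44:55",
    "Framed-IP-Address": "10.0.0.5",
    "Device-Serial": "SN-CONSTRUCTED-001",   # not in the allowlist: must not be shared
}

if __name__ == "__main__":
    shared = filter_context(SAMPLE_SESSION)
    print(shared, evaluate(shared))
```

Running the block prints the minimal shared context and the matched policy; widening the allowlist or reordering priorities changes the outcome, which is the behaviour the verification step's compliant-versus-non-compliant test should confirm.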

Verification and validation

  • Registration check: Confirm ISE appears as a registered identity source in Security Cloud.
  • Attribute visibility: Authenticate a test user and verify user and device attributes are visible in Security Cloud logs or dashboards.
  • Policy enforcement test: Simulate access scenarios (compliant vs non‑compliant device) and confirm Security Cloud applies the expected policy actions.
  • Logging: Review audit logs on both ISE and Security Cloud for successful attribute exchange and enforcement events.

Troubleshooting (common issues and fixes)

  • SSO or SAML failures: Re‑export and re‑import metadata; verify clocks/timezones and certificate validity.
  • Connectivity problems: Check firewall rules, DNS resolution, and that pxGrid/cloud connector ports are open.
  • Missing attributes: Revisit attribute mapping and filters in ISE; ensure the attributes are enabled for sharing.
  • Policy not applied: Confirm policy scope and precedence in Security Cloud; verify that the test device/user matches the policy conditions.
  • Licensing or feature gaps: Verify required features are enabled and licenses are current on both platforms.

Best practices and recommendations

  • Pilot first: Test with a small set of users/devices before wide deployment.
  • Least privilege: Share only the attributes required for enforcement.
  • Change control: Track and document policy changes and connector configuration updates.
  • Monitoring: Enable detailed logging during rollout and periodically review logs for anomalies.
  • Version compatibility: Confirm ISE and Security Cloud versions support the integration features you plan to use.