Firepower 6.0 pxGrid Integration with ISE - CA-Signed Certificate

In this post, I'm going to go through the configuration of Firepower v6.0.x for pxGrid integration with ISE using CA-signed certificates. In future posts, I'm planning on going through the configuration for both Firepower 5.4 and 6.0 using both self-signed and CA-signed certificates. The reason I plan on doing that is because they are slightly different and it's important to know this. 

In Firepower 5.4, pxGrid integration was possible in terms of remediation but it was limited and performed via python script. Firepower 6.0 removed the python script and instead shares contextual information between ISE and Firepower. The one downside is that in at least Firepower 6.0, the remediation portion has temporarily been removed. I'm sure I'll be writing a blog in the near future on how to configure this in future versions but it is important to state that for anyone who might be looking for that feature in Firepower 6.0. 

In my lab, I have a single ISE node instead of a distributed deployment. If you want to read more information on pxGrid in an ISE distributed deployment, click on here to view the guide. To start out, I'm going SSH to my FMC and issue the following commands to create a certificate signing request: 

openssl genrsa -out sourcefireAgent.key 4096
openssl req -new -key sourcefireAgent.key -out sourcefireAgent.csr

Fill out the information for the CSR and then press enter. Next you will need to use WinSCP or your client of choice to connect to the FMC and copy the .key and .csr file that you just created off the appliance.

Open the CSR in notepad.

Then open a browser and navigate to the Active Directory Certificate Services web enrollment page and click on the link for Download a CA Certificate, certificate chain or CRL.  In the next page, download the CA Certificate in Base 64 format and rename is something that's easier to remember what it's used for such as CA-Root.cer

Click back on your browser and go back to the main AD CA Web Enrollment home screen. Click on Request a certificate. On the next page, click advanced certificate request. You will be taken to a page to submit a certificate request. Copy the text from the CSR notepad into the Base-64-encoded certificate request field and choose pxGrid as the certificate template. Click Submit when done:

Note: If you don't have this template or haven't read my previous notes, click here to learn how to create the template on your Windows Server. 

On the next page, download the certificate in Base 64 encoded format and if you want, rename the certificate to a more logical name such as CA-Signed.cer to make it easier to keep track of. 

Back in the FMC, we need to add the CA Root certificate to the trusted CA store so it will trust the CA-signed certificate we just created. In the FMC, navigate to Objects>Object Management>Trusted CAs and click Add Trusted CA:

Click Browse and browse to the CA-Root.cer we just downloaded and then click Save to import the certificate.

In previous posts, I've mentioned this but in the event you are just reading this post, ISE must be configured with a couple things in order for pxGrid to work. Please make sure the following is configured in ISE:

  • Navigate to Administration>System>Certificates and please make sure there is a CA-signed certificate that is enabled for pxGrid 
  • Navigate to Administration>System>Deployment>ISE-Node and make sure that the pxGrid Persona is enabled
  • Make sure that the ISE node will automatically approve new accounts by navigating to Administration>pxGrid Services>Settings

 

 

If all those settings are configured in ISE, go back to the FMC and navigate to System>Integration>Identity Sources and click on Identity Services Engine

On this page, do the following:

  • Enter the IP address of the ISE server in the Primary Host Name/IP Address field
  • Choose the previously uploaded CA-Root certificate from the drop-down for both the pxGrid Server CA and MNT Server CA fields
  • Press the button next to the MC Server Certificate field.
    • Give it a logical name that makes sense to you such as CA-Signed 
    • Click the Browse button next to the Certificate Data field and select the CA-Signed.cer we previously created.
    • Click the Browse button next to the Key field and select the .key file we previously downloaded from the FMC with WinSCP 
  • Click Save when done

Now click the Test button to test the connectivity between ISE and the FMC. You should see the following: 

Click Save on this page. 

We can also verify this connection in ISE by navigating to Administration>pxGrid Services>Clients and you should see the new Firesight/FMC clients:

If you followed the above steps and this still did not work, check the following:

  • Check the network connectivity between the FMC and ISE (ping from the CLI, etc)
  • If you're using ISE 2.0 or below, you will need to click Enable Auto-Registration instead on the Administration>pxGrid Services>Clients page:
  • Make sure that the pxGrid Persona is enabled on the ISE client you are using
  • Make sure that there are no Pending Approvals under Administration>pxGrid Services

The next thing we will configure is the Active Directory Realm in Firepower. Navigate to System>Integration>Realms and click New Realm:

In the Add New Realm pop-up, add the following:

  • Name of the Realm
  • (Optional) Description
  • Choose a type - AD or LDAP
  • Enter the AD primary domain
  • Add the username
  • Add the password
  • Base DN
  • Group DN 
  • Pick the Group Attribute - Member 

On the next page, click the Add Directory button and add the domain server:

Click the Test button to make sure you can connect to the AD server and then click Ok

Click on the User Download tab. On this tab, check the box next to Download users and groups and then click the Download Now button to download the AD groups:

Click Save to save the realm. 

You will be brought back to the Realms page. Make sure the State slider is enabled to enable this realm:

Navigate to Policies>Access Control>Identity and click on New Policy. Name the new policy and click Ok. On the next page, click on Add Rule and create a Passive Authentication Policy as follows:

Click Add and save your identity policy. 

 

Now we will add our newly created Identity Policy to our Access Control Policy. Navigate to Policies>Access Control>Access Control and edit your policy. On the top, click on the link next to the Identity Policy and choose your new policy from the drop-down and click save.

Click on the Advanced tab and edit the Transport/Network Layer Preprocessor Settings and check the box next to Ignore the VLAN header when tracking connections and click Ok

Save you Access Control Policy.

To verify you are getting information about your hosts, navigate to Analysis>Users>User Activity and you should see information passed by ISE:

Now we are going to create a policy based on the ISE attributes. Navigate to Policies>Access Control>Access Control and edit your Policy. Click Add Rule and click on the ISE Attributes tab:

Under this tab, we can create rules based on the following:

  • Security Group Tags
  • Device Type 
  • Location IP

In this rule, I'm going  block social media based on Domain Admin SGT:

After clicking OK, saving and deploying my policy, anyone with the Domain Admin SGT should be blocked from accessing social media.