ISE as a Provider

This section goes over the contextual information shared from ISE using pxGrid. ISE publishes active user session information as well as configuration information, such as TrustSec Security Groups and configured device profiles. ISE also exposes the Endpoint Protection Service (EPS) API through pxGrid.

  • Session Directory Capability: Provides information related to active sessions in ISE.

  • Endpoint Profile Meta-Data Capability: Provides Device Type related information configured in ISE.

  • TrustSec Meta-Data Capability: Provides TrustSec Security Group information configured in ISE.

  • Endpoint Protection Service Capability: Allows EPS actions to be taken and also provides EPS action status.

The query API and notifications that are exposed through these capabilities can be invoked as detailed in previous sections. Additionally, a client stub API built on top of the GCL is provided for these capabilities; it hides the details of the request/response model and exposes these queries as direct method calls.

Session Directory Capability

Using the Session Directory capability, ISE provides active user session information, which includes the user identity and its associated context: IP address, user group, location, and device type. This information can be retrieved on demand by invoking the query and bulk download APIs, and it is also pushed to subscribers through notifications.

A typical use case for the session information is an upstream device that needs the user identity and context for network traffic so that it can apply policy based on that context, such as the user group, device type, or security group. The upstream device registers with the pxGrid server as a consumer of the Session Directory capability. Once the connection is established, it invokes the bulk download API to retrieve the context of all active sessions and subscribes to notifications for any further session updates.

A client stub API that is built on top of the GCL provides an easy way to invoke queries associated with the Session Directory capability.
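The consumer-side half of that use case, as an added example (not pxGrid SDK or ISE code): a session cache that is seeded from a bulk download and then kept current from notifications, dropping out-of-order events so a stale update cannot resurrect a superseded security group. The field names, the STARTED/UPDATED/DISCONNECTED states, the update counter and the sample sessions are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """One active ISE session as a consumer sees it (constructed field names)."""
    ip: str
    user: str
    user_group: str
    device_type: str
    security_group: str
    updated: int  # constructed update counter standing in for ISE's timestamp


class SessionCache:
    """Consumer-side copy of the Session Directory, keyed by endpoint IP."""

    def __init__(self):
        self.by_ip = {}

    def load_bulk(self, sessions):
        """Replace the cache with a bulk download snapshot."""
        self.by_ip = {s.ip: s for s in sessions}

    def apply_notification(self, state, session):
        """Merge one session notification; returns False if the event was stale."""
        current = self.by_ip.get(session.ip)
        if current is not None and session.updated < current.updated:
            return False  # older than what we hold: out-of-order delivery, ignore it
        if state == "DISCONNECTED":
            self.by_ip.pop(session.ip, None)
        else:  # STARTED or UPDATED carry the full session context
            self.by_ip[session.ip] = session
        return True

    def policy_for(self, ip):
        """Security group to enforce for traffic from ip; 'unknown' when no session exists."""
        session = self.by_ip.get(ip)
        return session.security_group if session else "unknown"


def demo():
    """Seed from a constructed bulk download, then apply three constructed notifications."""
    cache = SessionCache()
    cache.load_bulk([Session("10.0.0.5", "alice", "Employees", "Apple-iPad", "Employees", 10),
                     Session("10.0.0.9", "guest1", "Guests", "Android", "Guests", 11)])
    cache.apply_notification("UPDATED", Session("10.0.0.5", "alice", "Employees", "Apple-iPad", "Quarantine", 12))
    stale = cache.apply_notification("UPDATED", Session("10.0.0.5", "alice", "Employees", "Apple-iPad", "Employees", 9))
    cache.apply_notification("DISCONNECTED", Session("10.0.0.9", "guest1", "Guests", "Android", "Guests", 13))
    return cache.policy_for("10.0.0.5"), cache.policy_for("10.0.0.9"), stale


if __name__ == "__main__":
    print(demo())  # ('Quarantine', 'unknown', False)
```

An enforcement point that only did the bulk download, or that applied notifications in arrival order without the counter check, would keep enforcing "Employees" for 10.0.0.5 after ISE moved it to "Quarantine".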

Endpoint Protection Service (EPS) Capability

The Endpoint Protection Service (EPS) capability allows EPS actions to be initiated from a pxGrid client. Examples of EPS actions include quarantining an endpoint, unquarantining an endpoint, or shutting down an endpoint. EPS actions can be performed using the IP address, MAC address, or session ID, on online or offline endpoints.

Endpoint Profile Metadata Capability

The Endpoint Profile Metadata capability provides a query API to retrieve the list of endpoint profiles (profiling policies), such as iPhone, iPad, and Android, configured in ISE, as well as a notification when an endpoint profile is changed. If profiling policies and probes are enabled on ISE, an endpoint can be profiled to one of the configured endpoint profiles, and that profile is published as part of the session model.

TrustSec Metadata Capability

The TrustSec Metadata capability provides a query API to retrieve the list of all security groups configured in ISE, as well as notifications of changes to the security group configuration.