pxGrid Operation
ISE publishes topics of information, such as Session Directory, which carry ISE contextual information. pxGrid clients, Cisco security solutions and third-party ecosystem partners subscribe to these topics and use that context to provide more meaningful information around security events.
Sample end-user session
Session={ip=[192.168.1.31],
Audit Session Id=0A0000010000002803DBE3C1,
User Name=LAB6\jeppich,
AD User DNS Domain=lab6.com,
AD Host DNS Domain=null,
AD User NetBIOS Name=LAB6,
AD Host NETBIOS Name=null,
Calling station id=00:0C:29:79:02:A8,
Session state=STARTED,
ANCstatus=null,
Security Group=null,
Endpoint Profile=Windows7-Workstation,
NAS IP=192.168.1.2,
NAS Port=GigabitEthernet1/0/12,
RADIUSAVPairs=[ Acct-Session-Id=00000053],
Posture Status=NonCompliant,
Posture Timestamp=Sat Aug 01 15:15:20 EDT 2015,
Session Last Update Time=Sat Aug 01 15:15:22 EDT 2015}
Refer to the sample end-user session above, taken from a successful IEEE 802.1X wired authentication. Note the username, IP address, MAC address and device type information, which can be tied to an event.
With this type of contextual information around an event, and depending on the organization's security policy and compliance requirements, the security application can apply more restrictive policies to end users who are not complying with corporate policy or who connect to the organization's network with non-recommended devices.
Likewise, if the security application knows the device type and the user context, it becomes easier to apply security policies specific to that type of device and, where warranted, to take remediation action. Remediation can be carried out through pxGrid Adaptive Network Control (ANC) mitigation actions.
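As an added example (not code from the Cisco document), the following Python parses the Session={...} record shown above into a dictionary and pulls out the username, IP address, MAC address and device type that the text says an event can be tied to, together with the posture and ANC state a policy engine would act on. The input is the page's own sample session, embedded as a constant on a single line; the splitter is bracket-aware so that list-valued fields such as ip=[...] and RADIUSAVPairs=[...] are not broken on their inner commas.

```python
import re
SAMPLE_SESSION = (  # constructed input: the page's sample end-user session joined onto one line
    "Session={ip=[192.168.1.31], Audit Session Id=0A0000010000002803DBE3C1, User Name=LAB6\\jeppich, "
    "AD User DNS Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, "
    "AD Host NETBIOS Name=null, Calling station id=00:0C:29:79:02:A8, Session state=STARTED, "
    "ANCstatus=null, Security Group=null, Endpoint Profile=Windows7-Workstation, NAS IP=192.168.1.2, "
    "NAS Port=GigabitEthernet1/0/12, RADIUSAVPairs=[ Acct-Session-Id=00000053], "
    "Posture Status=NonCompliant, Posture Timestamp=Sat Aug 01 15:15:20 EDT 2015, "
    "Session Last Update Time=Sat Aug 01 15:15:22 EDT 2015}"
)

def _split_top_level(body):
    """Split on commas outside [...] so list fields (ip, RADIUSAVPairs) stay intact."""
    parts, depth, cur = [], 0, []
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_session(text):
    """Return the record's attributes as a dict: 'null' -> None, '[a, b]' -> list."""
    m = re.fullmatch(r"\s*Session=\{(.*)\}\s*", text, re.S)
    if not m:
        raise ValueError("not a Session={...} record")
    attrs = {}
    for part in _split_top_level(m.group(1)):
        key, _, value = (s.strip() for s in part.partition("="))
        if value == "null":
            attrs[key] = None
        elif value.startswith("[") and value.endswith("]"):
            attrs[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            attrs[key] = value
    return attrs

def session_context(attrs):
    # The user/IP/MAC/device tuple the text ties to an event, plus posture and ANC state.
    return {
        "user": attrs.get("User Name"),
        "ip": (attrs.get("ip") or [None])[0],
        "mac": attrs.get("Calling station id"),
        "device": attrs.get("Endpoint Profile"),
        "posture_compliant": attrs.get("Posture Status") == "Compliant",
        "anc_applied": attrs.get("ANCstatus") is not None,
    }
```

For the sample record, session_context reports the user as non-compliant with no ANC action yet applied, which is the state in which a policy engine would consider an ANC mitigation.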
Topics of Information
ISE-published capabilities are known as topics of information:
GridControllerAdminService provides pxGrid services to subscribers.
AdaptiveNetworkControl provides enhanced pxGrid ANC mitigation capabilities to subscribers.
Core provides pxGrid clients the capability to query all the registered capabilities on the ISE pxGrid node.
EndpointProfileMetaData provides pxGrid clients with the device information available from ISE.
EndpointProtectionService provides the EPS/ANC pxGrid mitigation actions compatible with ISE 1.3/1.4.
TrustSecMetaData provides pxGrid clients with the exposed Security Group Tag (SGT) information.
IdentityGroup provides pxGrid clients with Identity Group information that may not be available via 802.1X authentications.
SessionDirectory provides pxGrid clients with ISE published session information or available session objects.
Client Groups
pxGrid clients authenticate and connect to the ISE pxGrid node, register as clients, and then join client groups in order to subscribe to these topics or issue direct queries against them. A pxGrid client can belong to more than one client group.
The pxGrid client groups are:
Basic provides connectivity to the ISE pxGrid node only. The pxGrid administrator must manually move the registered pxGrid client into the other client groups, most commonly the Session group, which grants access to the pxGrid session objects.
Administrator is reserved for ISE-published node clients.
Session provides access to pxGrid session objects.
ANC provides access to ANC policy actions.
EPS is compatible with the ISE 1.3/ISE 1.4 eps_quarantine/eps_unquarantine pxGrid scripts.
