Cisco ISE 1.3 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3

Table 3: Cisco ISE Nodes and Available Menu Options

Cisco ISE Node: All Nodes
Available Menu Options:
• View and configure system time and NTP server settings.
• Install server certificate, manage certificate signing request.
Note: The server certificate operations must be performed directly on each individual node. The private keys are not stored in the local database and are not copied from the relevant node; the private keys are stored in the local file system.

Cisco ISE Node: Primary PAN
Available Menu Options: All menus and sub-menus.

Cisco ISE Node: Active Monitoring Node
Available Menu Options:
• Home and operations menus.
• Provides redundant access to monitoring data that can be accessed from both the Primary and the Active Monitoring nodes.

Cisco ISE Node: Policy Service Nodes
Available Menu Options: Option to join, leave, and test Active Directory connection. Each Policy Service node must be separately joined to the Active Directory domain. You must first define the domain information and join the PAN to the Active Directory domain. Then, join the other Policy Service nodes to the Active Directory domain individually.

Cisco ISE Node: Secondary PAN
Available Menu Options: Option to promote the Secondary PAN to become the Primary PAN.
Note: After you have registered the secondary nodes to the Primary PAN, while logging in to the Admin portal of any of the secondary nodes, you must use the login credentials of the Primary PAN.

Configure a Cisco ISE Node

After you install a Cisco ISE node, all the default services provided by the Administration, Policy Service, and Monitoring personas run on it. This node will be in a standalone state. You must log in to the Admin portal of the Cisco ISE node to configure it. You cannot edit the personas or services of a standalone Cisco ISE node. You can, however, edit the personas and services of the primary and secondary Cisco ISE nodes. You must first configure a primary ISE node and then register secondary ISE nodes to the primary ISE node.

If you are logging in to the node for the first time, you must change the default administrator password and install a valid license.

It is recommended not to change the hostname and the domain name on Cisco ISE that have been configured or in production. If it is required, then reimage the appliance, make changes, and configure the details during the initial deployment.

Before You Begin
You should have a basic understanding of how distributed deployments are set up in Cisco ISE. Read the guidelines for setting up a distributed deployment.

Procedure
Step 1 Choose Administration > System > Deployment.
Step 2 Check the check box next to the Cisco ISE node that you want to configure, and click Edit.
Step 3 Enter the values as required and click Save.

Configure a Primary PAN

To set up a distributed deployment, you must first configure a Cisco ISE node as your Primary PAN.

Procedure
Step 1 Choose Administration > System > Deployment.
       The Register button will be disabled initially. To enable this button, you must configure a Primary PAN.
Step 2 Check the check box next to the current node, and click Edit.
Step 3 Click Make Primary to configure your Primary PAN.
Step 4 Enter data on the General Settings tab.
Step 5 Click Save to save the node configuration.

What to Do Next
1. Add secondary nodes to your deployment.
2. Enable the profiler service and configure the probes, if required.

Register a Secondary Cisco ISE Node

After you register the secondary node, the configuration of the secondary node is added to the database of the primary node and the application server on the secondary node is restarted. After the restart is complete, the secondary node will be running the personas and services that you have enabled on it. You can view all the configuration changes that you make from the Deployment page of the Primary PAN. However, expect a delay of 5 minutes for your changes to take effect and appear on the Deployment page.

Before You Begin
Ensure that the primary node's trusted certificate store has the appropriate certificate authority (CA) certificates to validate the HTTPS certificate of the secondary node that you are going to register. When you import the secondary node's certificate into the trusted certificate store, check the Trust for authentication within ISE check box for the Primary PAN to validate the secondary node's certificate.

After you register the secondary node to the primary node, if you change the HTTPS certificate on the secondary node, you must import the appropriate CA certificates into the trusted certificate store of the primary node.

The certificates that you import into the trusted certificate store of the Primary PAN are replicated to the secondary nodes.

We recommend that you decide on the type of node (Cisco ISE or Inline Posture) at the time of registration. If you want to change the node type later, you have to deregister the node from the deployment, restart Cisco ISE on the standalone node, and then reregister it.

If you plan to deploy two Administration nodes for high availability, register the Secondary PAN before you register the other secondary nodes. If you register the nodes in this sequence, you do not have to restart the secondary ISE nodes after you promote the Secondary PAN as your primary.

If you plan to deploy multiple Policy Service nodes running Session services with mutual failover among these nodes, place the Policy Service nodes in a node group. You must create the node group before you register the nodes.

Procedure
Step 1 Log in to the Primary PAN.
Step 2 Choose Administration > System > Deployment.
Step 3 Choose Register > Register an Cisco ISE Node to register a secondary node.
Step 4 Enter a DNS-resolvable hostname or IP address of the secondary node.
       If you are using the hostname while registering the Cisco ISE node, the fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, abc.xyz.com, must be DNS-resolvable from the Primary PAN. Otherwise, node registration fails. You must have previously defined the IP address and the FQDN of the secondary node in the DNS server.
Step 5 Enter a UI-based administrator credential for the secondary node in the Username and Password fields.
Step 6 Click Next.
       Cisco ISE contacts the secondary node, obtains some basic information such as the hostname, default gateway, and so on, and displays it.
       If you have chosen to register a secondary node, you can edit the configuration of the secondary node.
       If you have chosen to register a secondary Inline Posture node, no additional configuration needs to be performed at this point.
Step 7 Click Save.
       After a secondary node is registered successfully, you will receive an alarm on your Primary PAN that confirms a successful node registration. If the secondary node fails to register with the Primary PAN, the alarm is not generated. When a node is registered, the application server on that node is restarted. After successful registration and database synchronization, enter the credentials of the Primary PAN to log in to the user interface of the secondary node.

Note: In addition to the existing Primary node in the deployment, when you successfully register a new node, no alarm corresponding to the newly registered node is displayed. The Configuration Changed alarms reflect information corresponding to the newly registered nodes. You can use this information to ascertain the successful registration of the new node.

What to Do Next
• For time-sensitive tasks such as guest user access and authorization, logging, and so on, ensure that the system time on your nodes is synchronized.
• If you registered a Secondary PAN, and will be using the internal Cisco ISE CA service, you must back up the Cisco ISE CA certificates and keys from the Primary PAN and restore them on the Secondary PAN.

Administration Node

A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have a maximum of two nodes running the administration persona. The administration persona can take on any one of the following roles: Standalone, Primary, or Secondary.

High Availability for the Administrative Node

In a high-availability configuration, the Primary PAN is in the active state, which means that all configuration changes are made there. The Secondary PAN (backup PAN) is in the standby state, which means it receives all configuration updates from the Primary PAN. The secondary PAN is continuously synchronized with the Primary PAN.

If the Primary PAN goes down, you must log in to the user interface of the Secondary PAN and manually promote the Secondary PAN. There is no automatic failover for the Administration persona.
When the Primary PAN is down, sponsors cannot create new guest accounts. During this time, guest and sponsor portals will provide read-only access to already created guests and sponsors, respectively. Also, a sponsor who has never logged in to the sponsor portal before the Primary PAN goes offline, will not be able to log in to the sponsor portal until a Secondary PAN is promoted or the Primary PAN becomes available.

At least one node in your distributed setup must assume the Administration persona.

The following table lists a set of features and specifies whether they are available or not when the Primary PAN goes down.

Feature                                        | Available When the Primary PAN Goes Down (Yes/No)
-----------------------------------------------|--------------------------------------------------
Existing internal user RADIUS authentication   | Yes
Existing or New AD user RADIUS authentication  | Yes
Existing endpoint with no profile change       | Yes
Existing endpoint with profile change          | Yes
New endpoint learned through profiling         | Yes
Existing guest – LWA                           | Yes
Existing guest – CWA                           | Yes
Guest change password                          | No (Guest must log in with old password)
Guest – AUP                                    | Yes
Guest – Max Failed Login Enforcement           | No
New Guest (Sponsored or Self-registered)       | No
Posture                                        | Yes
New Device Registration                        | No
Existing Registered Devices                    | Yes
pxGrid                                         | No

Manually Promote Secondary PAN To Primary

If the Primary PAN fails and you have not configured PAN auto-failover, you must manually promote the Secondary PAN to become the new Primary PAN.

Before You Begin
Ensure that you have a second Cisco ISE node configured with the Administration persona to promote as your Primary PAN.

Procedure
Step 1 Log in to the user interface of the Secondary PAN.
Step 2 Choose Administration > System > Deployment.
Step 3 In the Edit Node page, click Promote to Primary.
       You can only promote a Secondary PAN to become the Primary PAN. Cisco ISE nodes that assume only the Policy Service or Monitoring persona, or both, cannot be promoted to become the Primary PAN.
Step 4 Click Save.

What to Do Next
If the node that was originally the Primary PAN comes back up, it will be demoted automatically and become the Secondary PAN. You must perform a manual synchronization on this node (that was originally the Primary PAN) to bring it back into the deployment.

In the Edit Node page of a secondary node, you cannot modify the personas or services because the options are disabled. You have to log in to the Admin portal to make changes.

Policy Service Node

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assume this persona. Typically, there would be more than one Policy Service node in a distributed deployment. All Policy Service nodes that reside in the same high-speed Local Area Network (LAN) or behind a load balancer can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes detect the failure and reset any URL-redirected sessions.

At least one node in your distributed setup should assume the Policy Service persona.

High Availability in Policy Service Nodes

To detect node failure and to reset all URL-redirected sessions on the failed node, two or more Policy Service nodes can be placed in the same node group. When a node that belongs to a node group fails, another node in the same node group issues a Change of Authorization (CoA) for all URL-redirected sessions on the failed node.

All the nodes within the same node group should be configured on the network access device (NAD) as RADIUS clients and authorized for CoA, because any one of them can issue a CoA request for the sessions that are established through any node in the node group. If you are not using a load balancer, the nodes in a node group should be the same as, or a subset of, the RADIUS servers and clients configured on the NAD. These nodes would also be configured as RADIUS servers.

While a single NAD can be configured with many ISE nodes as RADIUS servers and dynamic-authorization clients, it is not necessary for all the nodes to be in the same node group.
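The NAD-side requirement above (every node group member defined on the NAD both as a RADIUS server and as a dynamic-authorization client) can be audited from a saved device configuration. The following Python code is an added example, not part of the Cisco guide; it assumes IOS-style "radius server" and "aaa server radius dynamic-author" configuration with IPv4 addresses and no load balancer, and the addresses, key and node group membership are constructed sample data.

```python
import re

# Constructed IOS-style NAD configuration (sample data, not from the guide).
# 10.1.1.13 is defined as a RADIUS server but is missing from the
# dynamic-author (CoA) client list.
SAMPLE_NAD_CONFIG = """\
radius server ISE-PSN1
 address ipv4 10.1.1.11 auth-port 1812 acct-port 1813
 key EXAMPLE-SECRET
radius server ISE-PSN2
 address ipv4 10.1.1.12 auth-port 1812 acct-port 1813
 key EXAMPLE-SECRET
radius server ISE-PSN3
 address ipv4 10.1.1.13 auth-port 1812 acct-port 1813
 key EXAMPLE-SECRET
aaa server radius dynamic-author
 client 10.1.1.11 server-key EXAMPLE-SECRET
 client 10.1.1.12 server-key EXAMPLE-SECRET
"""

# Hypothetical node group membership, as an administrator would list it.
SAMPLE_NODE_GROUP = {"10.1.1.11", "10.1.1.12", "10.1.1.13"}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_nad(config):
    """Return (radius_servers, coa_clients) as sets of IPv4 strings."""
    servers, clients = set(), set()
    section = None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():  # a new top-level command starts
            if line.startswith("radius server "):
                section = "server"
            elif line.startswith("aaa server radius dynamic-author"):
                section = "coa"
            else:
                section = None
            continue
        sub = line.strip()
        if section == "server":
            m = re.match(r"address ipv4 " + IP, sub)
            if m:
                servers.add(m.group(1))
        elif section == "coa":
            m = re.match(r"client " + IP, sub)
            if m:
                clients.add(m.group(1))
    return servers, clients


def audit_node_group(config, node_group):
    """Report node group members the NAD would not accept in each role."""
    servers, clients = parse_nad(config)
    return {
        "missing_radius_server": sorted(node_group - servers),
        "missing_coa_client": sorted(node_group - clients),
        # CoA clients outside the group are permitted; listed for review only.
        "coa_clients_outside_group": sorted(clients - node_group),
    }


if __name__ == "__main__":
    report = audit_node_group(SAMPLE_NAD_CONFIG, SAMPLE_NODE_GROUP)
    for finding, nodes in report.items():
        print(f"{finding}: {nodes or 'none'}")
```

A node reported under missing_coa_client is one whose CoA for a failed peer's URL-redirected sessions the NAD would not accept, which defeats the purpose of placing it in the node group.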
The members of a node group should be connected to each other using high-speed LAN connection such as Gigabit Ethernet. The node group members need not be L2 adjacent, but L2 adjacency is highly recommended to ensure sufficient bandwidth and reachability. See Create a Policy Service Node Group, on page 50 section for more details.

Load Balancer To Distribute Requests Evenly Among PSNs

When you have multiple Policy Service nodes in the deployment, you can use a load balancer to distribute the requests evenly. The load balancer distributes the requests to the functional nodes behind it. Refer to the Cisco and F5 Deployment Guide: ISE Load Balancing using BIG-IP for information on and best practices about deploying PSNs behind a load balancer.
Session Failover in Policy Service Nodes

When a Policy Service node that has active URL-redirected sessions fails, the endpoints are stuck in an intermediate state. Even if the redirect endpoint detects that the Policy Service node that it has been communicating with has failed, it cannot re-initiate authorization.

If the Policy Service nodes are part of a node group, the nodes within a node group exchange heartbeat messages to detect node failures. If a node fails, one of its peers from the node group learns about the active URL-redirected sessions on the failed node and issues a CoA to disconnect those sessions.

As a result, the sessions are handled by another Policy Service node that is available in the same node group. The session failover does not automatically move the sessions over from a Policy Service node that has gone down to one that is available, but issues a CoA to achieve that.

The Policy Service nodes in a distributed deployment do not share their Machine Access Restriction (MAR) cache with each other. If you have enabled the MAR feature in Cisco ISE and the client machine is authenticated by a Policy Service node that fails, then another Policy Service node in the deployment handles the user authentication. However, the user authentication fails because the second Policy Service node does not have the host authentication information in its MAR cache.

Number of Nodes in a Policy Service Node Group

The number of nodes that you can have in a node group depends on your deployment requirements. Node groups ensure that node failures are detected and that a peer issues a CoA for sessions that are authorized, but not yet postured. The size of the node group does not have to be very large.

If the size of the node group increases, the number of messages and heartbeats that are exchanged between nodes increases significantly. As a result, traffic also increases. Having fewer nodes in a node group helps reduce the traffic and at the same time provides sufficient redundancy to detect Policy Service node failures.

There is no hard limit on the number of Policy Service nodes that you can have in a node group cluster.
Monitoring Node

A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the administration and Policy Service nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources. A node with this persona aggregates and correlates the data that it collects to provide you with meaningful information in the form of reports.

Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary Monitoring node.

At least one node in your distributed setup should assume the Monitoring persona. We recommend that you not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the node be dedicated solely to monitoring for optimum performance.

You can access the Monitoring menu from the PAN and the Primary Monitoring Node in your deployment.
Automatic Failover in Monitoring Nodes

The term automatic failover is used because high availability is not supported on Monitoring nodes in the true sense. For Monitoring nodes, operation audit data is duplicated by the Policy Service node(s), which then sends copies to both the primary and secondary Monitoring nodes.

Note: Monitoring is served from the primary (active) Monitoring node. Monitoring data is only served from the secondary (standby) Monitoring node when the active node is down. The secondary monitoring node is read-only.

Automatic Failover Process

When a primary Monitoring node goes down, the secondary Monitoring node takes over all monitoring and troubleshooting information. The secondary node provides read-only capabilities.

To convert the existing secondary node to an active primary node, the administrator must first manually promote the secondary node to a primary role. If the primary node comes back up after the secondary node has been promoted, it assumes the secondary role. If the secondary node was not promoted, the primary Monitoring node will resume its role after it comes back up.

Caution: When the primary node comes back up after a failover, obtain a backup and restore the data to update the primary node.

Guidelines for Setting Up an Active-Standby Pair of Monitoring Nodes

You can specify two Monitoring nodes on an ISE network and create an active-standby pair. When you register a secondary Monitoring node, we recommend that you back up the primary Monitoring node and then restore the data to the new secondary Monitoring node. This ensures that the history of the primary Monitoring node is in sync with the new secondary node as new changes are replicated. Once the active-standby pair is defined, the following rules apply:

• All changes must be made on the primary Monitoring node. The secondary node is read-only.
• Changes made to the primary node are automatically replicated on the secondary node.
• Both the primary and secondary nodes are listed as log collectors to which all other nodes send logs.
• The Cisco ISE dashboard is the main entry point for monitoring and troubleshooting. Monitoring information is displayed on the dashboard from the primary Monitoring node. If the primary node goes down, the information is served from the secondary node.
• Backing up and purging monitoring data is not part of a standard Cisco ISE node backup process. You must configure repositories for backup and data purging on both the primary and secondary Monitoring nodes, and use the same repositories for each.

Monitoring Node Failover Scenarios

The following scenarios apply to the active-standby or single node configurations corresponding to the monitoring nodes:

• In an active-standby configuration of the monitoring nodes, the Primary Administration Node (PAN) always points to the active monitoring node to collect the monitoring data. After the active monitoring node fails, the PAN points to the standby monitoring node. The failover from the active monitoring node to the standby monitoring node happens after it is down for more than 5 minutes.
  However, after the active node fails, the standby node does not become the active node. In case the active node comes up, the Administration node starts collecting the monitoring data again from the resumed active node.
• During the time that the active monitoring node is down, if you want to promote the standby monitoring node to active status, you must de-register the existing active monitoring node. When you de-register the existing active monitoring node, the standby node becomes the active monitoring node and the PAN automatically starts pointing to the newly promoted active node.
• In an active-standby pair, if you choose to de-register the standby monitoring node from the deployment or if the standby monitoring node goes down, the existing active monitoring node still retains the active node status. The PAN points to the existing active node for data collection.
• If there is only one monitoring node in the ISE deployment, then that node acts as the active monitoring node that provides monitoring data to the PAN. However, when you register a new monitoring node and make it the active node in the deployment, the existing active monitoring node automatically becomes the standby node. The PAN begins to point to the newly registered active monitoring node for collecting monitoring data.
pxGrid Node

You can use Cisco pxGrid to share the context-sensitive information from Cisco ISE session directory with other network systems such as ISE Ecosystem partner systems and other Cisco platforms. The pxGrid framework can also be used to exchange policy and configuration data between nodes like sharing tags and policy objects between Cisco ISE and third party vendors, and for other information exchanges. pxGrid also allows 3rd party systems to invoke adaptive network control actions (EPS) to quarantine users/devices in response to a network or security event. The TrustSec information like tag definition, value, and description can be passed from Cisco ISE via TrustSec topic to other networks. The endpoint profiles with Fully Qualified Names (FQNs) can be passed from Cisco ISE to other networks through an endpoint profile meta topic. Cisco pxGrid also supports bulk download of tags and endpoint profiles.

In a high-availability configuration, Cisco pxGrid servers replicate information between the nodes through the PAN. When the PAN goes down, pxGrid server stops handling the client registration and subscription. You need to manually promote the PAN for the pxGrid server to become active.

For XMPP (Extensible Messaging and Presence Protocol) clients, pxGrid nodes work in Active/Standby high availability mode which means that the pxGrid Service is in "running" state on the active node and in "disabled" state on the standby node.

After the automatic failover to the secondary pxGrid node is initiated, if the original primary pxGrid node is brought back into the network, the original primary pxGrid node will continue to have the secondary role and will not be promoted back to the primary role unless the current primary node goes down.

Note: At times, the original primary pxGrid node might be automatically promoted back to the primary role.

In a high availability deployment, when the primary pxGrid node goes down, it might take around 3 to 5 minutes to switch over to the secondary pxGrid node. It is recommended that the client waits for the switchover to complete, before clearing the cache data in case of primary pxGrid node failure.
The following logs are available for pxGrid node:

• pxgrid.log: State change notifications.
• pxgrid-cm.log: Updates on publisher/subscriber and data exchange activity between client and server.
• pxgrid-controller.log: Displays the details of client capabilities, groups, and client authorization.
• pxgrid-jabberd.log: All logs related to system state and authentication.
• pxgrid-pubsub.log: Information related to publisher and subscriber events.

pxGrid Client and Capability Management

Clients connected to Cisco ISE need to register to use the pxGrid services. pxGrid clients should adopt the pxGrid Client Library available from Cisco through the pxGrid SDK to become the clients. Cisco pxGrid clients need an approved account to participate in pxGrid services. Cisco ISE supports both auto and manual approvals. A client can log in to pxGrid using a unique name and certificate-based mutual authentication. Similar to the AAA setting on a switch, clients can connect to either a configured pxGrid server host-name or an IP Address.

Capabilities are information topics or channels created on pxGrid for clients to publish and subscribe. In Cisco ISE, only capabilities such as Identity, adaptive network control, and SGA are supported. You can enable or disable capabilities. If disabled, the client is unsubscribed. Capability information is available from the publisher through publish, directed query, or bulk download query.

Related Topics
Generate pxGrid Certificate

Enable pxGrid Clients

Before You Begin
• Enable the pxGrid persona on at least one node to view the requests from the Cisco pxGrid clients.
• Enable Identity Mapping. For more information, see Configure Identity Mapping, on page 46.

Procedure
Step 1 Choose Administration > pxGrid Services.
Step 2 Check the check box next to the client and click Approve.
Step 3 To view the capabilities, click View by Capabilities at the top-right.
Step 4 Click Refresh to view the latest status.

Cisco pxGrid Live Logs

The Live Logs page displays all the pxGrid management events. Event info includes the client and capability names along with the event type and timestamp.