Use this guide to integrate Cisco Platform Exchange Grid (pxGrid) with SecureAuth IdP to create a begin site that leverages the user ID from the Cisco ISE authentication, eliminating the need to enter the user ID during the SecureAuth IdP workflow.
Cisco pxGrid allows multiple systems, and all of their context, to connect through a single interface. The pxGrid framework consists of the pxGrid controller and the pxGrid connection agent. The pxGrid controller uses the Cisco Identity Services Engine (ISE) to enable connectivity between platforms and to conduct contextual information sharing among them. The pxGrid connection agent – integrated in the partner platform – lets the partner platform communicate with the pxGrid controller to determine which information is shared with which partner platform.
The pxGrid integration with SecureAuth IdP requires a Java-based Windows service running in the Windows Server on the SecureAuth IdP appliance; a configured IdP realm; at least one configured pxGrid controller; and pertinent certificates that allow communications between SecureAuth IdP and Cisco ISE. The setup requires the pxGrid controller server(s) to be actively managing the organization's wireless access, as well as information about users on the wireless network, such as their user IDs and associated IP addresses.
In this setup, when an end-user is authenticated on a wireless network connected to an ISE server, the SecureAuth IdP pre-authentication page pulls the user's current IP address and sends it in a web service request to the Windows service (the pxGrid client). The client then reaches out to the ISE server to retrieve the username that is mapped to that IP address, and that username is returned to the pre-authentication page.
If the username is found, the pre-authentication page generates a preauth cookie and sends the user to SecureAuth.aspx, where SecureAuth.aspx extracts the username from the preauth cookie and continues with the configured workflow, skipping the initial username entry requirement. If the username is not found, the pre-authentication page redirects the user to the URL specified in the invalid persistent token redirect field (optional configuration step below).
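The following is an added example, not SecureAuth's or Cisco's code, that simulates the hand-off just described: the pre-authentication page looks up the client IP against the ISE session data, and either issues a preauth cookie and redirects to SecureAuth.aspx or falls back to the invalid persistent token redirect. The ISE session table, the redirect URL, the cookie secret and the cookie format (an HMAC-signed `username|expiry` payload) are all assumptions constructed for the example; the real Windows service and cookie format are not documented on this page. The point the example makes is that the username travels from the pre-authentication page to SecureAuth.aspx in a cookie, so SecureAuth.aspx must be able to verify that cookie's integrity and freshness rather than trust its contents as-is.

```python
"""Simulated pxGrid pre-authentication flow (added example, assumptions noted inline)."""
import base64
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of ISE session data (IP address -> authenticated user ID).
# In the real integration the Windows service (pxGrid client) retrieves this from ISE.
ISE_SESSIONS: Dict[str, str] = {
    "10.20.30.41": "jsmith",
    "10.20.30.42": "agarcia",
}

# Assumed values: the "invalid persistent token redirect" target, a server-side
# secret that integrity-protects the preauth cookie, and a short cookie lifetime.
INVALID_TOKEN_REDIRECT = "https://idp.example.com/secureauth1/unknown-user.aspx"
COOKIE_SECRET = b"constructed-demo-secret-do-not-reuse"
COOKIE_TTL_SECONDS = 60


def lookup_username(client_ip: str, sessions: Dict[str, str] = ISE_SESSIONS) -> Optional[str]:
    """Stand-in for the pxGrid client's ISE query: username mapped to client_ip, or None."""
    try:
        addr = ipaddress.ip_address(client_ip)  # reject anything that is not an IP address
    except ValueError:
        return None
    return sessions.get(str(addr))


def make_preauth_cookie(username: str, now: Optional[int] = None) -> str:
    """Assumed cookie format: base64(username|expiry) '.' HMAC-SHA256 over the payload."""
    current = int(time.time()) if now is None else now
    payload = f"{username}|{current + COOKIE_TTL_SECONDS}".encode()
    sig = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def username_from_preauth_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """What SecureAuth.aspx would do: verify the MAC and expiry before trusting the username."""
    current = int(time.time()) if now is None else now
    try:
        b64, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        text = payload.decode()
    except ValueError:  # covers malformed split, bad base64 (binascii.Error) and bad UTF-8
        return None
    expected = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    username, _, expires = text.partition("|")
    if not expires.isdigit() or int(expires) < current:
        return None
    return username or None


@dataclass
class PreAuthResult:
    redirect: str
    cookie: Optional[str] = None


def preauth_page(client_ip: str, sessions: Dict[str, str] = ISE_SESSIONS,
                 now: Optional[int] = None) -> PreAuthResult:
    """Decision taken by the pre-authentication page for one request."""
    username = lookup_username(client_ip, sessions)
    if username is None:
        # No ISE session for this IP: send the user to the configured fallback URL.
        return PreAuthResult(redirect=INVALID_TOKEN_REDIRECT)
    return PreAuthResult(redirect="SecureAuth.aspx", cookie=make_preauth_cookie(username, now))


if __name__ == "__main__":
    known = preauth_page("10.20.30.41")
    print(known.redirect, username_from_preauth_cookie(known.cookie))
    print(preauth_page("10.20.30.99").redirect)
```

Running the block shows the two outcomes: a known IP yields a redirect to SecureAuth.aspx with a cookie that verifies back to `jsmith`, while an unknown IP yields the fallback redirect and no cookie. A tampered or expired cookie verifies to `None`, which is the case SecureAuth.aspx should treat as "username not found".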
1. Have Cisco pxGrid installed in the wireless environment
2. Import one trusted Root Certificate for each pxGrid controller server used to the Trusted Root Certification Authorities store folder, which is used by SecureAuth IdP to trust the ISE controller server(s)
3. Have the pxGrid client private key certificate, which can either be the SecureAuth IdP appliance certificate (out-of-the-box) or a third-party certificate
If using a third-party certificate, then import this certificate to the client keystore folder on the SecureAuth IdP appliance
4. Import the matching public key certificate from SecureAuth IdP or the third-party to each ISE controller server to be used – this certificate is used by the ISE controller server to trust the SecureAuth IdP appliance
Cisco and SecureAuth each recommend using the default self-signed certificates that come with the product/appliance. SecureAuth IdP integrations with Cisco ISE only support certificates supplied by Cisco.
5. Install the Java service in the Windows Services console on the SecureAuth IdP appliance to enable SecureAuth IdP to run as a Windows service on the Windows Server (Download)
The minimum supported version of the Java Runtime Environment (JRE) is Java 8 (1.8.0_XX)
To Install the SecureAuth pxGrid Server as a Windows Service:
Locate the same instructions in the README file in the pxGridService-0.1.0.zip folder
1. Install Java: either the 64-bit JRE (preferred) or the 32-bit JRE
2. Unzip pxGridService-0.1.0.zip. Note that the default "Log on as" Windows service user, "Local System account", needs write access to the unzipped folder
3. Install the Windows service: run pxGridService-0.1.0/bin/installService.bat
4. Make sure that the Windows Firewall configuration allows the Java process started by "Local System account" to connect to the Cisco ISE server nodes
5. Start the installed Windows service: "secureauthPxGridService"
Check the log files in pxGridService-0.1.0/bin if there are any issues
6. The log file is located in pxGridService-0.1.0/bin/logs
6. Create a New Realm in the SecureAuth IdP Web Admin for the Cisco pxGrid integration
7. Configure the following tabs in the Web Admin before configuring Cisco ISE:
Overview – the description of the realm and SMTP connections must be defined
Data – an enterprise directory must be integrated with SecureAuth IdP
Workflow – the way in which users access the target must be defined
Multi-Factor Methods – the 2-Factor Authentication methods that are used to access the target (if any) must be defined