Jason Kunst
Cisco Employee

Overview

The Cisco pxGrid Cloud Demo App is a simple application created to demonstrate pxGrid Cloud connecting to Cisco ISE. Cisco Employees, Partners and Integration Developing Partners may use the app to understand the basic pxGrid Cloud connection process and requirements.

There is also an additional Meraki Dashboard section to synchronize security group tags (SGTs) in ISE to adaptive policies. This requires access to a Meraki account and is intended for Cisco Field Employees and Partners to experiment with. Developing partners SHOULD bypass the Meraki section noted in the exercise. The Meraki dashboard (TBD) uses a different method of connectivity, and this is a POC used to showcase this app's capabilities. In the future we may have a more generic app better suited to the learning experience.


 

Access to the Cisco Cloud Demo App

The application service hosted on dCloud will not be shared for use outside of a dCloud environment. This allows us to properly support this effort and to minimize overhead. It is also not used for developing against pxGrid Cloud; there are resources available for that. See the pxGrid Cloud Community Page for more information on developing your own app service.

The Cisco Cloud Demo App is only available in a Cisco dCloud lab. Cisco Field and Partners should be able to schedule this demo themselves. For links to the demo content please visit Selling ISE Demos. Use one of the Cisco ISE Enterprise and Security Ecosystems Integrations demos.

For now if you would like to build your own application, depending on the audience, please contact us below.

For a tutorial on scheduling Cisco dCloud labs, see our video How to Schedule an ISE Demo in Cisco dCloud - For Cisco Sellers :

 

Cisco Cloud Demo App Instructions

Once you have gained access to the Cisco ISE pxGrid Demo Cloud lab in dCloud, you should see it in the respective data center under My Hub.

For connection to ISE, it is recommended to access the WebUI directly via direct IP access using your own browser.

 

Enable direct web access to ISE

  1. Launch WebRDP to WKST1-JUMP
  2. Use any browser (and the respective bookmark) to launch the ISE UI (credentials are cached).
  3. On ISE, go to ☰ > Administration > System > Admin Access > Settings > Access > IP Access
  4. Choose Allow all IP addresses to connect (or you may enter your range if you know it)
  5. Click Save

Note: Now you may access the ISE Web UI directly using the Public IP under dCloud Details. IP/creds hidden. See dCloud UI.


 

Enable pxGrid Cloud in ISE 3.1 Patch 4+

  1. Using the browser shortcut in the demo (or direct access to ISE), log in to ISE using the cached credentials (or the info in the dCloud network diagram)
  2. Go to ☰ > Administration > System > Deployment
    1. Select the ISE node(s) that you want to run the Cisco pxGrid and pxGrid Cloud services on.

      NOTE: this is already enabled, but these steps show you how to set it up.
      You may enable pxGrid and pxGrid Cloud on up to 4 ISE nodes

    2. Scroll down and enable
      pxGrid + Enable pxGrid Cloud
      Note: pxGrid Cloud requires Advantage licenses.

    3. Select Save (if needed)

  3. Go to ☰ > Administration > System > Settings > API Settings to enable the ISE REST APIs so they are available via Cisco pxGrid Cloud - NOTE: this is already enabled in your environment
    1. Select the API Service Settings tab
    2. Enable ERS (Read/Write)
    3. Enable Open API (Read/Write)
    4. Select Save
  4. Go to ☰ > Administration > pxGrid Services > Client Management
    1. Select pxGrid Cloud Connection
    2. Select Setup Connection which prompts you for an Authentication Token from the Cisco pxGrid Cloud
    3. You now need to add your ISE node in the Cisco pxGrid Cloud service.

 

Setup pxGrid Cloud Services @ DNA.cisco.com

  1. In a new browser window or tab, log in to https://dna.cisco.com

    If you cannot log in, send any problems you encounter to the dna.cisco.com team: Venkata Rallabhandi (rrallabh@cisco.com) and Ajit Nair (ajitna@cisco.com)

  2. After logging in, find the pxGrid Cloud offer and select Subscribe
    1. Choose the pxGrid Cloud region you want to use (there is only US WEST currently)
    2. Check the box to agree to the Cisco End User License Agreement and acknowledge the Cisco Privacy Statement
    3. Select Subscribe Offer
      You will now see the summary of your subscribed offers in the Cisco DNA Cloud which should include pxGrid Cloud
  3. Select Launch on the pxGrid Cloud offer tile which will launch you into https://pxgridcloud.cisco.com
  4. You may now select Register Cisco ISE to add your ISE node(s)
    1. Enter your ISE Node Name and Description
    2. Select Register
  5. Copy the generated OTP to enroll your ISE node
  6. Go back to your ISE GUI and enter the One-Time Password from dna.cisco.com and click Connect
  7. You should see the status in ISE change to Status: Connected: ise-node-name
  8. Your ISE is now registered with your pxGrid Cloud tenant for use with pxGrid Cloud apps.

 

Enable pxGrid Cloud Policy on ISE

  1. In ISE, select the Client Management > pxGrid Cloud Policy menu
  2. Under pxGrid Services, select all of the pxGrid topics that you would like to make available to all pxGrid Cloud services. Select all of the topics if you are not sure. Note: For this demo you don't need to choose any of them as it uses ERS APIs
  3. Enable the ERS APIs and choose Read Only or Read/Write depending on what you want to allow
  4. Enable the Open APIs and choose Read Only or Read/Write depending on what you want to allow
  5. Select Save

Your ISE deployment is now registered with your pxGrid Cloud tenant.

 

Connect the Cisco Cloud Demo App with your pxGrid Cloud Tenant

Setup the pxGrid Cloud Demo App Connector

  1. In the Cisco pxGrid Cloud site, dismiss the OTP dialog and you should see a tile with your registered ISE node
  2. Select ☰ > App Store to view the available applications to connect to your ISE node with pxGrid Cloud
  3. In the pxGrid Cloud Demo Application tile, select Connect to App
  4. Copy the OTP token for authentication of your Cisco Cloud Demo App instance (you can search for how to copy/paste into Guacamole to make this easier, or open the pxGrid Cloud UI inside your WebRDP session)

 

Connect the pxGrid Cloud Demo App to pxGrid cloud

  1. Navigate to WebRDP WKST1 - Open your instance of the Cisco Cloud Demo App 
    The Cisco Cloud Demo App is hosted on a Linux server in the dCloud demo. To view it, simply open a web browser (use a browser shortcut) to http://198.18.134.28:8080

    ⚠ You must use http and not https !

  2. Select the Configuration button, enter the OTP token, and select Connect Tenant

The pxGrid Cloud Demo App instance is now connected to your pxGrid Cloud tenant.

 

Activate the pxGrid Cloud Demo App Connector with your ISE deployment

Both your ISE deployment and Cisco Cloud Demo App instance are connected to your pxGrid Cloud tenant so the last step is to connect them.

  1. Go back to the pxgridcloud.cisco.com browser window and close the OTP Generated window.
    Now you should see a page with your product activations.
  2. Select your ISE deployment and click Activate for Products
    1. Confirm the app name, region and product(s) then select Next
    2. Choose Product Type: Cisco ISE
    3. Choose Product: your registered Cisco ISE deployment name
    4. Select Next (if you don't see this resize page)
    5. Scopes are not needed since we are using API and not pxGrid topics, click Next
    6. Review the Summary and select Activate App for Products
    7. Select the Check App Details button
    8. In the Product Activation table, you should see that your ISE node is Connected and Activated
      Validate pxGrid Cloud Demo App is connected and getting data

Validate the operation of the demo app

  1. Via WKST1-RDP > Go to the Cisco Cloud Demo App and reload the page and you should see your ISE node listed in the ISE Enrollment table
  2. Select the radio button next to your ISE node, then select Connect. Accept the warning to establish the connection for the app and tenant.
  3. You should get a Success message that ISE is connected to the Demo App!
  4. In the Cisco Cloud Demo App, select ☰ > Overview (or Overview in the header) and you should see the ISE Status update with the counts for your SGTs, ACLs and Egress Policy!

    Note: If you don't see the built in SGT (16) and ACL (4) then there is an issue with your connection. Please check your settings, connections, ERS Settings etc.
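
When the counts are missing, querying the ERS API on ISE directly shows whether the problem is on the ISE side (ERS disabled, wrong credentials) or in the pxGrid Cloud connection. The following is an added example, not part of the demo app or of Cisco's code. It assumes an ERS-enabled admin account, the ERS list resources sgt and sgacl, and port 443 (ERS has traditionally used 9060). The function names are hypothetical and the sample response is constructed.

```python
import base64
import json
import ssl
import urllib.request

# Built-in object counts the note above expects in the demo: 16 SGTs, 4 ACLs.
EXPECTED = {"sgt": 16, "sgacl": 4}

# Constructed sample of an ERS list response (shape only, not lab output).
SAMPLE_SGT = '{"SearchResult": {"total": 16, "resources": [{"name": "Employees"}]}}'

def ers_total(body):
    """Return SearchResult.total from an ERS list response given as JSON text."""
    return int(json.loads(body)["SearchResult"]["total"])

def fetch_total(host, user, password, resource, ca_file=None, port=443):
    """Ask ISE directly for /ers/config/<resource>; None means no usable answer."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:{port}/ers/config/{resource}?size=1",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"},
    )
    # Certificate checks stay on; pass the lab CA bundle via ca_file if needed.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return ers_total(resp.read().decode())
    except (OSError, KeyError, ValueError):  # network/TLS/HTTP error or bad JSON
        return None

def diagnose(counts):
    """Compare totals with EXPECTED and return a list of findings (empty = OK)."""
    findings = []
    for resource, want in EXPECTED.items():
        got = counts.get(resource)
        if got is None:
            findings.append(f"{resource}: no usable ERS answer; check API Settings and credentials")
        elif got < want:
            findings.append(f"{resource}: {got} returned, {want} built-in objects expected")
    return findings

if __name__ == "__main__":
    # Offline run on the constructed sample; in the lab, build the dict with
    # fetch_total(<ISE IP>, <user>, <password>, "sgt") and "sgacl" instead.
    print(diagnose({"sgt": ers_total(SAMPLE_SGT), "sgacl": None}))
```

If the direct query returns the expected totals but the demo app does not, the ERS side is healthy and the pxGrid Cloud Policy and product activation steps are the place to look.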

 

You were able to demonstrate the app retrieving information from ISE via REST APIs using pxGrid Cloud.

That's the end of the demo Cisco Cloud Demo App using Cisco pxGrid Cloud!

Resources

pxGrid Cloud

  • Cisco pxGrid Cloud requires ISE 3.1 Patch 4 or later
  • pxGrid Cloud Devnet Site - use this to get started developing your integration with pxGrid Cloud (this is for developing partners)

pxGrid On-Premise

Devnet

GitHub Repositories

Cisco Partnerships & Integrations

Demos

 

Support

Cisco Employees should send all questions to the ISE TME Thomas Howard.

 
