In this article I want to show how to integrate FMC 6.2.2 with ISE 2.2 (patch 5) using an external CA. This integration is needed when you want to share information between those devices so that FMC can use ISE's information to protect the network. Cisco calls this pxGrid.
Anyway, I don’t want to discuss it further and want to show the actual steps I did in my own lab. I have two ISE nodes and two Windows Server 2008 R2 servers; one runs the Certificate Authority service and the other acts as AD/DNS/DHCP. The IP addresses are as follows and all use a /24 mask.

Domain name: xinmix.local
AD/DNS/DHCP: 192.168.51.152
AD CA server: 10.1.204.154
ISE 1: 10.1.204.168 , ise1.xinmix.local
ISE 2: 10.1.204.166 , ise2.xinmix.local
FMC: 10.1.204.174 , firepower.xinmix.local

First of all, check that the time on all devices is the same; the best way is to configure NTP on all of them. Then create the needed A records on the DNS server (mine are listed above). The devices should be able to ping each other by IP or by name.

The overall process could be described like this:

1. Importing root CA certificate on ISE1, which is my primary PAN.
2. Creating a special certificate template on Windows CA server for pxGrid.
3. Importing root CA certificate on FMC.
4. Creating a CSR on FMC & copying it along with the private key to a PC.
5. Submitting the CSR to the root CA, getting a certificate for FMC & importing it into the FMC database.
6. Creating a CSR on ISE that is going to be used just for pxGrid.
7. Enabling pxGrid service on ISE.
8. Creating a realm on FMC & establishing pxGrid communication between ISE & FMC.

So let’s begin.

Step 1: Importing root CA certificate on ISE1, which is my primary PAN.
To import the root CA certificate onto ISE, it first needs to be downloaded to a PC. Using a web browser, go to http://10.1.204.154/certsrv and log in using a domain admin account. Then click on the Download a CA Certificate, Certificate Chain or CRL link and press Download CA Certificate. In this lab I named the downloaded file “XINMIX-Root-CA-certificate.cer”.
On ISE go to Administration > Certificates > Trusted Certificates and press the Import button. Click on Browse, select the downloaded file and enable only the “Trust for authentication within ISE” option. The name of the root CA certificate should now be shown on the page.

Step 2: Creating a special certificate template on Windows CA server for pxGrid.
On the Windows root CA server, open the Certification Authority console from the Administrative Tools menu. Click on the name of the server, right-click on Certificate Templates and choose Manage.
A new console named “Certificate Templates” appears. Right-click on the User template, select Duplicate Template and then Windows Server 2003 Enterprise. I’m going to paste screenshots of the important tabs here.

Request Handling tab

On the General tab, disable the Publish Certificate in Active Directory option.

Subject Name tab

On the Extensions tab click on Application Policies, then press Edit and then Add. Choose Server Authentication and press OK.

Adding Server Authentication usage to the template

As you see, the Make This Extension Critical option is left disabled. At the end, the Extensions tab should look like this.

Extensions tab

Go back to the Certification Authority console, right-click on Certificate Templates and choose New > Certificate Template to Issue. Select our new template and press OK.

Making new template ready to publish

As seen, our new template name is “TCERT-TEMP”.

Step 3: Importing root CA certificate on FMC.

On the FMC administration web page go to Objects > Object Management, expand the PKI node and select Trusted CAs. Then click on the Add Trusted CA button at the top and select the root CA certificate that has already been downloaded to our PC.

Step 4: Creating a CSR on FMC & copying it along with the private key to a PC.
In this step, SSH to FMC and run the following commands.

admin@firepower:~$ openssl genrsa -des3 -out newkey.key 4096
Generating RSA private key, 4096 bit long modulus
.........
........................
e is 65537 (0x10001)
Enter pass phrase for newkey.key: Pswrd123
Verifying - Enter pass phrase for newkey.key: Pswrd123


admin@firepower:~$ openssl req -new -key newkey.key -out newcsr.csr
Enter pass phrase for newkey.key: Pswrd123
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code []:.
State or Province Name []:.
Locality Name []:.
Organization Name []:.
Organizational Unit Name []:.
Common Name []:firepower
Email Address []:.

The first command generates a private key on FMC (newkey.key) and the second one creates a CSR based on that key (newcsr.csr). If you run the “dir” command on FMC you will see those files.
Copy “newcsr.csr” and “newkey.key” to your PC using a program like WinSCP or SecureFX. I used the latter.

Copying files from FMC to local PC

Step 5: Submitting the CSR to the root CA, getting a certificate for FMC & importing it into the FMC database.
Open the “newcsr.csr” file using Notepad & copy all of its contents. Then open a browser and go to the root CA server web page. Click on the “Request a Certificate” link. Then paste the copied contents of “newcsr.csr” into the empty field and choose our newly added certificate template from the menu.

Requesting a certificate using new template

Click on the Submit button. If your Windows CA server has been configured to approve new requests automatically, you’re good to go; otherwise you need to go to the Certification Authority console on the Windows CA server and approve it first.
Download the certificate using the web browser in Base 64 format onto your PC. To upload this certificate, signed using our new template and issued to the FMC, open the FMC administration web page, go to Objects > Object Management > PKI > Internal Certs and click on Add Internal Certificate. You will see this page:

Importing certificate onto FMC

As described on the image, fill in the fields and then press Save.

Step 6: Creating a CSR on ISE that is going to be used just for pxGrid.
Back on ISE, we need to accomplish the same task there too: generating a CSR and getting a certificate for it. The following page shows my own; fill it in based on your information.

Generating a CSR on ISE for pxGrid

As you see, this certificate is going to be used just for pxGrid. I’m using a separate certificate for the other usages, including Admin, RADIUS, EAP Authentication and Portal.
Using a wildcard certificate can make your task easier and it is OK to use one here. The value entered in the CN field can be any arbitrary value and you don’t need to create an A record for it. As we did for FMC, use the web browser and download the certificate onto your PC in Base 64 format. To import that certificate onto ISE, click on Certificate Signing Requests, select the CSR and press Bind. Select the downloaded certificate and press OK.
The page should now look something like this:

System certificates on ISE

Step 7: Enabling pxGrid service on ISE.
On ISE go to Administration > System > Deployment and click on your ISE node name. Then at the bottom of the page, enable the checkbox for pxGrid if it is disabled. Save the configuration.

Step 8: Creating a realm on FMC & establishing pxGrid communication between ISE & FMC.
On FMC, go to System > Integration and click on the Realms tab. Add a new realm by pressing the Add Realm button at the top right corner of the page. A page appears; fill in the necessary information and click on OK. The following is my own:

Adding new realm on FMC

Clicking on Test AD Join may be unsuccessful at this point; that is not important yet. Click on the Directory tab and fill in the IP address of the AD server as shown in the following image:

Setting up the AD join point

After saving the configuration, you will need to enable this join point. You can do this by clicking on the button under State.

Enabling the AD join point

This time clicking on Test AD Join will probably succeed without any issue. At this point you can download AD users and groups onto the FMC database by clicking on the realm name and going to the User Download page (if the test was unsuccessful, continue reading the rest of the article).

Now, at the final step, you might need to switch to ISE and accept the pxGrid connection established from FMC to ISE, if ISE has not been set up to accept them automatically.

Accepting pxGrid connections on ISE

Wait a while (2~3 minutes) and then test again. If it was successful the page should look like this:

Successful pxGrid communication between ISE & FMC

The procedure described in this article is just one of the methods of configuring pxGrid. I used an external root CA to issue certificates to all of the devices in my lab, but you can use ISE self-signed certificates and its internal CA. You can even mix the two methods, because the usages of the certificates on ISE are separate from each other. As seen in our example, I used a separate certificate for pxGrid and a combination of the others (Admin, Portal, RADIUS, EAP).


How to use pxGrid to integrate ISE with FMC using external CA