How to Configure Security Group Tags (SGTs)
If you run a Cisco Identity Services Engine (ISE) and use Security Group Tags (SGTs) to classify traffic in a Cisco TrustSec network, the CloudGen Firewall can control that traffic by synchronizing the tag information it needs with the ISE servers over pxGrid.
The Security Group Tag feature supports only pxGrid 2.0, which in turn requires ISE version 2.4 or higher.
1. Prepare the Configuration on the ISE Server
For SGT authentication on the CloudGen Firewall to work, the ISE server must be operational and configured to work together with the CGF.
The following basic steps prepare the ISE server:
On the Cisco ISE server, go to Administration > System > Deployment > Edit Node > General Settings.
Enable the Policy Service, and within it, enable the SXP Service.
On the same page, enable the pxGrid service and save the settings.
Go to Administration > pxGrid Services > Client Management > Certificates and generate a single certificate (without a certificate signing request) using BN-CGF as Common Name (CN). Note the certificate's password.
Download the zip file to your computer, unzip it, and go to the folder with the unzipped files.
Use the password you noted to decrypt the client key (the password is given after pass: in the -passin argument; -traditional writes the key in PKCS#1 format):
openssl rsa -in client_BN-CGF.key -out client_BN-CGF.decrypted.key -traditional -passin pass:
Note: The decrypted key is an unprotected private key. Keep the file readable only by your own user and delete the local copies once the key has been uploaded to the firewall.
2. How to Configure Security Group Tags on the CloudGen Firewall
After finishing the previous steps on the ISE server, perform the following steps on the CloudGen Firewall.
Log into the firewall.
Go to CONFIGURATION > Config Tree > Infrastructure Services > Authentication Service > Security Group Tags.
Click Lock.
For Activate Scheme, select Yes.
For Cisco ISE pxGrid Nodes, click the green '+' to add an ISE pxGrid node.
The Cisco ISE pxGrid Nodes window is displayed.
Enter the name for your ISE pxGrid Node.
Click OK.
The Cisco ISE pxGrid Nodes : <your pxGrid node> configuration window is displayed.
For Cisco ISE pxGrid Node, enter the fully qualified name (host name and domain) of the ISE node that provides the pxGrid service, exactly as it appears in that node's certificate.
For Root certificate, select the file CertificateServicesEndpointSubCA-*.cer as root certificate.
Note: Either the client certificate or the root certificate can be used here. If you take the certificate from the Certificate Store, however, only the root certificate can be used.
For Username, enter the user name for authentication to the pxGrid node.
Option #1: Authenticate to the pxGrid node via certificate:
For Client key, select client_BN-CGF.decrypted.key as the private key from the list.
For Client certificate, select client_BN-CGF.cer as the client certificate.
Option #2: Authenticate to the pxGrid node via username/password:
For Password, enter the password for establishing the pxGrid connection.
Click OK.
Click Send Changes/Activate.
On the firewall, check the logs (Box > Control > AuthService_sgt). At this point the log shows the firewall's registration attempt with the pxGrid node; the connection cannot be completed until the client has been approved on the ISE server in the next step.
3. Complete the Configuration on the ISE Server
On the ISE server, go to Administration > pxGrid Services > Client Management > Clients. The client you configured should be listed with the status "Pending". Select and approve it, and make sure that the Status column then shows "Enabled".
On the firewall, make sure that the logs (Box > Control > AuthService_sgt) show the expected activity and no warnings or errors.