Configuring NACs

Configure Cisco Identity Services Engine (ISE) pxGrid NAC. After a NAC is configured, you can begin to quarantine endpoints.

To create or edit NAC configurations, you must have the Network Quarantine Administrator role. See User role requirements.

Cisco Identity Services Engine (ISE) pxGrid NAC

To configure a Cisco ISE pxGrid NAC, you can use either self-signed certificates or certificates issued by the pxGrid certificate service in ISE. After you configure the NAC, you can quarantine specific MAC addresses by using the Adaptive Network Control (ANC) policies that are configured in ISE.

You can log in to ISE with the user interface, or with SSH.

Create server and client self-signed certificates

ISE can work with self-signed certificates for both server authentication and client authentication.

  1. Get the self-signed server certificate from ISE. In the ISE UI, go to Administration > Certificates > System Certificates and export the public certificate that ISE uses for pxGrid. You do not need the server's private key.
  2. Generate a self-signed certificate for the client.
    1. See Cisco Communities: Deploying Certificates with pxGrid.
    2. In the ISE UI, go to Administration > Certificates and import the client certificate into the Trusted Certificates section so that ISE trusts the Network Quarantine client.
  3. If you changed pxGrid certificates, restart the ISE server. See Cisco ISE Client Commands: Start/stop commands.
  4. Make sure that you have the server certificate, client certificate, and client key to create the certificate configuration in Network Quarantine.
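The following script is an added example, not part of the Tanium or Cisco documentation. It covers step 2 (generate the client certificate and key) and step 4 (confirm you have usable files) of the self-signed procedure with OpenSSL, and adds the checks worth running before you upload anything: that the private key matches the certificate, that the certificate carries the clientAuth extended key usage (assumed to be what ISE expects for a pxGrid client), and that it is not expired. The client name `nq-client`, the two-year validity, the PEM file format, and the pxGrid port 8910 used by the optional fetch helper are assumptions; adjust them for your deployment.

```shell
#!/bin/sh
# Added example (not Tanium or Cisco code): create a self-signed pxGrid client
# certificate and run pre-upload checks. Assumptions: OpenSSL 1.1.1 or later,
# PEM files, client name "nq-client", 730-day validity.
set -eu

# make_client_cert DIR NAME
#   Writes DIR/NAME.key and DIR/NAME.crt. The key is the credential ISE will
#   authenticate, so it is created with mode 0600; keep it off shared storage.
#   The key has no passphrase; add -aes256 to genpkey if you want one (Network
#   Quarantine then needs the passphrase when you upload the key file).
make_client_cert() {
  dir=$1; name=$2
  mkdir -p "$dir"
  (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/$name.key" 2>/dev/null)
  openssl req -new -x509 -key "$dir/$name.key" -out "$dir/$name.crt" \
      -days 730 -subj "/CN=$name" \
      -addext "extendedKeyUsage=clientAuth" \
      -addext "keyUsage=digitalSignature,keyEncipherment" 2>/dev/null
}

# key_matches_cert KEY CRT
#   Succeeds only when the public key inside the certificate is the public key
#   of the private key file (compared as SHA-256 of the DER encoding).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# has_client_auth CRT
#   Succeeds when the certificate carries the TLS client authentication EKU.
has_client_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "TLS Web Client Authentication"
}

# not_expired CRT
#   Succeeds when the certificate is still within its validity period now.
not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# fetch_pxgrid_cert HOST [PORT]
#   Prints the certificate ISE presents on the pxGrid port so you can compare it
#   with the export from Administration > Certificates > System Certificates.
#   Port 8910 is assumed (pxGrid 2.0); older XMPP-based pxGrid used 5222.
#   Needs network access, so it is not part of the offline checks below.
fetch_pxgrid_cert() {
  openssl s_client -connect "$1:${2:-8910}" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# preflight DIR NAME
#   Generates the client files and runs every offline check; returns non-zero
#   and names the failing check if any of them fails.
preflight() {
  make_client_cert "$1" "$2"
  key="$1/$2.key"; crt="$1/$2.crt"
  key_matches_cert "$key" "$crt" || { echo "key does not match certificate" >&2; return 1; }
  has_client_auth "$crt"         || { echo "missing clientAuth EKU" >&2; return 1; }
  not_expired "$crt"             || { echo "certificate expired" >&2; return 1; }
  echo "ready to upload: $crt (to ISE Trusted Certificates and Network Quarantine), $key (Network Quarantine only)"
}

# Usage: sh pxgrid-client-cert.sh ./certs nq-client
if [ $# -gt 0 ]; then
  preflight "$@"
fi
```

Upload the `.crt` file to ISE under Trusted Certificates and to Network Quarantine as the Client Certificate together with the `.key` file; the private key never goes to ISE.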

Generate a signed certificate

Generate a pxGrid certificate in ISE to upload as the server certificate chain when you configure the NAC in Network Quarantine.

  1. In the pxGrid UI, go to Administration > pxGrid Services > Certificates. Generate a single certificate (without a certificate signing request). For the Common Name (CN), use any identifying value, such as a host name or IP address. Choose the PEM download format. Enter a password for the certificate; it protects the private key in the download.
  2. Click Create to download a ZIP file that contains the certificate files. Extract this ZIP file to get the server certificate that you upload to Network Quarantine.

Configure certificates in Network Quarantine

Create the client and server certificates in Network Quarantine.

  1. From the Network Quarantine menu, go to Configuration > Certificates.
  2. Create the client certificate.
    1. Click Create Certificate.
    2. Specify a name for the certificate.
    3. For Certificate Type, select Client Certificate.
    4. Upload the client certificate and key files.
    5. If required, provide the passphrase for the private key file.
    6. Click Save.
  3. Create the server certificate.
    1. Click Create Certificate.
    2. Specify a name for the certificate.
    3. For Certificate Type, select Server Certificate / Certificate Chain.
    4. Upload the pxGrid certificate that you created in the pxGrid web admin UI. Click Save.

Configure pxGrid NAC

  1. From the Network Quarantine menu, go to Configuration > NACs > Create NAC.

  2. Specify a display name.
  3. For the NAC Type, select Cisco ISE pxGrid NAC.
  4. In the Options section, select Start on Service Startup to restart the NAC when the Network Quarantine service restarts. Select Enabled to enable and start the NAC.
  5. Specify the Cisco ISE pxGrid NAC connection details.
    1. Specify the pxGrid User Name and pxGrid URI.

      Do not modify the default pxGrid Bind Resource, pxGrid Domain, or pxGrid Capabilities values without guidance from Tanium or Cisco Support.

    2. If you are using a self-signed certificate, clear Check Server Identity. Clearing this setting skips the check that the name in the pxGrid server certificate matches the host in the pxGrid URI, so clear it only when that name does not match; trust in the server then rests entirely on the Server Certificate Chain that you configure.
    3. For the Client Certificate, select the client certificate that you configured.
    4. For the Server Certificate Chain, select the server certificate that you configured.

  6. (Optional) Update the IQ Timeout and Refresh Interval settings.
  7. Start the NAC. Select the NAC from the list and click Start.

To edit NAC settings, you must stop the NAC first.

What to do next

After you configure a NAC in Network Quarantine, you can begin to quarantine endpoints. See Quarantining endpoints.