
Using Group-Based Policy with ISE and Forescout
Kevin Regan, SDA Policy Team, IBNG
March 20

Group-Based Policy flow with ISE

- Define groups in DNA Center or ISE for protected apps / services and the endpoints that should access them
- Can observe traffic patterns between groups
- Leverage ISE infrastructure for geo-resilience and sharing of SGT data to security applications, with optimized policy management functions on DNA Center

[Diagram labels: ISE, SXP/pxGrid, Web Security, FirePower, ASA & 3rd party Appliance, SDA, Authentication, Authorization, Segmentation Policy (SGACL), RADIUS Accounting]

2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Group-Based Policy with Forescout

Using Forescout pxGrid Plugin: https://www.forescout.com/company/resources/pxgrid-plugin-configuration-guide-1-0-0/

“Forescout’s pxGrid Plugin integrates with existing Cisco ISE (Identity Services Engine) deployments so that you can benefit from Forescout visibility and assessment for policy decisions, while continuing to use ISE as an enforcement point. The pxGrid Plugin enables Forescout platform policies to detect ISE-related properties on endpoints, and to apply Cisco ISE ANC policies, including policies that assign Security Groups to devices.”

Integration Flow: Step 1

- RADIUS used to track endpoints
- NAC Session Directory shared over pxGrid
- Passive Monitoring

[Diagram labels: Cisco DNA-Center, NAC, ISE, SXP/pxGrid, Web Security, FirePower, ASA & 3rd party Appliance, RADIUS/MAB, SDA, Segmentation Policy (SGACL), RADIUS Accounting]

Integration Flow: Step 2

- Endpoint Classification from NAC
- RADIUS Change of Authorization applies SGT & VN
- Passive Monitoring

[Diagram labels: Cisco DNA-Center, NAC, ISE, SXP/pxGrid, Web Security, FirePower, ASA & 3rd party Appliance, RADIUS/MAB, SDA, Segmentation Policy (SGACL), RADIUS Accounting]

Integration Flow: Step 3

- Policy and Group Management (Cisco DNA-Center)
- Endpoint Classifications (NAC over SXP/pxGrid)
- SGT Assignment triggers Policy Download Request
- Passive Monitoring

[Diagram labels: Cisco DNA-Center, NAC, SXP/pxGrid, Web Security, FirePower, ASA & 3rd party Appliance, SDA, Segmentation Policy (SGACL), RADIUS Accounting]

Summary

Operation:
- ISE with open mode RADIUS/MAB is used to track endpoints
- Forescout subscribes to the ISE pxGrid session directory for endpoint data
- SGTs are created in ISE or DNAC for the roles needed
- Policies are created in ISE to map ANC labels to SGT assignments
- Forescout uses ANC to classify endpoints with the appropriate ANC label
- ISE assigns SGTs to endpoints based on ANC instructions
- Session directory is updated, so that all pxGrid clients are updated
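The summary flow as a small Python simulation, added here as an example; it is not Cisco, Forescout or ISE code, and the class and method names, ANC label names, SGT numbers and MAC/IP values are all constructed. It shows an open-mode MAB session starting unclassified, an ANC label applied by the NAC being mapped by an ISE ANC policy to an SGT, the resulting CoA being recorded, and every pxGrid subscriber receiving the updated session; a label with no matching ISE policy is rejected rather than silently leaving the endpoint unclassified.

```python
# Constructed simulation of the ISE/Forescout group-based policy flow.
# Not ISE, Forescout or pxGrid code: all names and values are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # constructed default for endpoints not yet classified

@dataclass
class Session:  # one entry in the ISE session directory
    mac: str
    ip: str
    sgt: int = UNKNOWN_SGT
    anc_label: Optional[str] = None

class IseSimulator:
    def __init__(self, anc_policies: Dict[str, int]):
        self.anc_policies = dict(anc_policies)        # ANC label -> SGT
        self.sessions: Dict[str, Session] = {}        # session directory
        self.coa_log: List[Tuple[str, int]] = []      # CoA sent to the NAD
        self.subscribers: List[list] = []             # pxGrid clients

    def radius_mab(self, mac: str, ip: str) -> Session:
        """Open-mode MAB: the endpoint is tracked but has no SGT yet."""
        s = self.sessions[mac] = Session(mac, ip)
        self._publish(s)
        return s

    def apply_anc(self, mac: str, label: str) -> Session:
        """NAC applies an ANC label; ISE maps it to an SGT, sends CoA, republishes."""
        if label not in self.anc_policies:
            raise ValueError(f"no ISE ANC policy for label {label!r}")
        if mac not in self.sessions:
            raise KeyError(f"{mac} has no active session to reauthorize")
        s = self.sessions[mac]
        s.anc_label, s.sgt = label, self.anc_policies[label]
        self.coa_log.append((mac, s.sgt))
        self._publish(s)
        return s

    def _publish(self, s: Session) -> None:
        for sub in self.subscribers:            # every pxGrid client sees it
            sub.append((s.mac, s.ip, s.sgt, s.anc_label))

def run_demo() -> Tuple[IseSimulator, list]:
    ise = IseSimulator({"ANC_Corp_Printer": 20, "ANC_Quarantine": 255})
    forescout_view, firewall_view = [], []         # two pxGrid subscribers
    ise.subscribers += [forescout_view, firewall_view]
    ise.radius_mab("00:11:22:33:44:55", "10.0.0.10")  # constructed values
    ise.apply_anc("00:11:22:33:44:55", "ANC_Corp_Printer")
    return ise, firewall_view
```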
