Integrating  LiveAction  NX  with  Cisco  ISE  via  pxGrid    

By  James  Gilarte,  Cisco  SE.    As  the  evolution  of  the  network  continues  to  evolve  to  a  more  software  driven  architecture  it’s  important  to  understand  who  is  on  the  network,  what  type  of  applications   are   running   over   the   network   as   well   as   how   is   the   network  operating   overall.   LiveAction’s   LiveNX   collects   and   analyses   real-­‐time   data  directly   from   any   network   device   (routers,   switches,   firewalls   etc.)   providing  insights  to  plan,  diagnose  and  optimize  the  environment  to  deliver  application  assurances.      Integrating  LiveNX  with  Cisco’s  Identity  Services  Engine  via  pxGrid  allows  LiveNX  the  ability  to  gain  the  insights  into  user  application  performance  on  the  network.  Giving   them   deep   visibility   and   control   of   application   path   optimization   and  assurance.    This  blog  post  will  highlight  the  steps  on  how  to  get  the  two  platforms  integrated  using  pxGrid.    Step  1.  Installing  the  pxGrid  SDK  Step  2.  Using  Sample  Certificates  from  SDK  for  pxGrid  Step  3.  Allow  password-­‐based  account  creation  Step  4.  Account  creation.  Step  5.  Integration  between  LiveNX  and  ISE    Below  is  an  example  of  the  topology  used.    

   Step  1:  Installing  the  pxGrid  SDK    •   Download  the  Cisco  pxGrid  SDK  from  developer.cisco.com  (link  here)  and  untar  the  file    

Cisco ISEIP: 10.10.10.100

Live NXIP: 10.10.10.111 PxGrid

 

•   The   ../samples/cert   folder   will   contain   the   sample   certificates   for   running   the   pxGrid  scripts.  

•   The  ../samples/bin  folder  will  contain  the  sample  pxGrid  “Java”  scripts.    •   To  run  these  scripts,  the  Oracle  Java  Development  Kit  is  required  (download  if  required).    

Step  2:  Using  Sample  Certificates  from  SDK  for  pxGrid  testing    •   Navigate  to  the  certs  folder  in  the  pxGrid  SDK  file  that  was  just  downloaded.  

 

   

 •   Log  into  ISE  and  upload  the  rootSample.cert  to  the  ISE  pxGrid  Node.  This  serves  as  the  

trusted  certificate.  Navigate  to  Administration>System>Certificate  Management>Trusted  Certificates>Import  

 

   

 

•   Upload  the  rootSample.cert  file.  Give  the  certificate  a  friendly  name.  In  this  instance  we  will  use  “PxGrid  –  Live  Action”.  Also  ensure  that  “Trusted  for  authentication  within  ISE”  is  enabled.  

 

     

   •   Upload  the  iseSample.crt  file  into  the  ISE  system  certificate  store    

   •   Import  the  iseSample.crt  file  along  with  iseSample1.key.  This  serves  as  the  pxGrid  client  

identity  certificate.  In  this  example  the  password  will  be  “cisco123”.  Make  sure  that  the  certificate  is  enabled  for  usage  for  pxGrid.  

 

   Step  3:  Allow  password-­‐based  account  creation    

•   In  order  to  create  users  using  pxGrid  we  must  enable  the  “Allow  password  based  account  creation”  under  pxGrid  services    

   Step  4:  Account  creation    •   On  your  local  terminal  create  an  account.  

o   Go  to  the  pxgrid  sdk  and  navigate  to  the  /samples/bin  folder    

   •   Set  JAVA_HOME  by  executing  “export  JAVA_HOME=/usr/bin”    

   •   Execute   the   follow   command   in   order   to   create   an   account  

“./samples/bin/create_account.sh  -­‐a  10.10.10.100  (ISE  SERVER  IP)  -­‐u  liveaction  (newuser)  -­‐t  /samples/cert/rootSample.jks  -­‐q  cisco123”  

•   response  of  above  script  is  as  below  -­‐-­‐-­‐-­‐-­‐-­‐-­‐  properties  -­‐-­‐-­‐-­‐-­‐-­‐-­‐    

version=2.0.0.14  hostnames=10.10.10.100  username=liveaction  password=  group=Session  description=null  keystoreFilename=/Applications/iseself/pxGrid-­‐sdk-­‐1.0.3.37/samples/certs/clientsample1.jks  keystorePassword=cisco123    

truststoreFilename=maccertroot.jks  truststorePassword=cisco123  -­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐  HTTP  status=OK    

password:  O3yt1cKDE89OBIT1    

•   Please  note  down  the  password  mentioned  at  the  end  of  the  response  and  on  the  basis  of  above  response.  You  will  use  those  credentials  to  integrate  LiveNX  and  ISE    

In  our  example  we  will  use  the  username/password  combination  below    

User:  liveaction    

Password:  O3yt1cKDE89OBIT1    

•   Subscribe  the  session  to  begin  the  integration  by  entering  the  following  command  on  the  terminal    “./samples/bin/session_subscribe.sh  -­‐a  10.10.10.100  -­‐u  liveaction  -­‐t  /samples/cert/rootSample.jks  -­‐q  cisco123”      

•   Go  back  into  the  ISE  portal  and  navigate  to  the  pxGrid  Services.  You  will  see  the  pxGrid  client  name  we  just  created.  Select  client  and  hit  approve.    

 

Step  5.  Integration  between  LiveNX  and  ISE    

•   Log  into  the  LiveNX  web  client  and  navigate  to  Integrations.  

 

   

•   Select  Cisco  ISE  and  enter  the  hostname  of  the  ISE  server  with  the  pxGrid  client  credentials  we  created  in  step  4.  In  this  example  our  ISE  server  is  10.10.10.100  with  the  username/password  of:  User:  liveaction    Password:  O3yt1cKDE89OBIT1      

   

•   Hit  Save.  You  will  see  that  the  integration  was  successful  when  the  status  reads  “Connected”  as  shown  below  

   

•   Navigate  to  “Network  Users”  where  you  will  see  the  user  information  being  pulled  from  ISE  for  their  respective  flows.