Cisco ISE Integration Guide

Overview

Cisco Identity Services Engine (ISE) is a network access control and policy enforcement platform that provides centralized authentication, authorization, and accounting (AAA) services. This guide will walk you through integrating Cisco ISE with NxtFireGuard using a Threat Feed Aggregator.

Prerequisites

  • Running Cisco ISE instance(s)
  • Administrative access to Cisco ISE
  • Network connectivity from Cisco ISE to your Threat Feed Aggregator

Integration Architecture

Cisco ISE logs security and authentication events via syslog. To integrate with NxtFireGuard, you'll use a Threat Feed Aggregator with Syslog to:

  1. Receive syslog events from Cisco ISE
  2. Parse and transform the data into NxtFireGuard's format
  3. Forward threat events to NxtFireGuard's ingestion endpoint

Syslog Configuration: The aggregator listens on UDP port 1025 for incoming syslog messages from Cisco ISE.

Multi-Device Setup

If you're aggregating multiple Cisco ISE nodes in a deployment:

  • Create a separate Threat Sensor for each ISE node you want to integrate
  • Each ISE node's hostname must match its corresponding Threat Sensor hostname

Setup Instructions

Step 1: Create or Configure a Threat Feed Aggregator

You have two options depending on your current setup:

Option A: Create a New Threat Feed Aggregator

If you don't have an existing aggregator, navigate to the Feed Aggregators section in your NxtFireGuard dashboard and create a new one:

  1. Click "Create Aggregator"
  2. Give it a descriptive name (e.g., "Cisco ISE Aggregator")
  3. Proceed through the setup wizard
  4. On Step 2, enable "Run Syslog Container"
  5. Complete the creation process

After creating your Feed Aggregator:

  1. Locate your newly created aggregator
  2. Click "Edit"
  3. Click "View Instructions"
  4. Follow the provided installation guide

Option B: Use an Existing Threat Feed Aggregator

If you already have a Threat Feed Aggregator (for example, if you're also using T-Pot or Cisco FTD), you can reuse it:

  1. Navigate to the Feed Aggregators section
  2. Locate your existing aggregator
  3. Click "Edit"
  4. Enable "Run Syslog Container" if not already enabled
  5. Save the changes
  6. Click "Logs" to verify the Syslog container started successfully

Note: A single Threat Feed Aggregator can run both Logstash and Syslog containers simultaneously, allowing you to aggregate data from multiple sources (e.g., T-Pot via Logstash, Cisco FTD via Syslog on port 514, and Cisco ISE via Syslog on port 1025) using the same aggregator.

Step 2: Configure Cisco ISE Syslog

Configure your Cisco ISE to forward syslog events to your Threat Feed Aggregator's address on UDP port 1025 (the port the aggregator's Syslog container listens on, as noted above).

Step 3: Create Threat Sensors

For each Cisco ISE node you're integrating:

  1. Navigate to Threat Sensors in NxtFireGuard
  2. Click "Add Sensor"
  3. Enter a name and set the hostname to match your ISE node hostname exactly
  4. Complete the sensor creation

Critical: The hostname must match what appears in the syslog messages from your Cisco ISE node.
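A quick way to confirm the hostname requirement before creating sensors is to pull the HOSTNAME field out of a few captured syslog lines and compare it against the sensor hostnames you intend to configure. The script below is an added example, not part of the NxtFireGuard product or documentation; the sample lines and sensor names are constructed, and the ISE message bodies are placeholders after the category name.

```python
import re
from typing import Dict, Iterable, Optional

# RFC 3164-style header as ISE emits it over UDP: <PRI>Mon DD HH:MM:SS HOSTNAME MESSAGE...
# The PRI field is optional because some relays strip it before forwarding.
_SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def syslog_hostname(line: str) -> Optional[str]:
    """Return the HOSTNAME field of a syslog line, or None if the header does not parse."""
    m = _SYSLOG_HEADER.match(line.strip())
    return m.group("host") if m else None


def check_sensor_match(lines: Iterable[str], sensor_hostnames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each distinct syslog hostname to the matching Threat Sensor hostname (None = no match).
    Matching is exact and case-sensitive, which is what the guide requires; an FQDN in
    syslog will therefore not match a short sensor hostname, and vice versa."""
    sensors = set(sensor_hostnames)
    result: Dict[str, Optional[str]] = {}
    for line in lines:
        host = syslog_hostname(line)
        if host is None:
            result.setdefault("<unparsed>", None)  # line without a usable header
            continue
        result[host] = host if host in sensors else None
    return result


# Constructed sample messages (not captured from a real ISE node). The second node reports
# an FQDN while the sensor was created with the short name, the mismatch this check exists to catch.
SAMPLE_LINES = [
    "<181>Mar 14 10:15:22 ise-psn-01 CISE_Passed_Authentications 0000123456 1 0 ...",
    "<181>Mar 14 10:15:23 ise-psn-02.example.local CISE_Failed_Attempts 0000123457 1 0 ...",
    "garbage line without a syslog header",
]

if __name__ == "__main__":
    configured = ["ise-psn-01", "ise-psn-02"]  # constructed Threat Sensor hostnames
    for host, matched in check_sensor_match(SAMPLE_LINES, configured).items():
        print(f"{host}: {'OK' if matched else 'NO MATCHING SENSOR'}")
```

Feed it real lines captured on the aggregator host and fix any sensor whose hostname comes back as NO MATCHING SENSOR before waiting on Step 4.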

Step 4: Verify Data Flow

After completing the setup:

  1. Wait 5-10 minutes for the pipeline to establish
  2. Navigate to Threat Events in NxtFireGuard
  3. Check for incoming events from your Cisco ISE node(s)

Additional Resources

Support

For issues specific to:

  • Cisco ISE Configuration: Refer to Cisco documentation and support
  • NxtFireGuard Integration: Contact NxtFireGuard support or check the documentation