Day 84 – Cisco ISE Mastery Training: Configuring pxGrid Between ISE & FMC




Introduction

Cisco Identity Services Engine (ISE) and Firepower Management Center (FMC) form a powerful threat-centric NAC ecosystem when integrated via pxGrid.

  • ISE provides contextual identity information: user, device type, compliance posture, SGT tags, authentication status.
  • FMC consumes this data via a pxGrid session subscription, enabling Dynamic Access Control and Threat Response in real time.

But here’s the reality:

  • pxGrid integrations are certificate-driven,
  • rely heavily on mutual trust between ISE and FMC, and
  • require correct client registration and policy mapping.

In production, engineers often struggle with cert trust failures, pxGrid client not connecting, SGT not being seen in FMC, or session updates not flowing.
That’s where this Troubleshooting Workbook becomes your go-to lab bible.


Problem Statement

Firewalls that only know IP addresses can’t enforce who/what policies or react quickly to compromised endpoints. Manual blocks are slow, identities roam, and containment is inconsistent. We need secure, low-latency context sharing from ISE to FMC so FTD can enforce user/SGT/posture-aware rules and react to ANC (quarantine) immediately.


Solution Overview

ISE pxGrid 2.0 exposes publish/subscribe topics over mutual-TLS (TCP/8910). ISE publishes identity sessions, SGTs, posture & ANC events; FMC subscribes and pushes appropriate Access Control decisions to FTD. You’ll:

  • Harden certificates & trust (ISE CA ↔ FMC pxGrid client cert).
  • Approve FMC as a pxGrid client and authorize topics.
  • Enable Session Directory, TrustSec (SGT), and ANC publishing.
  • Build FMC Identity/SGT rules.
  • Validate end-to-end: ISE → pxGrid → FMC → FTD enforcement (including ANC Quarantine).

Sample Lab Topology

Platform: VMware ESXi / Workstation or EVE-NG.

Nodes

  • ISE 3.2/3.3 (PAN+PSN+MnT; pxGrid persona enabled on a PSN)
  • FMC 7.x (managing FTD 7.x)
  • Catalyst 9300 (17.x) as access switch (802.1X/MAB, CoA, dACL/SGT)
  • WLC 9800-CL (for wireless validation; optional)
  • AD DS (users/groups)
  • Endpoints: Windows 10/11 laptop, Linux client

Text Diagram

Pre-Req Checklist

  • DNS A/PTR for ISE & FMC; use FQDN everywhere
  • NTP aligned (ISE, FMC, FTD, Cat, WLC, AD)
  • ISE Internal CA (or Enterprise PKI) available
  • RADIUS AuthZ + CoA proven on Cat/WLC (before pxGrid)
  • ISE policy sets working for wired (and wireless if used)

Step-by-Step GUI Configuration Guide (with CLI & validation)

Version targets: ISE 3.2/3.3, FMC 7.x, FTD 7.x.
Replace names/FQDNs/IPs to suit your lab.

Phase 0 — Fast Pre-Checks (must pass)

  • ISE CLI
ise/admin# ntp server <ip/fqdn>  (configure if needed)
ise/admin# show ntp
ise/admin# show application status ise | include pxGrid
  • FMC (Web UI) → System > Health > Monitor: FMC & FTD healthy
  • Network reachability: TCP 8910 open from FMC ↔ ISE, ping both ways
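The Phase 0 checks above (FQDN/PTR consistency, TCP 8910 reachability, and the ISE pxGrid certificate chaining to the exported ISE CA with the FQDN in its SAN) as a script run from an admin host on the FMC side; this is an added example, not part of the original guide. The FQDNs and the CA chain path are placeholders, and NTP is still checked with `show ntp` as the page describes.

```python
"""Phase 0 pre-checks for an ISE <-> FMC pxGrid lab, run from an admin host
on the FMC side of the network (added example, not part of the original guide).
Placeholder names below are for a lab; swap in your own FQDNs and CA chain path."""
import socket
import ssl
import time

PXGRID_PORT = 8910  # pxGrid 2.0 REST/WebSocket, mutual TLS

def hostname_matches_san(fqdn, san_names):
    """True if fqdn matches a DNS SAN entry exactly or via a single-label wildcard."""
    host = fqdn.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def dns_consistent(fqdn):
    """A record must resolve and the PTR must map back to the same FQDN."""
    try:
        ip = socket.gethostbyname(fqdn)
        ptr = socket.gethostbyaddr(ip)[0]
    except OSError:
        return False, None
    return ptr.lower().rstrip(".") == fqdn.lower().rstrip("."), ip

def tcp_reachable(host, port=PXGRID_PORT, timeout=3.0):
    """Plain TCP connect; a closed or filtered port returns False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def pxgrid_cert_check(fqdn, ca_chain_pem, client_pem=None, port=PXGRID_PORT):
    """TLS handshake to the pxGrid node trusting only the exported ISE CA chain.
    Returns (ok, reason, days_until_expiry); client_pem = cert+key PEM if required."""
    ctx = ssl.create_default_context(cafile=ca_chain_pem)
    ctx.check_hostname = False  # SAN is matched below so the names can be reported
    if client_pem:
        ctx.load_cert_chain(client_pem)
    try:
        with socket.create_connection((fqdn, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain not trusted: {exc.reason}", None
    except OSError as exc:
        return False, f"handshake failed: {exc}", None
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    days = int((ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) // 86400)
    if not hostname_matches_san(fqdn, sans):
        return False, f"{fqdn} not in SAN {sans}", days
    return True, "ok", days

if __name__ == "__main__":
    ise = "ise-psn1.lab.local"  # placeholder lab FQDN; FMC itself only needs DNS/PTR
    print("dns", dns_consistent(ise), "tcp8910", tcp_reachable(ise),
          "cert", pxgrid_cert_check(ise, "ise-ca-chain.pem"))
```

A `chain not trusted` result with a fresh export of the ISE CA chain usually means the pxGrid node is presenting a certificate from a different CA than the one you exported (Phase 1, step 2).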

Phase 1 — ISE: Enable pxGrid persona & certificate

  1. Enable pxGrid persona
    • ISE GUI: Administration > System > Deployment > select PSN (or PAN+PSN) → Edit
    • Check pxGrid (and pxGrid Controller if this node is controller) → Save
    • [Screenshot: ISE Deployment – Enable pxGrid Persona]
  2. Bind a certificate with pxGrid role
    • Administration > System > Certificates > System Certificates
    • Import/Generate a certificate with pxGrid usage; chain to ISE CA (or enterprise CA)
    • [Screenshot: ISE System Certificate – pxGrid Usage Checked]
  3. Export ISE CA chain (Base64) for FMC trust
    • Administration > System > Certificates > Certificate Authority → Export CA Chain
    • [Screenshot: ISE Internal CA – Export Chain]

ISE Validation (CLI)

ise/admin# show application status ise | include pxGrid
pxGrid Infrastructure : running
pxGrid Publisher      : running
ise/admin# tail -n 100 /var/log/ise/pxgrid/pxgrid.log

Expect pxGrid services running, no TLS errors.


Phase 2 — FMC: Prepare trust & pxGrid client identity

You can either:
A) Issue a pxGrid client cert from ISE Internal CA for fmc.lab.local and import into FMC (PFX), or
B) Use enterprise PKI; ensure ISE trusts FMC CA and FMC trusts ISE CA.

  1. Import ISE CA chain into FMC
    • FMC GUI: Objects > Object Management > PKI > Trusted CAs → Add → paste Base64 ISE CA chain
    • [Screenshot: FMC Trusted CA – ISE Chain Imported]
  2. Import FMC pxGrid client cert (PFX w/ private key)
    • FMC GUI: Objects > Object Management > PKI > Identity Certificates → Add → Upload PFX, set password
    • [Screenshot: FMC Identity Certificate – pxGrid Client]

Phase 3 — FMC: Add ISE as Identity Source (pxGrid)

  1. System > Integration > Identity Sources > Identity Services Engine → Add
    • ISE FQDN (must match ISE cert SAN)
    • Select pxGrid connection, pick the Identity Certificate you just imported
    • Test Connection → Save
    • [Screenshot: FMC ISE Integration Wizard – pxGrid Test OK]
  2. ISE: Approve FMC client
    • ISE GUI: Administration > pxGrid Services > Clients
    • Locate FMC entry → Approve → ensure Connected = Yes
    • [Screenshot: ISE pxGrid Clients – FMC Approved & Connected]

ISE CLI Quick Check

ise/admin# show pxGrid clients | include <FMC_FQDN>
ise/admin# tail -n 50 /var/log/ise/pxgrid/pxgrid.log | egrep -i "client|approved|session"

Phase 4 — ISE: Enable the right pxGrid topics

  1. Administration > pxGrid Services > Settings
    • Enable Session Directory (user/IP/MAC/SSID/NAD)
    • Enable TrustSec (SGT/SGACL publishing)
    • Enable ANC (quarantine/unquarantine events)
    • [Screenshot: ISE pxGrid Settings – Topics Enabled]
  2. TrustSec Components (optional but recommended)
    • Work Centers > TrustSec > Components → ensure SGTs exist (e.g., Quarantine, Finance, HR)
    • [Screenshot: ISE TrustSec – SGT List]

ISE CLI

ise/admin# tail -f /var/log/ise/pxgrid/pxgrid.log | egrep -i "session|trustsec|anc|publish"

Expect topic registrations & publish events when sessions change.


Phase 5 — ISE: Prep Authorization for ANC Quarantine (so you can prove enforcement)

  1. Policy → Policy Elements → Results → Authorization
    • Create QUAR-dACL (Downloadable ACL) or QUAR-VLAN profile
    • Or QUAR-SGT (assign an SGT named Quarantine)
    • [Screenshot: ISE AuthZ Profiles – QUAR-dACL / QUAR-SGT]
  2. Policy → Policy Sets → (Your set) → Authorization
    • Add top-priority rule: If Network Access:UseCase equals ANC-Quarantine → Result QUAR-xxx
    • [Screenshot: ISE Authorization – ANC Quarantine Rule]

Phase 6 — FMC: Build identity/SGT-aware Access Control

  1. Policies > Access Control > (Your ACP) > Rules > Add
    • Name: Block_Quarantine
    • Users/Groups: (optional)
    • Security Group Tag (SGT): Quarantine (from ISE)
    • Action: Block (or Trust/Allow for other test rules)
    • Logging: At Beginning & At End
    • [Screenshot: FMC ACP Rule – Match SGT Quarantine]
  2. Commit/Deploy to FTD.
    • [Screenshot: FMC Deploy – Success]

FTD CLI (post-deploy)

> show access-control-config
> show users

Expect SGT mapping presence and identity table populated when sessions arrive.


Phase 7 — End-to-End Validation (Identity & SGT flow)

A) Bring a test endpoint online (wired on Cat9300)

  • Authenticate via 802.1X/MAB (already working from pre-req).
  • ISE GUI: Operations > RADIUS > Live Sessions / Live Logs
    • Verify User, Endpoint, NAD, Result
    • [Screenshot: ISE Live Sessions – Test Endpoint]

B) Confirm pxGrid session published

  • ISE CLI
ise/admin# tail -f /var/log/ise/pxgrid/pxgrid.log | egrep -i "<endpoint_ip>|published|session"

C) FMC consumption

  • FMC GUI: Analysis > Users > Active Sessions
    • See user/IP/MAC/hostname/SGT (if assigned)
    • [Screenshot: FMC Analysis – Active Users populated]

D) FTD enforcement

  • Generate traffic from endpoint to a blocked destination.
  • FMC GUI: Analysis > Connections → confirm matches Block_Quarantine (or user rule).
    • [Screenshot: FMC Connection Events – Rule Hit]
  • FTD CLI
> show conn address <endpoint_ip>
> show users

Expect connections dropped if SGT=Quarantine; user identity visible.


Phase 8 — ANC Quarantine Drill (prove rapid containment)

  1. ISE GUI: Operations > Adaptive Network Control > Assign
    • Pick the test endpoint → Apply ANC: Quarantine (the policy you created)
    • [Screenshot: ISE ANC – Apply Quarantine]
  2. ISE GUI: RADIUS Live Logs
    • Confirm CoA sent; Authorization Result = QUAR-xxx
    • [Screenshot: ISE Live Logs – CoA Success]
  3. Switch/WLC CLI (wired example)
Cat9300# show authentication sessions interface Gi1/0/10 details
Cat9300# show ip access-lists | include QUAR   (if dACL mirrored to IP ACL)
Cat9300# show cts role-based sessions interface Gi1/0/10   (if SGT used)

Expect VLAN/dACL/SGT changed to quarantine.

  4. FMC/FTD Validation
  • FMC: Analysis > Connections → traffic blocked by Block_Quarantine
  • FTD CLI
> show users
> show access-control-config
> show conn address <endpoint_ip>

Expect blocks consistent with quarantine state.

  5. Unquarantine (rollback)
  • ISE GUI: ANC → Remove / Unquarantine
  • Confirm CoA, normal authorization policy restored; traffic allowed again.

Phase 9 — Troubleshooting Quick-Hits (only if something fails)

  • TLS / Cert errors → Recheck FQDN/SAN, trust chains on both sides
    • ISE CLI: tail -n 200 /var/log/ise/pxgrid/pxgrid.log | egrep -i "tls|handshake|cert|unknown ca|expired"
  • No identities in FMC → Ensure Session Directory is enabled; user actually authenticated to ISE
  • No SGTs in FMC → Enable TrustSec topic; ensure SGT assigned in ISE AuthZ; deploy on FMC
  • ANC not reflected → Ensure ANC topic enabled and FMC subscribed; verify ISE AuthZ has ANC-Quarantine rule
  • Slow updates → Check NTP, pxGrid push interval, and overall ISE node load

Troubleshooting:

Common pxGrid Integration Problems + Fixes

Issue 1: FMC pxGrid Registration Fails

  • Symptom: FMC shows error pxGrid Registration Failed
  • Logs in ISE: %PXGRID-3-REGISTER_FAIL: Registration failed for client FMC-Client Reason: Untrusted certificate
  • Root Cause: FMC certificate not signed by ISE trusted CA.
  • Fix:
    1. Export FMC certificate chain.
    2. Import into ISE Trusted Certificates (Admin → System → Certificates → Trusted Certificates).
    3. Mark certificate for pxGrid usage.
  • CLI Validation on ISE:
    show logging application pxgrid.log | include FMC
    show application status ise

Issue 2: pxGrid Service Not Running on ISE Node

  • Symptom: FMC cannot connect; GUI shows “pxGrid Service Unavailable.”
  • CLI on ISE: show application status ise | include pxgrid
    Output: pxGrid Infrastructure: not running
  • Fix:
    1. Restart ISE services (pxGrid restarts with them):
       application stop ise
       application start ise
    2. Ensure pxGrid persona is enabled under Administration → System → Deployment → Node → pxGrid Persona.

Issue 3: Certificates Mismatch (ISE vs FMC)

  • Symptom: Handshake fails, logs: SSL handshake failed: unknown_ca.
  • Fix:
    1. Check that ISE pxGrid uses valid Server Certificate with Client Authentication extended key usage.
    2. Replace self-signed certs with ISE-issued CA.
    3. Re-import into FMC.

Issue 4: FMC Subscribes but No Context Data Arrives

  • Symptom: FMC registers successfully, but no sessions, users, or SGTs appear.
  • ISE CLI Debug: show logging application pxgrid.log | include session
  • Root Cause: FMC only registered, not subscribed.
  • Fix:
    1. In FMC, navigate to Integration → pxGrid → Enable Context Service.
    2. Validate Subscription Status: must be Active.
  • Validation: FMC → System → Health → Context Data.

Issue 5: Large-Scale Lab / Cluster Sync Issues

  • Symptom: Multi-ISE deployment → only PAN has pxGrid enabled, PSNs not publishing data.
  • Fix:
    1. Ensure pxGrid Persona is enabled on all nodes.
    2. Verify inter-node trust (ISE certificates replicated).
    3. Validate via CLI: show running-config | include pxgrid

Issue 6: FMC Cannot Use SGTs for Policies

  • Symptom: FMC shows pxGrid sessions but SGTs are blank.
  • Root Cause: SGT Exchange not enabled in pxGrid.
  • Fix:
    • In ISE: Administration → pxGrid Services → Enable SGT Exchange.
    • Restart pxGrid service.
  • Validation: In FMC policy editor, SGT dropdown should populate.

Issue 7: Time Sync Problems (ISE & FMC)

  • Symptom: pxGrid handshake fails randomly.
  • Log in pxgrid.log: TLS connection rejected due to clock skew
  • Fix:
    • Ensure both ISE & FMC point to same NTP server.
    • CLI check: show ntp
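The seven issues above each leave a recognisable line in pxgrid.log. The following triage script, an added example that is not part of the original guide, classifies lines from `show logging application pxgrid.log` into those issue classes and prints the matching fix in root-cause order (service and clock problems before certificate errors). The sample log lines are constructed from the messages quoted above.

```python
"""Triage pxGrid log lines into the failure classes in this section.
Added example, not from the original guide; feed it the output of
'show logging application pxgrid.log' from ISE."""
import re
from collections import Counter

# Signature -> issue label. Patterns are the messages quoted in Issues 1-7 plus the
# "expired" string grepped for in Phase 9. First match wins; service and clock
# problems come first because they usually explain the certificate errors that follow.
SIGNATURES = [
    ("service_not_running", re.compile(r"pxGrid (Infrastructure|Publisher)\s*:\s*not running", re.I)),
    ("clock_skew",          re.compile(r"clock skew", re.I)),
    ("untrusted_client",    re.compile(r"REGISTER_FAIL.*Untrusted certificate", re.I)),
    ("unknown_ca",          re.compile(r"handshake failed.*unknown_ca", re.I)),
    ("expired_cert",        re.compile(r"\b(expired|not yet valid)\b", re.I)),
    ("session_published",   re.compile(r"\bsession\b.*\bpublished\b", re.I)),
]

FIXES = {
    "service_not_running": "Issue 2: restart ISE services and confirm the pxGrid persona is enabled on this node.",
    "clock_skew":          "Issue 7: point ISE and FMC at the same NTP source, then re-check with 'show ntp'.",
    "untrusted_client":    "Issue 1: import the FMC certificate chain into ISE Trusted Certificates with pxGrid usage.",
    "unknown_ca":          "Issue 3: issue the pxGrid certificate from the ISE CA and re-import the chain on FMC.",
    "expired_cert":        "Phase 9: renew the expired certificate and re-import it on both sides.",
}

def classify(line):
    """Return the issue label for one log line, or None if it is not a known signature."""
    for label, pattern in SIGNATURES:
        if pattern.search(line):
            return label
    return None

def triage(lines):
    """Count every known signature and return (counts, ordered remediation hints).
    Healthy 'session published' events are counted as proof the publisher works
    but produce no hint."""
    counts = Counter(label for label in map(classify, lines) if label)
    fixes = [FIXES[label] for label, _ in SIGNATURES if label in FIXES and counts[label]]
    return counts, fixes

# Constructed sample log, modelled on the messages quoted in Issues 1, 3 and 7.
SAMPLE_LOG = """\
2025-01-10 09:12:01 INFO  pxGrid Infrastructure : running
2025-01-10 09:12:05 ERROR %PXGRID-3-REGISTER_FAIL: Registration failed for client FMC-Client Reason: Untrusted certificate
2025-01-10 09:12:06 ERROR SSL handshake failed: unknown_ca
2025-01-10 09:12:40 WARN  TLS connection rejected due to clock skew
2025-01-10 09:13:02 INFO  session for 10.10.20.15 (user jdoe) published to topic com.cisco.ise.session
""".splitlines()

if __name__ == "__main__":
    counts, fixes = triage(SAMPLE_LOG)
    print(dict(counts))
    for fix in fixes:
        print("-", fix)
```

Work the fixes top to bottom: once the clock skew is corrected, re-run the log through the script before touching certificates, since the handshake errors often disappear with it.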

Validation Checklist (GUI + CLI)

On ISE

  • GUI → Administration → pxGrid Services → Clients (FMC must be “Connected”)
  • CLI → show logging application pxgrid.log

On FMC

  • GUI → System → Integration → pxGrid (Status: Connected, Subscribed)
  • GUI → Objects → Security Groups (SGTs visible)

End-to-End Test

  • Connect endpoint → ISE authenticates → pxGrid shares session → FMC policy enforced.
  • CLI on endpoint (if Linux/Windows) → test network access (policy hit).

Step-by-Step LAB Validation

Step 1 – Verify Endpoint Authentication on ISE

  1. Connect a test endpoint (Windows/Linux laptop or VM) to your switch/WLC.
  2. The device should go through 802.1X or MAB authentication → hit your ISE policy set.
    • GUI Path: Operations → RADIUS → Live Logs
    • Check authentication result = Access-Accept.
    • Note User ID, IP address, MAC address, and SGT assigned.

Step 2 – Validate Session in ISE (GUI & CLI)

  • GUI Path: Operations → Sessions
    • Ensure endpoint session is active.
    • Check SGT, Posture status, and User.
  • CLI Validation on ISE: show logging application pxgrid.log | include <endpoint_ip>
    Output should show the session published to pxGrid.

Step 3 – Confirm pxGrid Client (FMC) Status in ISE

  • GUI Path: Administration → pxGrid Services → Clients
  • Check FMC → Status = Connected & Subscribed.

Step 4 – Validate pxGrid Data on FMC

  1. Log into FMC GUI → System → Integration → pxGrid.
    • Status = Connected
    • Subscription = Active
  2. GUI Path: Analysis → Users → Active Sessions
    • Endpoint should appear with:
      • Username (from ISE)
      • IP Address
      • MAC Address
      • Security Group Tag (if configured)

Step 5 – Check Security Group Tags (SGT) in FMC

  • GUI Path: Objects → Object Management → Security Group Tags
  • Verify SGTs from ISE are visible.

Step 6 – Create a Policy in FMC Using pxGrid Data

  1. Go to Policies → Access Control → Access Control Policy.
  2. Add a new rule:
    • Source = Endpoint SGT or User (from ISE pxGrid).
    • Destination = Internet or server subnet.
    • Action = Block / Allow / Inspect.

Step 7 – Test Enforcement from Endpoint

  • On the endpoint:
    • Try to access a server or website that is blocked by FMC policy.
    • It should be denied.
    • Access logs in FMC will show policy hit with pxGrid session info.

Step 8 – Validate with CLI (FMC & ISE)

On ISE:

show logging application pxgrid.log | include <username>
show application status ise | include pxgrid

On FMC:

system logs show | grep pxgrid

(Check for subscription updates, errors, or enforcement logs.)


Step 9 – Break & Fix Test (Optional for Lab Mastery)

  • Stop pxGrid service on ISE: application stop ise
  • Verify in FMC → pxGrid status goes Disconnected.
  • Restart and validate reconnection.

Step 10 – End-to-End Checklist

  • Endpoint authenticated in ISE
  • ISE Session Published to pxGrid
  • FMC Connected + Subscribed
  • SGTs visible in FMC
  • Policy created using pxGrid data
  • Enforcement tested successfully
  • CLI logs confirm pxGrid updates

FAQs – ISE & FMC pxGrid Integration

Q1. What is pxGrid and why is it needed between ISE and FMC?

Answer:
pxGrid (Platform Exchange Grid) is Cisco’s framework that allows contextual information sharing between ISE and other security solutions (like FMC).

  • ISE knows who the user is, their role, device type, posture, and SGT.
  • FMC needs this identity and context to enforce security policies (firewall, IPS, URL filtering).
    Without pxGrid, FMC would only see IPs/ports. With pxGrid, it can enforce policies based on user identity + device posture + group tags.

Q2. Do I need special licenses for pxGrid integration between ISE & FMC?

Answer:
Yes.

  • On ISE: You need Plus license (or higher tier, e.g., Apex in older models).
  • On FMC: You must have Control licenses to enforce policies, and pxGrid integration is included with FMC.
    Always check that both sides are properly licensed before lab/production deployment.

Q3. Which ports are required for pxGrid communication between ISE & FMC?

Answer:
pxGrid uses TCP 8910–8911 (TLS/SSL) for communication.

  • Ensure FMC can reach ISE pxGrid node(s) on these ports.
  • Additionally, TCP 443 is needed for FMC GUI/API interactions.
    Best practice: Allow bidirectional communication between ISE and FMC pxGrid nodes.

Q4. How do I verify that FMC is subscribed successfully to ISE pxGrid?

Answer:

  • On ISE GUI:
    • Go to Administration → pxGrid Services → Clients.
    • FMC should appear with Status = Connected & Subscribed.
  • On FMC GUI:
    • Navigate to System → Integration → pxGrid.
    • Status should read Connected, with active subscriptions.
  • CLI Validation:
    ise/admin# show logging application pxgrid.log | include <FMC_hostname>
    fmc/admin# system logs show | grep pxgrid

Q5. How do I check if endpoint sessions are shared from ISE to FMC?

Answer:

  • On ISE GUI:
    • Navigate to Operations → Sessions.
    • Confirm the session shows user, IP, MAC, and SGT.
  • On FMC GUI:
    • Navigate to Analysis → Users → Active Sessions.
    • Same endpoint should appear with full details.
      This confirms pxGrid is publishing sessions.

Q6. Can FMC use Security Group Tags (SGTs) from ISE directly in policies?

Answer:
Yes. Once pxGrid is active:

  • On FMC:
    • Navigate to Objects → Object Management → Security Group Tags.
    • Imported SGTs will be listed.
      You can then use these SGTs in Access Control Policies (e.g., block HR endpoints from Internet).

Q7. What happens if ISE pxGrid node fails – will FMC lose context?

Answer:

  • pxGrid is redundant if you deploy multiple ISE Policy Service Nodes with pxGrid role enabled.
  • FMC will automatically re-subscribe to another pxGrid node.
  • If all pxGrid nodes fail, FMC will continue enforcing cached policies but won’t receive new session updates until pxGrid resumes.

Q8. How can I troubleshoot when FMC does not show endpoint/user info from ISE?

Answer:

  1. Verify licenses on both ISE & FMC.
  2. Check connectivity on TCP ports 8910–8911.
  3. Confirm FMC pxGrid client is approved in ISE under pxGrid Services.
  4. Restart ISE services on the pxGrid node:
     application stop ise
     application start ise
  5. Check logs:
    • ISE: show logging application pxgrid.log
    • FMC: system logs show | grep pxgrid

Q9. Is pxGrid communication encrypted?

Answer:
Yes.

  • pxGrid uses TLS/SSL with mutual authentication.
  • Certificates are exchanged between ISE and FMC during registration.
  • Best practice: Use certificates signed by a trusted CA (internal PKI or public).
  • Self-signed certs can be used in lab, but not recommended for production.

Q10. Can I use pxGrid for Threat-Centric NAC with FMC?

Answer:
Absolutely.

  • FMC can trigger adaptive network controls using pxGrid.
  • Example: If FMC detects malware or intrusion → it can send ANC (Adaptive Network Control) command to ISE via pxGrid → ISE quarantines endpoint or changes VLAN.
  • This is one of the strongest integrations of ISE + FMC in threat response.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience


Closing Notes

You now have a secure, certificate-anchored pxGrid integration where ISE publishes identity/SGT/ANC and FMC/FTD enforces in real time. Keep certs/DNS/NTP immaculate, log and validate each plane (publish → subscribe → act → enforce), and always include a quarantine drill in your runbooks to prove outcomes.


Upgrade Your Skills – Start Today

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes.

Fast-Track to Cisco ISE Mastery Pro — (4-month live cohort).

  • End-to-end labs: pxGrid 2.0, Threat-Centric NAC, TrustSec/SGT, Wired/Wireless, Posture, FMC/SIEM/SNA integrations
  • Workbook-style guides, troubleshooting bibles, packet captures, mentor support
    Course outline & enrollment: https://course.networkjourney.com/ccie-security/

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088