ISE 2.1 and WSA pxGrid Integration with CA-Signed Certificates

This blog post is going to be going over integration ISE 2.1 and WSA via pxGrid with CA-signed certificates. I personally like using CA-Signed certificates for my deployment because if I ever need to rebuild an ISE instance or pxGrid client, it's extremely easy to get it up and running again with a CA-signed certificate.

Prior to anything, make sure the WSA has basic configs (IP address, licensing, etc).

For ISE, navigate to Administration>System>Certificates>Trusted Certificates and make sure the Root CA certificate is uploaded and that it’s Trusted for Client Authentication and authentication within ISE:

Navigate to Administration>System>Certificates>Certificate Signing Requests and click Generate Certificate Signing Requests (CSR). Create a Multi-Use certificate for your ISE node and once created, export it. Open it with Notepad, copy the CSR and open your AD Certificate Services page. Click on Request a certificate>advanced certificate requests, paste the CSR in the Base-64-encoded request and choose pxGrid ads the certificate template before clicking Submit. On the next page, download the certificate as Base-64 encoded.

Go back to Administration>System>Certificates>Certificate Signing Requests, check the box next to the CSR and bind the certificate and specify that the certificate will be at least used for pxGrid.

Navigate to Administration>System>Certificates>System Certificates and make sure your bond certificate is there with the pxGrid usage:

Navigate to Administration>System>Deployment and click on your ISE node:

Ensure that pxGrid is checked:

Navigate to Administration>pxGrid Services>Settings and ensure that automatically approve new accounts is checked:

Navigate to the AD certificate services and ensure that the CA certificate is downloaded if you haven’t already:


In the WSA, navigate to Network>Certificate Management and click on Manage Trusted Root Certificates.. to upload the CA certificate you just downloaded. 


Click Import:

Browse to your downloaded and upload the CA certificate and click Submit:

Click Submit again:

Click Commit Changes to apply the changes.

Navigate to Network>Identity Services Engine and click Enable and Edit Settings..

In the first section, add your ISE IP or hostname, click Browse, select the CA certificate and click Upload File:


In the next section, upload the CA certificate again:


In the last section, choose the radio button for Use Generated Certificate and Key and click the button Generate New Certificate and Key:

Fill in the certificate fields and click Generate:


After generating it, click on the Download Certificate Signing Requests… link and open the CSR in Notepad:

Very important: Click Submit at the bottom of the page and then Commit Changes.

After doing so, navigate back to Network>Identity Services Engine and click on Edit Settings:

Open up your AD Certificate Services and click on Request a certificate:


Click advanced certificate request.

On the opened CSR you downloaded from the WSA, Copy the selection of the certificate only


Back in the AD Certificate Services, paste it, choose the pxGrid template and click Submit:

Download the new certificate in Base 64 format.

Back in the WSA, upload the certificate:


You should see a success message at the top:

On the bottom of the screen, click Start Test to verify everything is working:


In the WSA, navigate to System Administration>Log Subscription and click accesslogs. Under the Custom Fields (optional), add %m

Click Submit and Commit Changes


In ISE, navigate to Administration>pxGrid Services>Clients to verify the new pxGrid node is showing up: