ISE pxGrid

Platform Exchange Grid. Real-time event streaming and context sharing via WebSocket.

Overview

Base URL    https://ise-01.inside.domusdigitalis.dev:8910/
Auth        mTLS (client certificates)
Format      JSON over WebSocket
Enable      Administration > pxGrid Services

Key Topics

Topic                           Events
com.cisco.ise.session           Session started/terminated
com.cisco.ise.anc               ANC policy applied/cleared
com.cisco.ise.config.profiler   Profiler changes
com.cisco.ise.radius            RADIUS events
com.cisco.ise.trustsec          TrustSec SGT changes

Certificate Setup

pxGrid requires client certificates:

# Generate CSR for pxGrid client
openssl req -new -newkey rsa:2048 -nodes \
  -keyout pxgrid-client.key \
  -out pxgrid-client.csr \
  -subj "/CN=pxgrid-client.inside.domusdigitalis.dev"

# Submit CSR to ISE via GUI:
# Administration > pxGrid Services > Certificates > Generate Certificate
# Download signed cert as pxgrid-client.pem

# Or issue from Vault PKI
vault write pki_int/issue/domus-client \
  common_name="pxgrid-client.inside.domusdigitalis.dev" \
  ttl="8760h"

Python Examples

pxGrid uses WebSocket connections, best consumed with Python:

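import ssl
import stomper
import websocket  # provided by the websocket-client package

PXGRID_HOST = 'ise-01.inside.domusdigitalis.dev'

def on_message(ws, message):
    # Each WebSocket message carries one STOMP frame
    frame = stomper.unpack_frame(message)
    if frame['cmd'] == 'MESSAGE':
        print(frame['body'])

def on_open(ws):
    # Connect (stomper's STOMP 1.1 helpers take the host as a third argument)
    ws.send(stomper.connect('guest', 'guest', PXGRID_HOST))
    # Subscribe to sessions; the second argument is the subscription id
    ws.send(stomper.subscribe('/topic/com.cisco.ise.session', 'session-sub'))

# SSL context with client cert; PROTOCOL_TLS_CLIENT verifies the server
# certificate and hostname against the CA loaded below
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ssl_context.load_cert_chain('client.pem', 'client.key')
ssl_context.load_verify_locations('ise-ca.pem')

ws = websocket.WebSocketApp(
    f'wss://{PXGRID_HOST}:8910/pxgrid/ise/pubsub',
    on_message=on_message,
    on_open=on_open
)
ws.run_forever(sslopt={'context': ssl_context})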

ANC Actions

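import requests

def apply_anc_policy(mac_address: str, policy_name: str) -> dict:
    """Apply ANC policy to endpoint via pxGrid REST"""
    response = requests.post(
        "https://ise-01.inside.domusdigitalis.dev:8910/pxgrid/anc/applyEndpointPolicy",
        cert=("client.pem", "client.key"),  # client certificate and key for mTLS
        verify="ise-ca.pem",                # CA bundle used to verify the ISE server
        json={
            "macAddress": mac_address,
            "policyName": policy_name
        },
        timeout=10,  # do not hang forever if ISE is unreachable
    )
    # Surface HTTP errors instead of parsing an error body as a result
    response.raise_for_status()
    return response.json()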

# Usage
result = apply_anc_policy("14:F6:D8:7B:31:80", "Quarantine")

Clear ANC

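def clear_anc_policy(mac_address: str) -> dict:
    """Clear ANC policy from endpoint"""
    response = requests.post(
        "https://ise-01.inside.domusdigitalis.dev:8910/pxgrid/anc/clearEndpointPolicy",
        cert=("client.pem", "client.key"),  # client certificate and key for mTLS
        verify="ise-ca.pem",                # CA bundle used to verify the ISE server
        json={"macAddress": mac_address},
        timeout=10,  # do not hang forever if ISE is unreachable
    )
    # Surface HTTP errors instead of parsing an error body as a result
    response.raise_for_status()
    return response.json()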
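Because an ANC call can cut an endpoint off the network, automation that feeds apply_anc_policy or clear_anc_policy benefits from a pre-flight check on its inputs. The following is an added example, not part of the original page or of Cisco's code: ALLOWED_POLICIES, PROTECTED_MACS, normalize_mac and build_anc_payload are hypothetical names, and the protected MAC is a constructed value.

```python
import re
from typing import Optional

# Assumptions for illustration (not from the page): which ANC policies automation
# may apply, and which endpoints it must never act on (constructed MAC).
ALLOWED_POLICIES = {"Quarantine"}
PROTECTED_MACS = {"00:11:22:33:44:55"}  # e.g. an uplink or management interface

# Accepted spellings: 14:F6:D8:7B:31:80, 14-F6-D8-7B-31-80, 14F6.D87B.3180, 14F6D87B3180
_MAC_FORMS = re.compile(
    r"(?:[0-9A-F]{2}([:-])(?:[0-9A-F]{2}\1){4}[0-9A-F]{2}"
    r"|[0-9A-F]{4}\.[0-9A-F]{4}\.[0-9A-F]{4}"
    r"|[0-9A-F]{12})",
    re.IGNORECASE,
)


def normalize_mac(raw: str) -> str:
    """Return the MAC as upper-case colon-separated octets, or raise ValueError."""
    text = raw.strip()
    if not _MAC_FORMS.fullmatch(text):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[:.\-]", "", text).upper()
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    # The low bit of the first octet marks multicast/broadcast addresses,
    # which never identify a single endpoint.
    if int(octets[0], 16) & 0x01:
        raise ValueError(f"multicast/broadcast MAC refused: {raw!r}")
    return ":".join(octets)


def build_anc_payload(mac_address: str, policy_name: Optional[str] = None) -> dict:
    """Validated JSON body for an apply request, or a clear request if policy_name is None."""
    mac = normalize_mac(mac_address)
    if policy_name is None:
        return {"macAddress": mac}
    if policy_name not in ALLOWED_POLICIES:
        raise ValueError(f"policy not allow-listed: {policy_name!r}")
    if mac in PROTECTED_MACS:
        raise PermissionError(f"{mac} is protected from ANC actions")
    return {"macAddress": mac, "policyName": policy_name}
```

Pass the returned fields to apply_anc_policy or clear_anc_policy only after this check succeeds, and log the refusals so unexpected quarantine attempts are visible.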

Available Topics

# pxGrid Topics:
# /topic/com.cisco.ise.session - Session lifecycle events
# /topic/com.cisco.ise.anc - ANC policy applications
# /topic/com.cisco.ise.sxp - SXP IP-SGT bindings
# /topic/com.cisco.ise.trustsec - TrustSec updates
# /topic/com.cisco.ise.radius - RADIUS auth events
# /topic/com.cisco.ise.mdm - MDM compliance events

Environment Setup

export PXGRID_HOST="ise-01.inside.domusdigitalis.dev"
export PXGRID_PORT="8910"
export PXGRID_CERT="./pxgrid-client.pem"
export PXGRID_KEY="./pxgrid-client.key"
export PXGRID_CA="./ise-chain.pem"

Learnings

pxGrid Gotchas
  • Requires mTLS - no username/password auth

  • Client cert must be approved in ISE (Administration > pxGrid Services > Clients)

  • WebSocket connection stays open - events stream in real-time

  • Python websockets library recommended

  • ANC (Adaptive Network Control) actions are powerful - can quarantine endpoints

  • pxGrid 2.0 (ISE 2.4+) uses REST over WebSocket; older versions use XMPP