pxGrid 2.0 Commands

Overview

pxGrid 2.0 is ISE’s real-time integration API for session monitoring, Adaptive Network Control (ANC), TrustSec, and cross-platform data sharing. Unlike ERS (CRUD operations) or MnT (polling), pxGrid provides:

  • Real-time session data - No polling, instant updates

  • ANC operations - Quarantine/unquarantine endpoints programmatically

  • TrustSec integration - SGT assignments, egress policies

  • Certificate-based authentication - Enterprise PKI integration

  • Pub/Sub capability - WebSocket subscriptions (future)

pxGrid requires an FQDN; IP addresses are NOT supported. The pxGrid protocol validates hostnames against certificates.

Commands

Command                     Description
--------------------------  ------------------------------------------
pxgrid activate             Activate pxGrid account (first-time setup)
pxgrid test                 Test pxGrid connection and account status
pxgrid services             List available pxGrid services
pxgrid sessions             Get all active sessions (real-time)
pxgrid session              Get session by MAC or IP address
pxgrid user-groups          Get user’s group memberships
pxgrid anc-*                ANC policy operations (list, apply, clear)
pxgrid sgts                 TrustSec security groups
pxgrid health/performance   ISE system health metrics

Enterprise Certificate Setup

pxGrid uses mutual TLS (mTLS) for authentication. In enterprise environments, use your existing PKI (AD CS) rather than ISE’s internal CA.

See Enterprise PKI Setup for complete instructions.

Quick Setup (AD CS)

# 1. Generate CSR on Linux
openssl req -new -newkey rsa:2048 -nodes \
  -keyout ~/.secrets/certs/d000/ise/pxgrid-client.key \
  -out /tmp/pxgrid-client.csr \
  -subj "/CN=netapi-pxgrid/O=YourOrg/C=US"

# 2. Submit to AD CS (via SSH to DC)
ssh admin@home-dc01 "certreq -submit -attrib 'CertificateTemplate:pxGrid' -"

# 3. Configure environment
export ISE_PXGRID_FQDN=ppan.inside.domusdigitalis.dev
export ISE_PXGRID_CERT=~/.secrets/certs/d000/ise/pxgrid-client.cer
export ISE_PXGRID_KEY=~/.secrets/certs/d000/ise/pxgrid-client.key
export ISE_PXGRID_CA=~/.secrets/certs/d000/ise/ROOT-CA.crt

# 4. Activate account
netapi ise pxgrid activate

Environment Variables

Variable                 Description                            Required
-----------------------  -------------------------------------  ----------------------
ISE_PXGRID_FQDN          pxGrid node FQDN (not IP!)             Yes
ISE_PXGRID_CERT          Path to client certificate PEM         Yes
ISE_PXGRID_KEY           Path to private key PEM (unencrypted)  Yes
ISE_PXGRID_CA            Path to CA certificate PEM             Recommended
ISE_PXGRID_CLIENT_NAME   Client registration name               Default: netapi-pxgrid

Global Options

Option         Values             Description
-------------  -----------------  ------------------------------
--format, -f   table, json, yaml  Output format (default: table)

pxGrid vs ERS vs MnT vs DataConnect

Capability              pxGrid             ERS          MnT          DataConnect
----------------------  -----------------  -----------  -----------  -----------
Real-time sessions      Yes (instant)      No           Polling      Query-based
ANC operations          Yes                Yes          No           No
Session subscriptions   WebSocket          No           No           No
Authentication          mTLS (certs)       Basic Auth   Basic Auth   Oracle TLS
Port                    8910               9060         443          2484
Use case                Integration, SIEM  Config mgmt  Session ops  Analytics

Architecture

                    ┌─────────────────┐
                    │   ISE Cluster   │
                    │   (pxGrid 2.0)  │
                    │    Port 8910    │
                    └────────┬────────┘
                             │ mTLS
              ┌──────────────┼──────────────┐
              │              │              │
         ┌────▼────┐   ┌─────▼─────┐  ┌─────▼─────┐
         │ netapi  │   │   SIEM    │  │  Firewall │
         │ pxgrid  │   │ (Splunk)  │  │  (Palo)   │
         └─────────┘   └───────────┘  └───────────┘
              │
              ▼
         Sessions, ANC, SGTs

pxGrid allows multiple clients to connect simultaneously. Each client:

  1. Registers with a unique client name

  2. Activates (requires ISE admin approval first time)

  3. Discovers available services

  4. Subscribes or queries as needed

Troubleshooting

Connection Refused

# Verify pxGrid is enabled on ISE
# ISE GUI: Administration > pxGrid Services > Settings
# Check "Enable pxGrid"

# Verify port 8910 is open
nc -zv ppan.inside.domusdigitalis.dev 8910

Certificate Errors

# Verify certificate chain
openssl verify -CAfile ~/.secrets/certs/d000/ise/ROOT-CA.crt \
  ~/.secrets/certs/d000/ise/pxgrid-client.cer

# Check certificate dates
openssl x509 -in ~/.secrets/certs/d000/ise/pxgrid-client.cer -noout -dates

# Verify key matches cert
openssl x509 -in pxgrid-client.cer -noout -modulus | md5sum
openssl rsa -in pxgrid-client.key -noout -modulus | md5sum
# Both should match

Account Pending

# First activation shows PENDING
netapi ise pxgrid activate
# Output: pxGrid account pending approval: PENDING

# Approve in ISE GUI:
# Administration > pxGrid Services > Clients
# Find "netapi-pxgrid" > Approve

# Re-run activation
netapi ise pxgrid activate
# Output: pxGrid account activated: ENABLED

FQDN Resolution

# pxGrid requires FQDN - verify DNS resolution
nslookup ppan.inside.domusdigitalis.dev

# If using /etc/hosts, ensure it matches cert CN
grep ppan /etc/hosts
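
The FQDN, certificate and key checks from this page gathered into one preflight, as an added example that is not part of netapi or the original page. The function names are hypothetical; it goes slightly beyond the page by comparing public keys instead of RSA moduli (so EC keys also work) and by checking that the unencrypted key file is readable by its owner only.

```shell
#!/bin/sh
# Added example: preflight checks for the ISE_PXGRID_* variables (POSIX sh).
# Function names are hypothetical and are not part of netapi.

# Succeeds only for a dotted hostname; rejects IP literals and short names.
pxgrid_is_fqdn() (
  case $1 in
    ''|*:*|*[!A-Za-z0-9.-]*) exit 1 ;;  # empty, IPv6 literal, illegal character
    .*|*.|*..*) exit 1 ;;               # empty label
    *[!0-9.]*) ;;                       # contains a non-digit: not an IPv4 literal
    *) exit 1 ;;                        # digits and dots only: IPv4 literal
  esac
  case $1 in *.*) exit 0 ;; *) exit 1 ;; esac
)

# Succeeds if the key is a regular file with mode 600 or 400 (ls -ld mode string).
pxgrid_key_is_private() (
  perms=$(ls -ld -- "$1" 2>/dev/null) || exit 1
  case $perms in -r[w-]-------*) exit 0 ;; *) exit 1 ;; esac
)

# Compares public keys, so it works for RSA and EC keys alike.
# "-passin pass:" makes an encrypted key fail instead of prompting.
pxgrid_key_matches_cert() (
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || exit 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Runs every check, reports each failure on stderr, returns non-zero if any failed.
pxgrid_preflight() (
  rc=0
  fail() { echo "FAIL: $*" >&2; rc=1; }
  pxgrid_is_fqdn "${ISE_PXGRID_FQDN:-}" ||
    fail "ISE_PXGRID_FQDN must be an FQDN, not an IP address or short name"
  [ -r "${ISE_PXGRID_CERT:-}" ] || fail "ISE_PXGRID_CERT is not readable"
  pxgrid_key_is_private "${ISE_PXGRID_KEY:-}" ||
    fail "ISE_PXGRID_KEY must exist with mode 600 or 400"
  pxgrid_key_matches_cert "${ISE_PXGRID_CERT:-}" "${ISE_PXGRID_KEY:-}" ||
    fail "private key does not match the client certificate"
  openssl x509 -in "${ISE_PXGRID_CERT:-}" -noout -checkend 0 >/dev/null 2>&1 ||
    fail "client certificate is expired or unreadable"
  if [ -n "${ISE_PXGRID_CA:-}" ]; then
    openssl verify -CAfile "$ISE_PXGRID_CA" "$ISE_PXGRID_CERT" >/dev/null 2>&1 ||
      fail "client certificate does not chain to ISE_PXGRID_CA"
  fi
  exit "$rc"
)
```

Source the file after exporting the ISE_PXGRID_* variables and run `pxgrid_preflight` before `netapi ise pxgrid activate`; each failed check is printed on stderr.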