pxGrid 2.0

Overview

pxGrid (Platform Exchange Grid) enables real-time sharing of security context between ISE and partner solutions. Version 2.0 uses REST + WebSocket.

Port      8910 (HTTPS/WSS)
Auth      Mutual TLS (client certificates)
Protocol  REST for control, WebSocket for pub/sub
Format    JSON

Capabilities

Service                         Description                    Direction
Session Directory               Real-time session data         Subscribe
ANC (Adaptive Network Control)  Apply/clear endpoint policies  Publish
TrustSec                        SGT/SXP bindings               Subscribe
System Health                   ISE node status                Subscribe
Profiler                        Endpoint profiling updates     Subscribe
RADIUS Failures                 Auth failure notifications     Subscribe

Architecture

┌─────────────┐     ┌──────────────┐     ┌─────────────┐
│  pxGrid     │     │     ISE      │     │   Partner   │
│  Client     │◄───►│   pxGrid     │◄───►│   System    │
│  (netapi)   │     │  Controller  │     │   (SIEM)    │
└─────────────┘     └──────────────┘     └─────────────┘
       │                   │                    │
       │   WebSocket       │    WebSocket       │
       │   Subscribe       │    Publish         │
       └───────────────────┴────────────────────┘

Authentication

pxGrid uses mutual TLS (mTLS). Both client and server present certificates.

Certificate Requirements

  • Client cert signed by CA trusted by ISE

  • Client cert has pxGrid client EKU (optional but recommended)

  • CN or SAN matches registered client name

Registration Flow

  1. Generate client certificate

  2. Register client with ISE pxGrid controller

  3. Approve client in ISE Admin UI (or auto-approve)

  4. Activate and subscribe to services

Quick Start

1. Register Client

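# -k (here and in the commands below) turns off verification of the ISE server
# certificate; outside a lab, drop it and pass the ISE CA chain with --cacert.
curl -sk --cert pxgrid-client.pem --key pxgrid-client.key \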
  "https://${ISE_PAN_IP}:8910/pxgrid/control/AccountActivate" \
  -H "Content-Type: application/json" \
  -d '{"accountState": "enabled"}'

2. Lookup Service

curl -sk --cert pxgrid-client.pem --key pxgrid-client.key \
  "https://${ISE_PAN_IP}:8910/pxgrid/control/ServiceLookup" \
  -H "Content-Type: application/json" \
  -d '{"name": "com.cisco.ise.session"}'

3. Get Access Secret

curl -sk --cert pxgrid-client.pem --key pxgrid-client.key \
  "https://${ISE_PAN_IP}:8910/pxgrid/control/AccessSecret" \
  -H "Content-Type: application/json" \
  -d '{"peerNodeName": "ise-pubsub-node"}'

4. Subscribe to Sessions

# WebSocket connection (use wscat or Python)
wscat -c "wss://${ISE_PAN_IP}:8910/pxgrid/ise/pubsub" \
  --cert pxgrid-client.pem --key pxgrid-client.key
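
Steps 1 to 3 above in Python, with the ISE server certificate verified and the pending-approval state handled. This is an added example, not code from the original page or from netapi. The response field names (accountState, services, nodeName, secret), the retry parameters and the function names are assumptions not shown on this page.

```python
import json
import ssl
import time
import urllib.request

CONTROL_URL = "https://{host}:8910/pxgrid/control/{op}"  # port and paths from the page


def make_post(ca_file, cert_file, key_file):
    """Return post(url, body) -> dict using mTLS with server verification on."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies ISE, unlike curl -k
    ctx.load_cert_chain(cert_file, key_file)          # client identity for mTLS

    def post(url, body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)
    return post


def bootstrap(post, host, service, attempts=5, delay=30):
    """Activate, look up the service, fetch the secret: (node_name, secret)."""
    def call(op, body):
        return post(CONTROL_URL.format(host=host, op=op), body)

    for _ in range(attempts):
        # Assumed response field: accountState = PENDING | ENABLED | DISABLED
        state = str(call("AccountActivate", {"accountState": "enabled"})
                    .get("accountState", "")).upper()
        if state == "ENABLED":
            break
        if state == "DISABLED":
            raise PermissionError("client account disabled on the controller")
        time.sleep(delay)  # PENDING: waiting for approval in the ISE Admin UI
    else:
        raise TimeoutError("client still pending approval")

    # Assumed response shape: {"services": [{"nodeName": ...}, ...]}
    services = call("ServiceLookup", {"name": service}).get("services") or []
    if not services:
        raise LookupError(f"no provider registered for {service}")
    node = services[0]["nodeName"]
    # Assumed response shape: {"secret": "..."}; keep it out of logs
    secret = call("AccessSecret", {"peerNodeName": node})["secret"]
    return node, secret
```

Against a live controller, pass `make_post(ca, cert, key)` as `post`; the transport is injectable so the sequence can be exercised offline with a stub.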

Services

Session Directory

  • Topic: com.cisco.ise.session

  • Events: sessionCreated, sessionUpdated, sessionDeleted

  • Data: MAC, IP, user, NAS, SGT

ANC (Adaptive Network Control)

  • Topic: com.cisco.ise.config.anc

  • Operations: applyEndpointByMacAddress, clearEndpointByMacAddress

  • Policies: QUARANTINE, SHUT_DOWN, PORT_BOUNCE

TrustSec

  • Topic: com.cisco.ise.trustsec

  • Data: SGT bindings, SXP mappings

System Health

  • Topic: com.cisco.ise.system

  • Data: Node status, replication status

netapi Support

# List pxGrid services (future)
netapi ise pxgrid services

# Subscribe to sessions (future)
netapi ise pxgrid subscribe sessions

# Apply ANC policy
netapi ise pxgrid anc apply --mac "AA:BB:CC:DD:EE:FF" --policy QUARANTINE

pxGrid vs Other APIs

Feature           pxGrid           MnT            DataConnect
Real-time         Yes (WebSocket)  Yes (polling)  No
Historical        No               No             Yes
Write Operations  ANC only         CoA only       No
Auth              mTLS (certs)     Basic          JDBC

Troubleshooting

Client Not Approved

  1. Check ISE Admin > Administration > pxGrid Services > Clients

  2. Approve pending client

  3. Or enable auto-approve in pxGrid settings

Certificate Issues

  1. Verify client cert is trusted by ISE

  2. Check cert validity dates

  3. Verify CN matches registered name

No Events Received

  1. Confirm subscription is active

  2. Check WebSocket connection is established

  3. Verify ISE is generating events (authentication activity)
