Cisco ISE Integration
Identity Services Engine integration for network access control and policy automation
Identity Services Engine integration for network access control and policy automation
Integrate TYCHON Quantum Readiness with Cisco ISE to leverage network visibility, device profiling, and policy enforcement for automated cryptographic asset discovery and compliance validation.
Leverage ISE's device discovery for targeted scanning
Automatic scanning based on device attributes
Dynamic policy adjustment based on crypto findings
ISE Device Discovery → pxGrid API → TYCHON Quantum Readiness Trigger → Certificate Analysis → Policy Response → ISE ActionSet up pxGrid client to receive device session notifications:
#!/usr/bin/env python3
import json
import subprocess
import pxgrid
from pxgrid.stomp import PxgridStomp
class TychonISEIntegration:
def __init__(self, ise_host, client_name, client_cert, client_key, ca_cert):
self.config = pxgrid.Configuration()
self.config.host = ise_host
self.config.client_name = client_name
self.config.client_cert_path = client_cert
self.config.client_key_path = client_key
self.config.server_cert_path = ca_cert
self.pxgrid_control = pxgrid.ControlConnection(config=self.config)
def session_callback(self, message):
"""Handle new device session notifications from ISE"""
session_data = json.loads(message.body)
# Extract device information
endpoint_ip = session_data.get('endpointIPAddress')
mac_address = session_data.get('macAddress')
device_type = session_data.get('endpointProfile', 'Unknown')
# Trigger TYCHON Quantum Readiness based on device profile
if self.should_scan_device(device_type, endpoint_ip):
self.trigger_tychon_scanner(endpoint_ip, mac_address, device_type)
def should_scan_device(self, device_type, ip_address):
"""Determine if device should be scanned based on ISE profiling"""
scan_profiles = [
'Cisco-Device', 'Linux-Server', 'Windows-Server',
'Apache-HTTP-Server', 'Microsoft-IIS', 'Unknown'
]
return device_type in scan_profiles and ip_address
def trigger_tychon_scanner(self, target_ip, mac_address, device_type):
"""Execute TYCHON Quantum Readiness against discovered device"""
cmd = [
'/opt/certscanner/certscanner',
'-target', target_ip,
'-output-format', 'json',
'-upload-s3',
'-s3bucket', 'ise-certscanner-reports',
'-s3keyprefix', f'ise-discovery/{device_type}',
'-quiet'
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
print(f"✅ Successfully scanned {target_ip} ({device_type})")
self.send_ise_update(target_ip, mac_address, 'crypto-scanned', True)
else:
print(f"❌ Failed to scan {target_ip}: {result.stderr}")
self.send_ise_update(target_ip, mac_address, 'crypto-scan-failed', False)
except subprocess.TimeoutExpired:
print(f"⏰ Scan timeout for {target_ip}")
def send_ise_update(self, ip_address, mac_address, attribute, value):
"""Send custom attribute update back to ISE via ERS API"""
# Implementation would use ISE ERS API to update custom attributes
passDefine custom attributes in ISE to track crypto scanning results:
{
"customAttributes": [
{
"name": "CryptoScanStatus",
"type": "STRING",
"values": ["NotScanned", "Scanning", "Completed", "Failed"],
"description": "TYCHON Quantum Readiness execution status"
},
{
"name": "CertificateCount",
"type": "INTEGER",
"description": "Number of certificates discovered on device"
},
{
"name": "ExpiredCertificates",
"type": "INTEGER",
"description": "Number of expired certificates found"
},
{
"name": "PQCVulnerable",
"type": "BOOLEAN",
"description": "Device has post-quantum cryptography vulnerabilities"
},
{
"name": "WeakCrypto",
"type": "STRING",
"description": "Comma-separated list of weak cryptographic algorithms"
},
{
"name": "LastCryptoScan",
"type": "STRING",
"description": "Timestamp of last TYCHON Quantum Readiness execution"
},
{
"name": "CryptoRiskScore",
"type": "INTEGER",
"description": "Calculated crypto risk score (0-100)"
}
]
}Update device attributes via ISE External RESTful Services API:
#!/bin/bash
# Update ISE endpoint attributes with TYCHON Quantum Readiness results
ISE_HOST="${ISE_HOSTNAME}"
ISE_USER="${ISE_ERS_USERNAME}"
ISE_PASS="${ISE_ERS_PASSWORD}"
ENDPOINT_MAC="$1"
SCAN_RESULTS_FILE="$2"
# Parse TYCHON Quantum Readiness JSON results
CERT_COUNT=$(jq -r '.certificate_summary.total // 0' "$SCAN_RESULTS_FILE")
EXPIRED_COUNT=$(jq -r '.certificate_summary.expired // 0' "$SCAN_RESULTS_FILE")
PQC_VULNERABLE=$(jq -r '.pqc_vulnerable // false' "$SCAN_RESULTS_FILE")
WEAK_ALGOS=$(jq -r '.weak_algorithms[]? // empty' "$SCAN_RESULTS_FILE" | tr '\n' ',')
# Calculate risk score
RISK_SCORE=$((EXPIRED_COUNT * 20 + (PQC_VULNERABLE == "true" ? 30 : 0)))
# Update ISE endpoint via ERS API
curl -X PUT \
"https://${ISE_HOST}:9060/ers/config/endpoint/name/${ENDPOINT_MAC}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-u "${ISE_USER}:${ISE_PASS}" \
--insecure \
-d "{
\"ERSEndPoint\": {
\"customAttributes\": {
\"customAttributes\": {
\"CryptoScanStatus\": \"Completed\",
\"CertificateCount\": \"${CERT_COUNT}\",
\"ExpiredCertificates\": \"${EXPIRED_COUNT}\",
\"PQCVulnerable\": \"${PQC_VULNERABLE}\",
\"WeakCrypto\": \"${WEAK_ALGOS%,}\",
\"LastCryptoScan\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",
\"CryptoRiskScore\": \"${RISK_SCORE}\"
}
}
}
}"Create ISE policies that respond to TYCHON Quantum Readiness findings:
Rule Name: High-Risk Crypto Devices
Conditions:
- Network_Device_Name EQUALS Network Device Group#All Device Types#All Device Types
- CryptoRiskScore GREATER_THAN 50
- OR PQCVulnerable EQUALS true
- OR ExpiredCertificates GREATER_THAN 0
Permissions:
- Quarantine_VLAN
- LIMITED_ACCESS
- Security_Remediation_Required
Actions:
- Send CoA: Re-authenticate
- Log: High crypto risk device detected - #{CryptoRiskScore}
- Notify: Security team via SNMP trapRule Name: Crypto-Compliant Devices
Conditions:
- Network_Device_Name EQUALS Network Device Group#All Device Types#All Device Types
- CryptoScanStatus EQUALS Completed
- CryptoRiskScore LESS_THAN 20
- PQCVulnerable EQUALS false
- ExpiredCertificates EQUALS 0
Permissions:
- FULL_ACCESS
- Production_Network
Actions:
- Log: Crypto-compliant device access granted
- Set Attribute: DeviceComplianceStatus = CryptoCompliantRule Name: Crypto Remediation Required
Conditions:
- Network_Device_Name EQUALS Network Device Group#All Device Types#All Device Types
- CryptoRiskScore GREATER_THAN 20 AND LESS_THAN 50
- OR ExpiredCertificates GREATER_THAN 0 AND LESS_THAN 3
Permissions:
- LIMITED_ACCESS
- Remediation_Network
- Certificate_Management_Tools
Actions:
- Redirect: Certificate renewal portal
- Log: Device requires crypto remediation
- Schedule: Re-scan in 24 hoursCreate ISE profiling rules to classify devices based on crypto findings:
# High-Risk Crypto Profile
Profile Name: High-Risk-Crypto-Device
Rules:
- CryptoRiskScore GREATER_THAN 70
- OR (PQCVulnerable EQUALS true AND ExpiredCertificates GREATER_THAN 2)
Actions:
- Assign Profile: High-Risk-Crypto-Device
- Set Category: Security Risk
# Legacy Crypto Profile
Profile Name: Legacy-Crypto-Device
Rules:
- WeakCrypto CONTAINS "MD5"
- OR WeakCrypto CONTAINS "SHA1"
- OR WeakCrypto CONTAINS "RC4"
Actions:
- Assign Profile: Legacy-Crypto-Device
- Set Category: Legacy System
# PQC Vulnerable Profile
Profile Name: PQC-Vulnerable-Device
Rules:
- PQCVulnerable EQUALS true
Actions:
- Assign Profile: PQC-Vulnerable-Device
- Set Category: Quantum RiskAutomate periodic scanning of ISE-managed devices:
# Scheduled CertScanner execution using ISE device inventory (PowerShell)
$ISE_HOST = $env:ISE_HOSTNAME
$ISE_USER = $env:ISE_ERS_USERNAME
$ISE_PASS = $env:ISE_ERS_PASSWORD
Write-Host "Fetching active devices from ISE..."
# Prepare authentication
$AuthString = "${ISE_USER}:${ISE_PASS}"
$EncodedAuth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($AuthString))
$Headers = @{
"Authorization" = "Basic $EncodedAuth"
"Accept" = "application/json"
}
# Get list of active endpoints from ISE
try {
$Response = Invoke-RestMethod -Uri "https://${ISE_HOST}:9060/ers/config/endpoint" `
-Headers $Headers -SkipCertificateCheck
$ActiveDevices = $Response.SearchResult.resources
} catch {
Write-Error "Failed to fetch devices from ISE: $($_.Exception.Message)"
exit 1
}
Write-Host "Found $($ActiveDevices.Count) active devices"
# Scan each device
foreach ($device in $ActiveDevices) {
try {
# Get device details
$DeviceInfo = Invoke-RestMethod -Uri "https://${ISE_HOST}:9060/ers/config/endpoint/$($device.id)" `
-Headers $Headers -SkipCertificateCheck
$IPAddress = $DeviceInfo.ERSEndPoint.ipAddress
$MACAddress = $DeviceInfo.ERSEndPoint.mac
$Profile = $DeviceInfo.ERSEndPoint.profileId
if ($IPAddress -and $IPAddress -ne "null") {
Write-Host "Scanning $IPAddress ($MACAddress)..."
# Execute CertScanner
& "C:\Program Files\CertScanner\certscanner-windows-amd64.exe" `
-target $IPAddress `
-output-format json `
-upload-s3 `
-s3bucket ise-crypto-scans `
-s3keyprefix "scheduled-scans/$(Get-Date -Format 'yyyy-MM-dd')" `
-s3accesskey $env:AWS_ACCESS_KEY `
-s3secretkey $env:AWS_SECRET_KEY `
-quiet
if ($LASTEXITCODE -eq 0) {
Write-Host "✅ Successfully scanned $IPAddress" -ForegroundColor Green
} else {
Write-Host "❌ Failed to scan $IPAddress" -ForegroundColor Red
}
# Rate limiting between scans
Start-Sleep -Seconds 5
}
} catch {
Write-Host "❌ Error processing device: $($_.Exception.Message)" -ForegroundColor Red
}
}
Write-Host "Scheduled scan completed"#!/bin/bash
# Scheduled CertScanner execution using ISE device inventory (Linux)
ISE_HOST="${ISE_HOSTNAME}"
ISE_USER="${ISE_ERS_USERNAME}"
ISE_PASS="${ISE_ERS_PASSWORD}"
echo "Fetching active devices from ISE..."
# Get list of active endpoints from ISE
ACTIVE_DEVICES=$(curl -s -u "${ISE_USER}:${ISE_PASS}" \
"https://${ISE_HOST}:9060/ers/config/endpoint" \
-H "Accept: application/json" \
--insecure | jq -r '.SearchResult.resources[]?.id // empty')
echo "Found $(echo "$ACTIVE_DEVICES" | wc -l) active devices"
# Scan each device
for device_id in $ACTIVE_DEVICES; do
# Get device details
DEVICE_INFO=$(curl -s -u "${ISE_USER}:${ISE_PASS}" \
"https://${ISE_HOST}:9060/ers/config/endpoint/${device_id}" \
-H "Accept: application/json" \
--insecure)
IP_ADDRESS=$(echo "$DEVICE_INFO" | jq -r '.ERSEndPoint.ipAddress // empty')
MAC_ADDRESS=$(echo "$DEVICE_INFO" | jq -r '.ERSEndPoint.mac // empty')
PROFILE=$(echo "$DEVICE_INFO" | jq -r '.ERSEndPoint.profileId // "Unknown"')
if [ -n "$IP_ADDRESS" ] && [ "$IP_ADDRESS" != "null" ]; then
echo "Scanning $IP_ADDRESS ($MAC_ADDRESS)..."
# Execute CertScanner
/opt/certscanner/certscanner-linux-x64 \
-target "$IP_ADDRESS" \
-output-format json \
-upload-s3 \
-s3bucket ise-crypto-scans \
-s3keyprefix "scheduled-scans/$(date +%Y-%m-%d)" \
-s3accesskey "$AWS_ACCESS_KEY" \
-s3secretkey "$AWS_SECRET_KEY" \
-quiet
if [ $? -eq 0 ]; then
echo "✅ Successfully scanned $IP_ADDRESS"
else
echo "❌ Failed to scan $IP_ADDRESS"
fi
# Rate limiting between scans
sleep 5
fi
done
echo "Scheduled scan completed"#!/bin/bash
# Scheduled CertScanner execution using ISE device inventory (macOS)
ISE_HOST="${ISE_HOSTNAME}"
ISE_USER="${ISE_ERS_USERNAME}"
ISE_PASS="${ISE_ERS_PASSWORD}"
# Detect Mac architecture
if [[ $(uname -m) == "arm64" ]]; then
CERTSCANNER="/opt/certscanner/certscanner-darwin-arm64"
else
CERTSCANNER="/opt/certscanner/certscanner-darwin-amd64"
fi
echo "Fetching active devices from ISE..."
echo "Using TYCHON Quantum Readiness binary: $CERTSCANNER"
# Get list of active endpoints from ISE
ACTIVE_DEVICES=$(curl -s -u "${ISE_USER}:${ISE_PASS}" \
"https://${ISE_HOST}:9060/ers/config/endpoint" \
-H "Accept: application/json" \
--insecure | jq -r '.SearchResult.resources[]?.id // empty')
echo "Found $(echo "$ACTIVE_DEVICES" | wc -l) active devices"
# Scan each device
for device_id in $ACTIVE_DEVICES; do
# Get device details
DEVICE_INFO=$(curl -s -u "${ISE_USER}:${ISE_PASS}" \
"https://${ISE_HOST}:9060/ers/config/endpoint/${device_id}" \
-H "Accept: application/json" \
--insecure)
IP_ADDRESS=$(echo "$DEVICE_INFO" | jq -r '.ERSEndPoint.ipAddress // empty')
MAC_ADDRESS=$(echo "$DEVICE_INFO" | jq -r '.ERSEndPoint.mac // empty')
PROFILE=$(echo "$DEVICE_INFO" | jq -r '.ERSEndPoint.profileId // "Unknown"')
if [ -n "$IP_ADDRESS" ] && [ "$IP_ADDRESS" != "null" ]; then
echo "Scanning $IP_ADDRESS ($MAC_ADDRESS)..."
# Execute CertScanner (memory scanning may not be available on macOS)
"$CERTSCANNER" \
-target "$IP_ADDRESS" \
-output-format json \
-upload-s3 \
-s3bucket ise-crypto-scans \
-s3keyprefix "scheduled-scans/$(date +%Y-%m-%d)" \
-s3accesskey "$AWS_ACCESS_KEY" \
-s3secretkey "$AWS_SECRET_KEY" \
-quiet
if [ $? -eq 0 ]; then
echo "✅ Successfully scanned $IP_ADDRESS"
else
echo "❌ Failed to scan $IP_ADDRESS"
fi
# Rate limiting between scans
sleep 5
fi
done
echo "Scheduled scan completed"Implement real-time policy actions based on crypto findings:
#!/usr/bin/env python3
import json
import requests
from datetime import datetime
class ISEPolicyResponse:
def __init__(self, ise_host, username, password):
self.ise_host = ise_host
self.auth = (username, password)
self.base_url = f"https://{ise_host}:9060/ers/config"
def process_scan_results(self, scan_results_path, endpoint_mac):
"""Process TYCHON Quantum Readiness results and update ISE policies"""
with open(scan_results_path, 'r') as f:
results = json.load(f)
# Calculate risk metrics
risk_score = self.calculate_risk_score(results)
# Update endpoint attributes
self.update_endpoint_attributes(endpoint_mac, results, risk_score)
# Apply appropriate policy action
if risk_score >= 70:
self.quarantine_device(endpoint_mac, "High crypto risk")
elif risk_score >= 40:
self.limit_device_access(endpoint_mac, "Moderate crypto risk")
else:
self.grant_full_access(endpoint_mac, "Crypto compliant")
def calculate_risk_score(self, results):
"""Calculate crypto risk score (0-100)"""
score = 0
# Expired certificates
expired = results.get('certificate_summary', {}).get('expired', 0)
score += min(expired * 15, 45) # Max 45 points for expired certs
# PQC vulnerability
if results.get('pqc_vulnerable', False):
score += 30
# Weak algorithms
weak_algos = len(results.get('weak_algorithms', []))
score += min(weak_algos * 5, 25) # Max 25 points for weak algos
return min(score, 100)
def quarantine_device(self, mac_address, reason):
"""Send CoA to quarantine high-risk device"""
coa_payload = {
"CoARequest": {
"userName": mac_address,
"macAddress": mac_address,
"nasIPAddress": "ALL",
"disconnectType": "Reauthorize"
}
}
response = requests.post(
f"{self.base_url}/coa/disconnect",
json=coa_payload,
auth=self.auth,
verify=False
)
print(f"Quarantined {mac_address}: {reason} (Response: {response.status_code})")Custom queries for ISE Monitoring and Troubleshooting node:
-- ISE MnT Database Query for Crypto Risk Assessment
SELECT
e.mac_address,
e.ip_address,
e.device_profile,
ca.crypto_scan_status,
ca.certificate_count,
ca.expired_certificates,
ca.pqc_vulnerable,
ca.crypto_risk_score,
ca.last_crypto_scan,
s.session_state,
s.authorization_profile
FROM endpoints e
LEFT JOIN custom_attributes ca ON e.endpoint_id = ca.endpoint_id
LEFT JOIN sessions s ON e.mac_address = s.calling_station_id
WHERE ca.crypto_scan_status IS NOT NULL
ORDER BY ca.crypto_risk_score DESC, ca.last_crypto_scan DESC;Forward ISE authentication events enriched with crypto data to SIEM:
# ISE Logging Configuration for Crypto Events
# Remote Logging Target
Syslog Target: splunk.company.com:514
Protocol: UDP
Facility: LOG_LOCAL3
Severity: INFO
# Log Message Template
Template: ISE_CRYPTO_AUTH
Format: %timestamp% ISE=%hostname% Event=Authentication Result=%result%
User=%username% MAC=%calling-station-id% IP=%framed-ip-address%
Profile=%endpoint-profile% CryptoRisk=%CryptoRiskScore%
PQCVuln=%PQCVulnerable% ExpiredCerts=%ExpiredCertificates%
# Logging Categories
- Authentication Success/Failure
- Authorization Policy Matched
- CoA/Disconnect Events
- Custom Attribute Updates
- Profiling ChangesDeploy TYCHON Quantum Readiness as a containerized service with ISE integration:
FROM alpine:latest
# Install dependencies
RUN apk add --no-cache ca-certificates curl jq python3 py3-pip
# Install Python dependencies for pxGrid
RUN pip3 install pxgrid requests
# Copy TYCHON Quantum Readiness binary
COPY certscanner /opt/certscanner/certscanner
COPY ise-integration.py /opt/certscanner/ise-integration.py
COPY config/ /opt/certscanner/config/
# Set permissions
RUN chmod +x /opt/certscanner/certscanner
RUN chmod +x /opt/certscanner/ise-integration.py
# Create non-root user
RUN adduser -D -s /bin/sh certscanner
USER certscanner
# Health check
HEALTHCHECK --interval=60s --timeout=10s --start-period=5s --retries=3 \
CMD /opt/certscanner/certscanner -version || exit 1
# Run ISE integration service
CMD ["/opt/certscanner/ise-integration.py"]Deploy TYCHON Quantum Readiness ISE integration in Kubernetes:
apiVersion: apps/v1
kind: Deployment
metadata:
name: certscanner-ise-integration
namespace: security-tools
spec:
replicas: 2
selector:
matchLabels:
app: certscanner-ise
template:
metadata:
labels:
app: certscanner-ise
spec:
containers:
- name: certscanner-ise
image: your-registry/certscanner-ise:latest
env:
- name: ISE_HOSTNAME
valueFrom:
secretKeyRef:
name: ise-credentials
key: hostname
- name: ISE_ERS_USERNAME
valueFrom:
secretKeyRef:
name: ise-credentials
key: username
- name: ISE_ERS_PASSWORD
valueFrom:
secretKeyRef:
name: ise-credentials
key: password
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-credentials
key: access-key
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-credentials
key: secret-key
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "512Mi"
cpu: "500m"
livenessProbe:
exec:
command:
- /opt/certscanner/certscanner
- -version
initialDelaySeconds: 30
periodSeconds: 60
---
apiVersion: v1
kind: Service
metadata:
name: certscanner-ise-service
namespace: security-tools
spec:
selector:
app: certscanner-ise
ports:
- port: 8080
targetPort: 8080
type: ClusterIPAdd crypto-related custom attributes to ISE endpoint schema
Configure pxGrid client for real-time session notifications
Build policy rules based on crypto risk scoring
Install TYCHON Quantum Readiness ISE integration as a service
Validate policy enforcement and monitor crypto compliance
# Test ISE + TYCHON Quantum Readiness integration (Windows)
.\certscanner-windows-amd64.exe -target YOUR_TEST_HOST `
-output-format json `
-upload-s3 `
-s3bucket ise-crypto-reports `
-s3keyprefix ise-integration-test
if ($LASTEXITCODE -eq 0) {
python ise-integration.py --test-mode
}# Test ISE + TYCHON Quantum Readiness integration (Linux)
./certscanner-linux-x64 -target YOUR_TEST_HOST \
-output-format json \
-upload-s3 \
-s3bucket ise-crypto-reports \
-s3keyprefix ise-integration-test \
&& python3 ise-integration.py --test-mode# Test ISE + TYCHON Quantum Readiness integration (macOS)
# For Intel Macs:
./certscanner-darwin-amd64 -target YOUR_TEST_HOST \
-output-format json \
-upload-s3 \
-s3bucket ise-crypto-reports \
-s3keyprefix ise-integration-test \
&& python3 ise-integration.py --test-mode
# For Apple Silicon Macs:
./certscanner-darwin-arm64 -target YOUR_TEST_HOST \
-output-format json \
-upload-s3 \
-s3bucket ise-crypto-reports \
-s3keyprefix ise-integration-test \
&& python3 ise-integration.py --test-mode