Introduction

pxGrid 2.0, introduced in Cisco Identity Services Engine (ISE) 2.3, brings several key improvements and enhancements over the original pxGrid framework, making it more robust, scalable, and easier to deploy. One of the most significant improvements is the shift to a more modern, REST-based API, which simplifies integration with third-party security solutions and network devices, allowing for faster and more flexible communication between different systems. pxGrid 2.0 now operates using REST and WebSocket protocols, providing a modern approach to application-to-application communication.

The initial pxGrid server used the Extensible Messaging and Presence Protocol (XMPP), which, although once popular, had significant limitations for application messaging. For example, the publish-subscribe (pubsub) model required costly modifications to every XML message, burdening both servers and clients. The XCP server, a common XMPP implementation, was designed for chat-style messages, which is a poor fit for application communication that often carries large data streams. XMPP also required a complete message to be constructed before transmission, resulting in high memory demands. To work around these issues, the original pxGrid added an out-of-band REST mechanism, which left the services inconsistent with one another. Moreover, XMPP required a complex client SDK with limited programming-language support, adding to the learning curve for developers.

This is where REST and WebSocket protocols offer significant improvements. Both are simple, widely supported, and industry-standard for application communication. WebSocket enables fast, scalable bi-directional data transfer, while REST facilitates quick, extensible querying—all over the same interface. In pxGrid 2.0, WebSocket handles pubsub components, while REST manages one-shot queries, with messages now formatted in simpler JSON.

WebSocket dramatically improves pxGrid’s performance and scalability. Previously, a pxGrid server with one active subscriber could handle only 20,000 KB/s, with performance decreasing as more subscribers were added. With WebSocket, pxGrid can support significantly higher data rates, and multiple pxGrid servers can actively serve clients at the same time. Each server now supports 150 clients at a combined rate of 100,000 KB/s. In ISE 2.3, two active pxGrid servers are recommended, and later versions support up to four pxGrid servers.
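As an added illustration (not code from the original post or from Cisco), the following Python builds and parses the kind of frames a pxGrid 2.0 client exchanges over the WebSocket for pubsub. pxGrid 2.0 carries its pubsub traffic as STOMP frames inside the WebSocket, a detail the text above does not spell out: the client sends a SUBSCRIBE frame naming the topic (here /topic/com.cisco.ise.session from the Policy page), and the pxGrid node answers with MESSAGE frames whose body is JSON. The sample session payload, its field values, and the function names are constructed for this example and are not taken from an ISE capture.

```python
"""Build and parse STOMP frames as pxGrid 2.0 carries them over WebSocket (added example)."""
import json

SESSION_TOPIC = "/topic/com.cisco.ise.session"

# Constructed sample notification. Field names follow the usual shape of a
# session-directory message but the values are invented for this example.
SAMPLE_SESSION = {
    "sessions": [
        {"state": "STARTED", "userName": "alice", "nasIpAddress": "10.0.0.1",
         "callingStationId": "00:11:22:33:44:55", "ipAddresses": ["10.1.2.3"]}
    ]
}


def build_frame(command, headers, body=b""):
    """Serialize a STOMP 1.2 frame: COMMAND line, header lines, blank line, body, NUL."""
    lines = [command] + [f"{k}:{v}" for k, v in headers.items()]
    head = "\n".join(lines).encode("utf-8") + b"\n\n"
    return head + body + b"\x00"


def subscribe_frame(topic, sub_id="0"):
    """SUBSCRIBE frame a client sends after CONNECT to start receiving a topic."""
    return build_frame("SUBSCRIBE", {"destination": topic, "id": sub_id})


def message_frame(topic, payload):
    """MESSAGE frame as the publishing side would emit a JSON payload on a topic."""
    body = json.dumps(payload).encode("utf-8")
    headers = {"destination": topic,
               "content-type": "application/json",
               "content-length": str(len(body))}
    return build_frame("MESSAGE", headers, body)


def parse_frame(raw):
    """Parse one frame into (command, headers, body).

    Honour content-length when present so a body containing NUL survives;
    otherwise read up to the terminating NUL. Only LF line endings are handled.
    """
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("malformed frame: no header terminator")
    head_lines = head.decode("utf-8").split("\n")
    command, headers = head_lines[0], {}
    for line in head_lines[1:]:
        key, _, value = line.partition(":")
        headers.setdefault(key, value)  # STOMP: first occurrence of a repeated header wins
    if "content-length" in headers:
        length = int(headers["content-length"])
        body = rest[:length]
        if rest[length:length + 1] != b"\x00":
            raise ValueError("malformed frame: content-length does not end at NUL")
    else:
        body, sep, _ = rest.partition(b"\x00")
        if not sep:
            raise ValueError("malformed frame: missing NUL terminator")
    return command, headers, body


def handle_session_message(raw):
    """Decode a MESSAGE on the session topic; return (state, userName) pairs, else []."""
    command, headers, body = parse_frame(raw)
    if command != "MESSAGE" or headers.get("destination") != SESSION_TOPIC:
        return []
    payload = json.loads(body.decode("utf-8"))
    return [(s.get("state"), s.get("userName")) for s in payload.get("sessions", [])]


if __name__ == "__main__":
    print(subscribe_frame(SESSION_TOPIC).decode())
    wire = message_frame(SESSION_TOPIC, SAMPLE_SESSION)
    print(handle_session_message(wire))
```

The parser checks the frame's declared length and the destination header before decoding the JSON, which is the discipline a subscriber should keep rather than treating everything that arrives on the socket as a well-formed session update.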

Navigating the pxGrid Services Dashboard

Navigate to Administration > pxGrid Services > Summary to view the pxGrid dashboard.

This will display high-level information about the following:

  • Active Connections:
    • Pubsub connections – This displays the number of active Pubsub connections to pxGrid. Some of these might be internal to ISE.
    • Control Messages – The number of control messages received in the last hour for authentication, authorization, and service discovery.
    • REST API – The number of REST API messages received in the last hour from clients that connect through WebSocket or XMPP.
    • PubSub Throughput – The amount of data published to pxGrid clients. This is extremely helpful for scaling your pxGrid deployment and a much-needed addition.
  • Total Clients – Number of pending and approved pxGrid clients.
  • Errors – The total number of transmission errors in which the client asked for data transfer to restart in the last hour as well as a list of the recent messages.

The Clients tab lists several pages on the left-hand side.

On the Clients page, we can do the following:

  • Manually approve/decline pending pxGrid clients
  • Add a pxGrid client to a group

The Policy page shows the services and policies available to pxGrid clients, and it is also where new policies are created.

The default services are:

  • com.cisco.ise.radius
  • com.cisco.ise.sxp
  • com.cisco.ise.trustsec
  • com.cisco.ise.session
  • com.cisco.ise.system
  • com.cisco.ise.mdm
  • com.cisco.ise.config.trustsec
  • com.cisco.ise.config.profiler
  • com.cisco.ise.pxgrid.admin
  • com.cisco.ise.config.deployment.node
  • com.cisco.ise.endpoint
  • com.cisco.ise.config.anc
  • com.cisco.ise.dnac
  • com.cisco.ise.config.upn
  • com.cisco.ise.pubsub

The default operations are as follows:

  • <ANY>
  • publish /topic/com.cisco.ise.session – Publishes session information.
  • publish /topic/com.cisco.ise.identity.group – Allows the pxGrid client to subscribe to the ISE-published identity topics and receive notifications.
  • publish /topic/com.cisco.ise.anc – Allows the pxGrid client to retrieve all ANC policies and their associated actions.

The Group page is where you can add or modify groups. Groups can be used with pxGrid clients to limit their access to services.
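To make the group, service and operation model concrete, here is an added Python sketch (not ISE code and not its actual policy engine) that decides whether a client may perform an operation on a service, using the service names and operation strings from the lists above. The group names session-readers and anc-operators, the Client and Policy structures, the default-deny behaviour and the pairing of each operation with a service are assumptions of this toy model.

```python
"""Toy model of pxGrid client groups and policies (added example, not ISE's engine)."""
from dataclasses import dataclass, field

ANY = "<ANY>"  # wildcard operation, as shown on the Policy page


@dataclass(frozen=True)
class Policy:
    group: str       # pxGrid client group the rule applies to (hypothetical names below)
    service: str     # service name, e.g. com.cisco.ise.session
    operation: str   # operation string, e.g. "publish /topic/com.cisco.ise.session", or ANY


@dataclass
class Client:
    name: str
    groups: set = field(default_factory=set)
    approved: bool = False  # a client still pending on the Clients page gets nothing


# Constructed sample policy set. Group names are invented; the service and
# operation strings are the defaults listed on the Policy page, and which
# operation belongs to which service is assumed for the example.
POLICIES = [
    Policy("session-readers", "com.cisco.ise.session", "publish /topic/com.cisco.ise.session"),
    Policy("anc-operators", "com.cisco.ise.config.anc", ANY),
]


def is_allowed(client, service, operation, policies=POLICIES):
    """Default-deny: allow only when an approved client's group has a matching rule."""
    if not client.approved:
        return False
    return any(
        p.service == service
        and p.group in client.groups
        and (p.operation == ANY or p.operation == operation)
        for p in policies
    )


def effective_access(client, policies=POLICIES):
    """Every (service, operation) pair the client can reach, sorted.

    Useful for a least-privilege review: a client that only needs session
    notifications should not show up with <ANY> on com.cisco.ise.config.anc.
    """
    if not client.approved:
        return []
    return sorted({(p.service, p.operation) for p in policies if p.group in client.groups})


if __name__ == "__main__":
    siem = Client("siem-collector", {"session-readers"}, approved=True)
    pending = Client("new-sensor", {"session-readers"})  # not yet approved
    print(is_allowed(siem, "com.cisco.ise.session", "publish /topic/com.cisco.ise.session"))  # True
    print(is_allowed(siem, "com.cisco.ise.config.anc", "publish /topic/com.cisco.ise.anc"))  # False
    print(is_allowed(pending, "com.cisco.ise.session", "publish /topic/com.cisco.ise.session"))  # False
    print(effective_access(siem))
```

Running effective_access over every approved client is a quick way to spot a group that was given <ANY> on a service when a single publish operation would have done.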

The Certificates page is where we can generate new certificates for pxGrid clients using ISE’s internal CA.

We will save the pxGrid Cloud Connection and pxGrid Cloud Policy pages for future posts.

Navigate to the Diagnostics tab. This is where we can get rich information and troubleshoot issues with pxGrid.

The Websockets page under Diagnostics lists all pxGrid 2.0 clients, both internal to ISE and external.

The Logs page lists various management events.

The Tests page is interesting: it allows you to run a test to see whether a client can access the Session Directory service, as well as a general health-monitoring test. This is excellent for troubleshooting.

The Settings tab is the last tab we will look at. There are only two settings:

  • Automatically approve new certificate-based accounts – I will check this box since this is a lab. Depending on your risk profile, you may want to keep this box unchecked in production.
  • Allow password-based account creation – This is an option for legacy devices. I have never had to turn this on, but there might be corner cases.

Click Save.