PPS and Nozomi Networks Integration

Overview

Nozomi Networks can discover and report details of ICS devices in Operational Technology (OT) environments. OT devices include valves, transmitters, switches, sensors and actuators, and they rely on custom protocols for management and communication.

Nozomi Networks provides detailed information about OT devices, such as device category, OS, manufacturer and firmware version. The PPS integration with Nozomi Networks allows PPS to retrieve these OT device details and use them for network segmentation by assigning enforcement policies based on VLANs or ACLs.

This section describes how to integrate Nozomi Networks with PPS.

When PPS is configured for MAC address authentication, the authentication process works as follows:

1. Whenever a device tries to connect to the network, a MAC authentication request is sent to PPS. PPS can then query Nozomi Networks for the device's attributes using a device identifier such as the MAC address.

2. The retrieved attributes can be used in role mapping rules to determine the role of the device. Based on the assigned role, the device can be placed in a specific VLAN or ACL policies can be applied.

3. PPS periodically queries Nozomi Networks for changes in the attributes and reassigns the role accordingly.

Summary of Configuration

Configuring PPS with Nozomi Networks

A high-level overview of the configuration steps needed to set up and run the integration:

The administrator performs the basic PPS configuration: creating an authentication server, an authentication realm, user roles, and role mapping rules.

Configure Nozomi Networks as an HTTP attribute server in PPS.

Configure the switches/WLC as RADIUS clients in PPS (Endpoint Policy > Network Access > Radius Clients > New Radius Client). The switch must be configured with PPS as its RADIUS server.

The configured HTTP attribute server must be mapped as the "Device Attributes" server under the realm configuration; role mapping rules can then assign roles based on the attributes received from that server.

1. Configure Nozomi Networks as an HTTP attribute server in PPS (see Configuring HTTP Attribute Server).

2. Select Endpoint Policy > MAC Address Realms and click New to create the authentication realm. Under Device Attributes, select the Nozomi HTTP attribute server created earlier. Alternatively, go to User Realms > Users > General and select the Nozomi Networks server under Device Attributes.

3. Configure rules based on Device Attributes: from Endpoint Policy > MAC Address Realms, click Role Mapping > Role Mapping Rule, create a new rule, select Rule based on: Device Attribute and click Update. Alternatively, use User Realms > Users > Role Mapping > Role Mapping Rule.

4. Click Save Changes.

Once the role mapping rule is created, the summary page shown below lists the rules created and the role assigned by each.

The MAC address is used as the device identifier to query attributes from Nozomi Networks. Without Host Checker, PPS does not learn the MAC address, so for agentless sessions/logins pre-auth Host Checker must be enabled.
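The following Python simulation, added here as an illustration and not PPS or Nozomi Networks code, walks through the flow described above: attributes are looked up by MAC address, ordered role mapping rules assign a role and VLAN, a periodic re-query reassigns the role when an attribute changes, and a session with no learned MAC (Host Checker disabled) is rejected. The attribute names, rule syntax, stub lookup table, roles and VLAN numbers are all constructed for this example.

```python
import re
# Constructed stand-in for what the HTTP attribute server returns (not real Nozomi data).
NOZOMI_STUB = {
    "00:1a:2b:3c:4d:5e": {"category": "PLC", "manufacturer": "ExampleCo", "firmware": "1.2.0"},
    "00:1a:2b:3c:4d:5f": {"category": "HMI", "manufacturer": "ExampleCo", "firmware": "3.0.1"},
}

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form. An empty MAC means PPS never learned it
    (agentless session without pre-auth Host Checker), so no lookup is possible."""
    if not mac:
        raise ValueError("no MAC learned for session; enable pre-auth Host Checker")
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def fetch_attributes(mac: str) -> dict:
    # Query step: device identifier (MAC) -> attributes; unknown device -> {}.
    return NOZOMI_STUB.get(normalize_mac(mac), {})

def version(v: str) -> tuple:
    return tuple(int(p) for p in v.split(".") if p.isdigit())
# Role mapping rules: (name, predicate on attributes, role, VLAN); first match wins.
RULES = [
    ("plc-current", lambda a: a.get("category") == "PLC" and version(a.get("firmware", "0")) >= (1, 2, 0), "OT-PLC", 100),
    ("plc-stale", lambda a: a.get("category") == "PLC", "OT-Quarantine", 999),
    ("hmi", lambda a: a.get("category") == "HMI", "OT-HMI", 110),
]
DEFAULT = ("Unknown-Device", 999)  # no rule matched: restrictive VLAN

def map_role(attrs: dict) -> tuple:
    for _name, matches, role, vlan in RULES:
        if matches(attrs):
            return role, vlan
    return DEFAULT

def authenticate(mac: str) -> tuple:
    # MAC auth request: fetch attributes, then assign role and VLAN.
    return map_role(fetch_attributes(mac))

def reevaluate(sessions: dict) -> list:
    """Periodic re-query: update sessions whose role changed, return (mac, old, new)."""
    changes = []
    for mac, old in sessions.items():
        new = authenticate(mac)
        if new != old:
            changes.append((mac, old[0], new[0]))
            sessions[mac] = new
    return changes
```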