Integrating a Edge SWG (ProxySG) with Cisco Identity Services Engine (ISE) should be possible, since the ISE would be set up on the Proxy as a RADIUS server, and the Edge SWG (ProxySG) supports RADIUS authentication. 

SG/ASG/ISG-Proxy; Cisco ISE

Here’s an outline of how this integration can be accomplished:

Integrating a Edge SWG (ProxySG) with Cisco Identity Services Engine (ISE) should be possible, since the ISE would be set up on the Proxy as a RADIUS server, and the Edge SWG (ProxySG) supports RADIUS authentication. Here’s an outline of how this integration can be accomplished:

Steps for Integration

• Configure Cisco ISE for ProxySG Communication:

• • Add the Edge SWG (ProxySG) as a Network Device:

• • • Go to the Cisco ISE administration interface.
    • Navigate to Administration > Network Resources > Network Devices.
    • Add a new device and enter the necessary details such as the IP address of the ProxySG and a shared secret (used for RADIUS communication).

• Enable RADIUS on the Edge SWG (ProxySG):

• • Configure ProxySG to Use Cisco ISE as a RADIUS Server:

• • • Log into the Edge SWG (ProxySG) management console.
    • Navigate to Configuration > Authentication > RADIUS.
    • Add a new RADIUS server with the IP address of the Cisco ISE server and the shared secret you configured in ISE.
  • Ref.: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/getting-started/page-help-configuration/page-help-authentication/about-radius/radius-servers.html 

• Policy Configuration on the Edge SWG (ProxySG):

• • Define Authentication and Authorization Policies:

• • • Go to Configuration > Policy.
    • Define policies to specify which traffic needs to be authenticated.
    • Create rules to use RADIUS for user authentication.

• Send Authentication Requests to ISE:

• • Ensure that the policies on the Edge SWG (ProxySG) are configured to send authentication requests to Cisco ISE using RADIUS.

• Configure Policy Sets on Cisco ISE:

• • Create Policy Sets for ProxySG:

• • • Go to Policy > Policy Sets.
    • Create a new policy set that matches the authentication requests coming from the Edge SWG (ProxySG).
    • Define authentication policies (e.g., RADIUS-based) and authorization policies to determine what actions to take based on user identity and group membership.

• Testing and Verification:

• • Test the Integration:

• • • Access a resource through ProxySG that requires authentication.
    • Verify that the authentication request is sent to Cisco ISE.
    • Check logs on both the Edge SWG (ProxySG) and Cisco ISE to ensure the integration is working correctly.
    • Validate that policies on ISE are being enforced as expected.

Additional Considerations

Certificates: Ensure that any necessary certificates are properly configured on both ProxySG and Cisco ISE to secure the communication.

Logging and Monitoring: Implement logging and monitoring on both devices to track authentication attempts and policy enforcement.

Troubleshooting: If issues arise, use the logging features on both devices to identify and resolve configuration errors or communication problems.

By following these steps, you can successfully integrate Blue Coat ProxySG with Cisco ISE to leverage enhanced authentication, authorization, and accounting (AAA) capabilities for web traffic passing through the Edge SWG (ProxySG) appliance.

Notes:

To debug RADIUS authentication on the Edge SWG (ProxySG) appliance, you need to follow a series of steps to ensure you gather the necessary information and troubleshoot effectively. Here's a detailed guide:

Steps to Debug RADIUS Authentication on the Edge SWG (ProxySG)

1. Enable RADIUS Logging:
    
   • Access the Edge SWG (ProxySG) Management Console.
   • Go to Configuration > Authentication > RADIUS.
   • Ensure that logging for RADIUS events is enabled. This might involve setting the logging level to a more verbose setting to capture detailed information.
2. Check RADIUS Server Configuration:
   • Verify that the RADIUS server settings (IP address, port, shared secret) are correctly configured on the ProxySG.
   • Ensure that the RADIUS server is reachable from the Edge SWG (ProxySG) appliance.

3. Review Policy Configuration:

   • Go to Configuration > Policy > Policy Files.
   • Review the policy rules related to authentication to ensure they are correctly referencing the RADIUS authentication realm.
   • Ensure the authentication policy is correctly applied and active.

4. Enable Debug Logging:

   • Go to Configuration > Policy > Policy Options.
   • Enable debug logging for authentication-related events. This can typically be set to a debug or trace level.

5. Monitor Real-Time Logs:

   • Go to Statistics/Reports > Access Logging > View Logs.
   • Monitor the real-time logs to see the authentication attempts and any related messages.
   • Look for entries that show the RADIUS requests and responses.
     
     
6. Collect the auth debug log on the Edge SWG (ProxySG), with web authentication tested. Ref.: https://knowledge.broadcom.com/external/article/166436/collecting-authentication-debug-log.html. This logs the authentication process.

There's no documented way to monitor config changes made on the Cisco ISE, from the Edge SWG (ProxySG) appliance

Where required, for troubleshooting anything on the Cisco ISE, please refer to your Cisco ISE team.