topic ISE Integration with Stealthwatch in Network Access Control

ISE Integration with Stealthwatch

jatedesc — Mon, 16 Dec 2019 03:09:56 GMT

I have a customer who is currently running ISE and Stealthwatch Enterprise. Within the Stealthwatch console user names can been seen when using PEAP authentication in ISE.

The customer has now moved to machine certificates and now the usernames are longer seen in Stealthwatch. I have been advised to get the user details we will need to have user certs deployed. Is this correct?

Is there an alternative way to obtain the user information?

Thanks.

Re: ISE Integration with Stealthwatch

Francesco Molino — Mon, 16 Dec 2019 04:22:26 GMT

Hi

You need to have a user authentication/information in ISE to be consumed by Stealthwatch.

Today if you have machine authentication only, you can have the following options to gain usernames in ISE:
- eap-chaining with anyconnect
- dual authentication (machine and user)
- ise passive id: keep the machine authentication and when the user logs in, it will be an exchange of information between ise and ad

For the first 2 options, yes you can deploy certificates and use them to authenticate users.

Re: ISE Integration with Stealthwatch

Damien Miller — Mon, 16 Dec 2019 04:22:52 GMT

Consider a few approaches to this and see if any are viable. User certificates are not a hard requirement, but we still have to gather the user some way.

1. Install AnyConnect NAM with EAP chaining to replace the native supplicant. Performing both machine and user authentication at the same time.

2. Leverage machine and then user authentication with a native supplicant. Machine when no user is logged in, user once a user logs in.

3. Consider implementing the passive identity connector (ISE-PIC), collecting user data out of band/passively for use with the integration.