https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589286#M496398 <HTML><HEAD></HEAD><BODY><P>Hey Chao,</P><P></P><P>Hsing-Tsu is correct, this is expected behavior.&nbsp; Please see: <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/user_identity_sources.html" title="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/user_identity_sources.html">https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/user_identity_sources.html</A></P><P></P><P>"<SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;">If the TS Agent monitors the same users as another passive authentication identity source (the User Agent or ISE), the Firepower Management Center prioritizes the TS Agent data. If the TS Agent and a passive identity source report activity by the same IP address, only the TS Agent data is logged to the Firepower Management Center"</SPAN></P><P></P><P>Thanks,</P><P>John</P><P><A class="jive-link-email-small" href="mailto:jeppich@cisco.com">jeppich@cisco.com</A></P></BODY></HTML> Fri, 06 Jul 2018 23:09:55 GMT jeppich 2018-07-06T23:09:55Z https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589282#M496394 <HTML><HEAD></HEAD><BODY><P>i got TS agent working with ISE 2.2 .</P><P>on ISE 2.2, I can see the User ID, IP and Port range mapping in live session table.</P><P><IMG alt="sl.JPG" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/118179_sl.JPG" style="height: 165px; width: 620px;" /></P><P>But on FMC, it doesnt show these information.</P><P><IMG alt="slfmc.JPG" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/118180_slfmc.JPG" style="height: 126px; width: 620px;" /></P><P></P><P>If i use TS agent directly sent to FMC, it will work. </P><P><SPAN style="font-size: 13.3333px;">Is this some kind of&nbsp; bug between ISE and FMC? </SPAN></P><P><SPAN style="font-size: 13.3333px;">Because TS agent only allow to send mapping to 2 servers, if we need to see all user identity information on ISE and also works on FMC, so we have to send to both ISE and FMC, we will lose redundancy.</SPAN></P><P><SPAN style="font-size: 13.3333px;">it doesnt make sense. <BR /></SPAN></P></BODY></HTML> Fri, 06 Jul 2018 18:48:01 GMT https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589282#M496394 csco11552159 2018-07-06T18:48:01Z https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589283#M496395 <HTML><HEAD></HEAD><BODY><P>I think it might be expected at present. I will check with our teams.</P></BODY></HTML> Fri, 06 Jul 2018 21:23:17 GMT https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589283#M496395 hslai 2018-07-06T21:23:17Z https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589284#M496396 <HTML><HEAD></HEAD><BODY><P>Thank you.</P><P>and on FMC, in this way will only keep the last user login.</P></BODY></HTML> Fri, 06 Jul 2018 21:36:12 GMT https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589284#M496396 csco11552159 2018-07-06T21:36:12Z https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589285#M496397 <HTML><HEAD></HEAD><BODY><P>Some info from our PM indicated that our teams are still working on this to make it more consumable.</P></BODY></HTML> Fri, 06 Jul 2018 23:08:13 GMT https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589285#M496397 hslai 2018-07-06T23:08:13Z https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589286#M496398 <HTML><HEAD></HEAD><BODY><P>Hey Chao,</P><P></P><P>Hsing-Tsu is correct, this is expected behavior.&nbsp; Please see: <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/user_identity_sources.html" title="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/user_identity_sources.html">https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/user_identity_sources.html</A></P><P></P><P>"<SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;">If the TS Agent monitors the same users as another passive authentication identity source (the User Agent or ISE), the Firepower Management Center prioritizes the TS Agent data. If the TS Agent and a passive identity source report activity by the same IP address, only the TS Agent data is logged to the Firepower Management Center"</SPAN></P><P></P><P>Thanks,</P><P>John</P><P><A class="jive-link-email-small" href="mailto:jeppich@cisco.com">jeppich@cisco.com</A></P></BODY></HTML> Fri, 06 Jul 2018 23:09:55 GMT https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589286#M496398 jeppich 2018-07-06T23:09:55Z https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589287#M496399 <HTML><HEAD></HEAD><BODY><P>hi John &amp; Hsing-Tsu,</P><P>So in order FMC to have correct User ID, port and IP mapping, <SPAN style="font-size: 10pt;">TS-Agent directly send to FMC? like this: </SPAN></P><P>TS-Agent---&gt;FMC</P><P>ISE---(pxgrid)---&gt;FMC </P><P></P><P></P><P>the way we try to do is :&nbsp; </P><P></P><P>TS-Agent---&gt;ISE ----(pxgrid)---&gt;FMC.</P><P></P><P>We can use TS-Agent to send mapping to ISE, then we should easily send all ID mapping to FMC via pxgrid including regular mapping and TS ports mapping. this more make sense.</P><P></P><P><SPAN style="font-size: 10pt;">Will this way work? </SPAN></P></BODY></HTML> Sat, 07 Jul 2018 02:00:12 GMT https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589287#M496399 csco11552159 2018-07-07T02:00:12Z https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589288#M496400 <HTML><HEAD></HEAD><BODY><P>Unfortunately it's not quite there yet.</P><P>I would suggest you to use TS-Agent =&gt; FMC for now, while the solution is still being evolved and developed for the other route.</P></BODY></HTML> Sat, 07 Jul 2018 02:51:47 GMT https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589288#M496400 hslai 2018-07-07T02:51:47Z https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589289#M496401 <HTML><HEAD></HEAD><BODY><P>thank you.</P><P>i will send to FMC for now. hopefully some changes coming soon.</P></BODY></HTML> Tue, 10 Jul 2018 13:04:32 GMT https://community.cisco.com/t5/network-access-control/ise-cannot-sent-ts-port-range-to-fmc/m-p/3589289#M496401 csco11552159 2018-07-10T13:04:32Z