https://community.cisco.com/t5/network-access-control/ise-pic-support-for-multiple-tenants-with-fmc/m-p/3579767#M509058 <HTML><HEAD></HEAD><BODY><P>Hello Dave, </P><P></P><P>ISE-PIC supports 100 DC today. FMC gets to know about the group mapping learnt from AD. </P><P>you can verify in ISE under live sessions and check&nbsp; the&nbsp; IP mapping which is sent to FMC via PxGrid. </P><P></P><P>Please find more details from the link here- <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210522-Configure-ISE-2-2-PIC-with-Active-Direct.html" title="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210522-Configure-ISE-2-2-PIC-with-Active-Direct.html">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210522-Configure-ISE-2-2-PIC-with-Active…</A></P><P></P><P>Thanks,</P><P>Nidhi</P></BODY></HTML> Wed, 13 Jun 2018 15:24:37 GMT Nidhi 2018-06-13T15:24:37Z https://community.cisco.com/t5/network-access-control/ise-pic-support-for-multiple-tenants-with-fmc/m-p/3579766#M509055 <HTML><HEAD></HEAD><BODY><P>Hi Team,</P><P></P><P>I have multiple tenants (government agencies) that are managed by a single FMC (and multiple FTD instances per tenant).&nbsp; Each tenant has overlapping addressing and NAT is used heavily to present FMC with unique address space as well as for routing their traffic up to a shared Internet Gateway.</P><P></P><P>There is a requirement to use identity-based AC policy rules in FMC/FTD.</P><P></P><P>What is the best way to provide user/IP mappings via ISE-PIC??</P><P></P><P>Can a single ISE-PIC support AD Forest/Domain connections to multiple tenants??</P><P>How would ISE-PIC present the IP mappings?? (ie would it be the original un-NAT'd IP??).&nbsp; If so, how does FMC interpret the potentially overlapping user/IP mappings from ISE-PIC if mapped to a single realm thats mapped to a single identity policy to a single AC policy??</P><P></P><P>Thanks and kind regards,</P><P><BR />Dave.</P></BODY></HTML> Wed, 13 Jun 2018 13:03:27 GMT https://community.cisco.com/t5/network-access-control/ise-pic-support-for-multiple-tenants-with-fmc/m-p/3579766#M509055 dadelima 2018-06-13T13:03:27Z https://community.cisco.com/t5/network-access-control/ise-pic-support-for-multiple-tenants-with-fmc/m-p/3579767#M509058 <HTML><HEAD></HEAD><BODY><P>Hello Dave, </P><P></P><P>ISE-PIC supports 100 DC today. FMC gets to know about the group mapping learnt from AD. </P><P>you can verify in ISE under live sessions and check&nbsp; the&nbsp; IP mapping which is sent to FMC via PxGrid. </P><P></P><P>Please find more details from the link here- <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210522-Configure-ISE-2-2-PIC-with-Active-Direct.html" title="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210522-Configure-ISE-2-2-PIC-with-Active-Direct.html">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210522-Configure-ISE-2-2-PIC-with-Active…</A></P><P></P><P>Thanks,</P><P>Nidhi</P></BODY></HTML> Wed, 13 Jun 2018 15:24:37 GMT https://community.cisco.com/t5/network-access-control/ise-pic-support-for-multiple-tenants-with-fmc/m-p/3579767#M509058 Nidhi 2018-06-13T15:24:37Z