topic Re: Active Auth/Passive ID/pxGrid Question in Network Access Control

Active Auth/Passive ID/pxGrid Question

paul — Tue, 23 Jan 2018 21:52:54 GMT

I wanted to check out how identity mapping should work in the following situation which is a common setup we use at customers:

From a network perspective, many customers just want to make sure that connecting devices are managed by the company. For domain joined devices the simplest way to ensure that is PEAP/Computer. So in active authentication, the identity mapping would be IP to computer name.
For external systems like Stealthwatch/FMC, the desired identity mapping is IP to username. So we either need to change the active authentication scheme or utilize Passive ID to get the IP to username mapping.

My question is how does ISE resolve the discrepancy between the active auth having IP to computer and passive ID having IP to username? Or does ISE just feed all the information over pxGrid and let the connected systems figure it out?

I have had mixed results testing, but need to do more testing.

Any thoughts would be appreciated.

Re: Active Auth/Passive ID/pxGrid Question

Timothy Abbott — Wed, 24 Jan 2018 15:05:26 GMT

ISE simply publishes the information it receives to pxGrid. It is then up to the subscribers to handle the data. For a session to be created during active authentication; ISE must have the MAC address of the endpoint. Once it has that, it will continue to add information as it come in (IP / hostname / username, etc). Passive ID requires a username and an IP address to build a session. If it gets a MAC address first it will hold that information in memory until it can match it to a username and IP. Once the required information is obtained for either active or passive auth, it will publish to pxGrid subscribers. HTH.

Regards,

-Tim

Re: Active Auth/Passive ID/pxGrid Question

Jason Kunst — Wed, 24 Jan 2018 15:25:03 GMT

right and from another user "

ISE sends whatever the data it has in the Endpoint ID field of the session table. Its typically one ID, (could be Active directory user or computer account name), will be two IDs in case of Easy connect (Mac address, user-id). The partner system, like Stealthwatch would have 3 entries in an Easy Connect session, the endpoint’s mac address, mac-&-user-id and user-id alone mapped to the IP address, however the most current id to IP address mapping will be marked “current”.

That's my observation with ISE and Stealthwatch integration with Easy Connect."

If you're getting inconsistency might be a bug, i also asked others to take a look

Re: Active Auth/Passive ID/pxGrid Question

jeppich — Wed, 24 Jan 2018 17:40:01 GMT

Hey Paul,

When testing with FMC & Stealthwatch, please note the version numbers and release notes FMC had some issues when using passive identity, when a user loved on to AD, the mapping was correct. After 802.1X re-auth occurred, the previous user mapping was overwritten by the machine mapping, an the identity rules on the FMC no longer worked.

Thanks,

John

jeppich@cisco.com

Re: Active Auth/Passive ID/pxGrid Question

paul — Wed, 24 Jan 2018 18:05:41 GMT

That is one of my main concerns. The 802.1x reauth messing up the identity mappings in FMC/Stealthwatch. Sounds like you have confirmed this to be a valid concern.

Is that fixed in newer version of FMC? Is Stealthwatch abled handle the 802.1x reauth even okay?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: Active Auth/Passive ID/pxGrid Question

jeppich — Wed, 24 Jan 2018 18:42:33 GMT

Hey Paul,

Let me back with you on the status and versions of FMC and look in Stealthwatch, I'm on travel this week and next week, so my responses may be delayed.

Thanks,

John

jeppich@cisco.com

Re: Active Auth/Passive ID/pxGrid Question

raymondmf — Tue, 01 Oct 2019 17:41:45 GMT

Just enabled PX-GRID and Stealthwatch as a subcriber. We are doing dot1.x authentication and MAB on certain devices. Information for dot1.x devices are not being seen in Stealthwatch. Running SW 7.1.1. Any thought?