<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Identity Service Through Cisco ISE in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4417584#M567836</link>
    <description>&lt;P&gt;I think&amp;nbsp;&lt;A id="link_16" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://community.cisco.com/t5/user/viewprofilepage/user-id/42069" target="_self" aria-label="View Profile of mohanB"&gt;&lt;SPAN class=""&gt;mohanB&lt;/SPAN&gt;&lt;/A&gt; is correct. That is, ISE can learn the users' IP addresses passively through the Passive Identity service.&lt;/P&gt;</description>
    <pubDate>Mon, 14 Jun 2021 01:07:50 GMT</pubDate>
    <dc:creator>hslai</dc:creator>
    <dc:date>2021-06-14T01:07:50Z</dc:date>
    <item>
      <title>Identity Service Through Cisco ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4414791#M567747</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I need some suggestions / guidelines regarding one of my queries, as below.&lt;/P&gt;&lt;P&gt;My client wants to use Cisco ISE as the identity provider for some local firewalls (FMC) to allow AD-based rules on the firewalls managed by FMC. What do I need to configure for this to happen? Can you suggest?&lt;/P&gt;&lt;P&gt;Currently there is an AD connection with ISE for other solutions (AnyConnect), but the firewalls they are trying to use have no relation with ISE from any solution perspective. For those firewalls they just want to use ISE as the identity provider so that they can use AD-based rules on those firewalls.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Jun 2021 15:50:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4414791#M567747</guid>
      <dc:creator>MSJ1</dc:creator>
      <dc:date>2021-06-08T15:50:44Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Service Through Cisco ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4414927#M567748</link>
      <description>&lt;P&gt;Recently had to do this. In brief, you can use ISE-PIC (it can be a separate node or can be enabled on an existing node as a persona), which basically is an identity source. On the backend it can integrate with ADs using WMI (a few other methods are out there as well) to receive user login information, which it can then use to build user-ID-to-IP-address mappings. This information can then be passed to FMC using the pxGrid protocol. Once you have the FMC configured with realms and can download users and groups, and have the user-IP mapping from pxGrid, then you can code firewall rules using AD users and groups. Once traffic matches the identity rule, it looks up to see if it matches the identity conditions, and the access rule can be coded to allow or deny that traffic.&lt;/P&gt;&lt;P&gt;Obviously, as always, it is better to plan the resources needed appropriately and whether a separate ISE-PIC node needs to be deployed or not.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Jun 2021 19:43:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4414927#M567748</guid>
      <dc:creator>mohanB</dc:creator>
      <dc:date>2021-06-08T19:43:58Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Service Through Cisco ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4416417#M567782</link>
      <description>&lt;P&gt;Is ISE aware of all user sessions’ IP addresses (e.g. by means of 802.1X)? If not, FMC should query the AD and use AD directly as the identity source. Thus, pxGrid may not be necessary between ISE and FMC.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jun 2021 21:03:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4416417#M567782</guid>
      <dc:creator>Peter Koltl</dc:creator>
      <dc:date>2021-06-10T21:03:41Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Service Through Cisco ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4416449#M567792</link>
      <description>&lt;P&gt;Hello Peter,&lt;/P&gt;&lt;P&gt;How can I validate the below? I know that the ISE I am using is used for one existing VPN as an identity source (i.e. FMC - FMC is the manager for the VPN firewall).&lt;/P&gt;&lt;P&gt;"Is ISE aware of all user session’s IP addresses?"&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jun 2021 21:55:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4416449#M567792</guid>
      <dc:creator>MSJ1</dc:creator>
      <dc:date>2021-06-10T21:55:31Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Service Through Cisco ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4417584#M567836</link>
      <description>&lt;P&gt;I think&amp;nbsp;&lt;A id="link_16" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://community.cisco.com/t5/user/viewprofilepage/user-id/42069" target="_self" aria-label="View Profile of mohanB"&gt;&lt;SPAN class=""&gt;mohanB&lt;/SPAN&gt;&lt;/A&gt; is correct. That is, ISE can learn the users' IP addresses passively through the Passive Identity service.&lt;/P&gt;</description>
      <pubDate>Mon, 14 Jun 2021 01:07:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/identity-service-through-cisco-ise/m-p/4417584#M567836</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2021-06-14T01:07:50Z</dc:date>
    </item>
  </channel>
</rss>

