topic Re: FMC Integration with ISE pxGrid with machine based authentication in Network Access Control

FMC Integration with ISE pxGrid with machine based authentication

ele203026 — Thu, 23 Sep 2021 06:06:19 GMT

Hi,

Is there anyone that can point me in the right direction of how to create access policies on FMC based on information from pxGrid, when ISE is using machine-based authentication? From what I learnt, since machine authentication logs the user as host/userid, this information is not usable by FMC.

ISE 3.0, FMC 6.7.

Any suggestion will be appreciated.

Thanks

Re: FMC Integration with ISE pxGrid with machine based authentication

Timothy Abbott — Thu, 23 Sep 2021 14:24:03 GMT

Hi,

I'm checking on the details of machine authentication information being shared via pxGrid but it sounds like the problem is a limitation with FMC itself. You'll need to reach out to the FMC team on how / when that use case is supported.

Regards,

-Tim

Re: FMC Integration with ISE pxGrid with machine based authentication

ele203026 — Thu, 23 Sep 2021 14:38:18 GMT

thanks Tim,

Does this mean Im limited to PEAP authentication only when using ISE active authentication? Or do you know of any other option?

What do you mean by reach out to the FMC team? Through an official Tac case?

Re: FMC Integration with ISE pxGrid with machine based authentication

Rob Ingram — Thu, 23 Sep 2021 16:47:05 GMT

@ele203026 I don't have my lab open to check and I also can't recall ever using computers in a Access Control rule, but I know the IP/Computername binding is received by the FMC.

I see no reason why you could not create an Access Control rule based on the AD group the computer account is a member of or assign an SGT in ISE and use the source SGT in the Access Control rule.

Re: FMC Integration with ISE pxGrid with machine based authentication

ele203026 — Sat, 25 Sep 2021 20:14:31 GMT

Thanks for your response, Rob.

Using the computer ID in the ISE access rule will defeat the ability to log activities based on the user name. I might be limited to using SGT here. What I'm shying from is having to break down the domain computer/authenticated user rule on ise to multiple domain computer/ad-groups, to assign different SGTs per AD group, so I can create AD group based controls on FMC.

Re: FMC Integration with ISE pxGrid with machine based authentication

~Saj~ — Thu, 02 Feb 2023 06:27:24 GMT

Hi Experts,

Any update on this behaviour? I'm having a similar issue. I think it's more along the lines discussed in this thread.

Brief info on the setup:

Windows desktops authenticate using the device auth cert to ISE
Passive ID using to get the User to IP mappings from AD
The same information is passed to FMC through the PxGrid

In the FMC, we can see the User to IP mapping for clients with Device Auth. However, an identity-based policy not working for users with device auth. why can FMC not execute an identity-based rule when the User to IP mapping details are available?

Users with PEAP auth do work fine with the identity-based rules.