https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3951074#M1011036 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/206554">@belgarioz</a> you can use the commands <STRONG><EM>adi_cli session</EM></STRONG> and <EM><STRONG>OmniQuery.pl</STRONG></EM>. Guide <A href="https://integratingit.wordpress.com/2019/10/26/ftd-user-identity/" target="_self">here</A>.</P> Thu, 31 Oct 2019 11:25:36 GMT Rob Ingram 2019-10-31T11:25:36Z https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3798067#M1011033 <P>ISE version 2.1</P> <P>FMC version 6.1</P> <P>Running into an issue getting SGT mappings to be pushed to the sensors from my FMC. I believe I have identified the issue, but wanted to see if anyone has ran into this before or got it working.</P> <P>Here is what I am experiencing:</P> <P>User connects to wireless, and authenticates using EAP-FAST (user+machine)</P> <P>ISE assigns an SGT per AuthZ policy</P> <P>FMC gets user/machine login event and SGT from ISE (screenshot below)</P> <P>FMC doesn't push the SGT mapping to the sensors - I believe because the username received from ISE is in the form of '&lt;username&gt;/host/&lt;machine&gt;', and it isn't able to find that in the AD Realm. (screenshot below)</P> <P>If I authenticate using just username and not machine (PEAP+MSCHAPv2 for example) everything works as expected - FMC gets SGT, pushes to sensor, Access Control Policy applied properly.</P> <P>I found a bug that is kinda related to what I am seeing, but the workaround listed is basically what I am already doing. <A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd73842" target="_blank">CSCvd73842</A></P> <P>Screenshots:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/29717iE8EEE5155B5BB156/image-size/large?v=v2&amp;px=999" role="button" title="1.PNG" alt="1.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/29716i20D919144AD934E4/image-size/large?v=v2&amp;px=999" role="button" title="2.PNG" alt="2.PNG" /></span></P> <P>Any thoughts or experience is appreciated.</P> <P>&nbsp;</P> <P>-Thanks</P> Fri, 21 Feb 2020 16:47:20 GMT https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3798067#M1011033 Daniel Lucas 2020-02-21T16:47:20Z https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3844036#M1011034 <P>Hi,</P><P>before Firepower 6.2.0 you need to have Realm, which validate username received from ISE and after that there was pushed mapping SGT-IP to FTD device. As you write you are running 6.1 ..</P><P>After 6.2.0 you don't need realm to validate username to be able push SGT-IP mapping to device ..</P><P>&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower_System_Release_Notes_Version_620/new_features_and_functionality.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower_System_Release_Notes_Version_620/new_features_and_functionality.html</A></P><P>...check Table1</P><P>&nbsp;</P><P>Because you are using EAP-FAST (user+device), FMC see all that string as one "user" ID, and this is not in AD at all. Actually there is no way how to validate EAP-FAST identity (user+device) against any Realm (there is no possibility of parsing identity on FMC (received by pxgrid) nor ISE platform (before pxgrid)..).</P><P>(I am in same situation .. lot of discussions with Cisco SE about that... no solution till now).</P><P>&nbsp;</P><P>If it is enougth for you use SGT tags in ACL, it can be useful migrate to 6.2.0 or later.</P><P>Regards,</P><P>Vladimir</P><P>&nbsp;</P> Wed, 24 Apr 2019 11:01:03 GMT https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3844036#M1011034 vlmacko 2019-04-24T11:01:03Z https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3951017#M1011035 <P>Hello,</P><P>&nbsp;</P><P>I kinda have same problem with 6.4.0.x, SGT tags assigned to ISE but no TAG passed to FMC.<BR />But this doesn't apply to everybody, just some clients randomly and we suspect it's something hidden inside it's network.<BR />I just don't know how to provide a good troubleshoot apart from dump_user file in FTD and grepping vdi.radius on /var/log/messages</P> Thu, 31 Oct 2019 10:07:40 GMT https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3951017#M1011035 belgarioz 2019-10-31T10:07:40Z https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3951074#M1011036 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/206554">@belgarioz</a> you can use the commands <STRONG><EM>adi_cli session</EM></STRONG> and <EM><STRONG>OmniQuery.pl</STRONG></EM>. Guide <A href="https://integratingit.wordpress.com/2019/10/26/ftd-user-identity/" target="_self">here</A>.</P> Thu, 31 Oct 2019 11:25:36 GMT https://community.cisco.com/t5/network-security/fmc-ise-integration-sgt/m-p/3951074#M1011036 Rob Ingram 2019-10-31T11:25:36Z