topic Re: FTD via FDM in Network Security

FTD via FDM

jebankshrcu — Wed, 06 Mar 2024 20:06:51 GMT

Hi All,

I have been having a hard time to integrate ISE with my Cisco FTD since most of the articles covers using the FMC. For my FTD device I am using FDM not FMC. What I am trying to accomplish is to block web whatsapps by user usage. I have been able to integrate AD to my FTD but after a debug done with cisco tac they said I need ISE for the mapping of IP to user since the below log is showing the highlighted error.

> 157.240.14.52 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'WhatsAppBlocking', user 9999999, realm 0

I have integrated ISE in my environment already but am stuck in the certification part. From what i understand I should enable pxgrid which i have already in ISE and generated the necessary certs for it but now on my FTD device side am only able to upload my CA certificate but am not able to generate my own cert in my FTD device.

Re: FTD via FDM

Rob Ingram — Wed, 06 Mar 2024 20:09:34 GMT

@jebankshrcu use openssl from the CLI of the FTD to generate the CSR, as per this guide:-

https://integratingit.wordpress.com/2021/11/06/fdm-pxgrid-integration-with-ise/

Re: FTD via FDM

jebankshrcu — Wed, 06 Mar 2024 20:24:46 GMT

Hi Rob:

Forgive my ignorance here. So for ISE to have this information for the IP mapping. I would need to have the end-user devices authenticate from the access switch to ISE via 802.1x which then that info there is what will be used to send to my FTD? Does my end-user devices (meaning laptops, desktop etc) have that connectivity to ISE for this to work?

Re: FTD via FDM

Rob Ingram — Wed, 06 Mar 2024 20:30:12 GMT

@jebankshrcu yes, the users authenticate via wired or wireless using ISE as the RADIUS server, which then sends the IP/user bindings to the FMC, and in turn sends these bindings to the FTD. If you add an AD realm you can use AD groups (which the users are a memver of) in the FTD ACP rules. https://integratingit.wordpress.com/2021/11/07/fdm-identity-policy-and-ad-realm/

If using 802.1X authentication, its the switches that need to communicate with ISE.

Re: FTD via FDM

MHM Cisco World — Wed, 06 Mar 2024 20:30:13 GMT

What i get from your request is you need ACL apply to specific user' so you need way to make FTD recognize the user?

MHM

Re: FTD via FDM

jebankshrcu — Wed, 06 Mar 2024 20:32:54 GMT

That is correct

Re: FTD via FDM

jebankshrcu — Wed, 06 Mar 2024 20:35:30 GMT

That is what i have done on the FTD device. I have added AD realm and got the AD groups and have tried to match it via my ACL but the log error was the below:

157.240.14.52 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'WhatsAppBlocking', user 9999999, realm 0

I will look over the second link you sent me. That on looks like what am trying to do

Re: FTD via FDM

MHM Cisco World — Wed, 06 Mar 2024 21:25:32 GMT

check active auth by ftd for identity

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217231-configure-fdm-active-authentication-cap.html

Check this

MHM

Re: FTD via FDM

Rob Ingram — Wed, 06 Mar 2024 20:39:04 GMT

@jebankshrcu from your first post it sounds like you had not configured the certificate on the FMC, so you are unlikely to have an IP/user bindings learnt from ISE until you configure the integration correctly. The first link provided has the commands to use to troubleshoot and determine whether you have these bindings.

Re: FTD via FDM

jebankshrcu — Wed, 06 Mar 2024 20:40:53 GMT

ok So from looking over the links. I need to make sure my access switches are integrated too. I was thinking that just getting AD realm integrated to my FTD via FDM was all i needed since i was able to pull my AD data from the configuration that was done for AD realm

Re: FTD via FDM

Rob Ingram — Wed, 06 Mar 2024 20:44:08 GMT

@jebankshrcu correct, without those IP/User bindings the FTD is not going to know which user the IP address is associated with. Both those links I provided include enough to get the bindings and AD realm integrated into FDM.

Re: FTD via FDM

jebankshrcu — Wed, 06 Mar 2024 20:50:15 GMT

ok thanks for that clarity. Now I may have some issues then because my access switches are CBS350-48P-4X models and I dont think it fully compatible with cisco ise. It does have some 802.1x functions but not compare to a 3750-x switch model etc.

Re: FTD via FDM

Rob Ingram — Wed, 06 Mar 2024 20:54:17 GMT

@jebankshrcu if the switch supports 802.1X, then it can authenticate against ISE, which can send those bindings to the FMC.

Re: FTD via FDM

jebankshrcu — Wed, 06 Mar 2024 20:59:11 GMT

Hi Rob:

Thanks for the input. Let me try and see what I can do. I'll update you