topic When a user authenticates in Network Security

FireSight and ISE User Identity Integration

nrunge1 — Fri, 21 Feb 2020 13:23:46 GMT

We are wishing to migrate from CX/PRSM to FirePower/FireSight. I am researching feature parity.

Today I use the CDA integration with ISE to passively capture the user identity of 802.1x wireless authenticated employees.

The goal is to on demand produce reports that map a username to their traffic in a passive fashion.

I was told by a Cisco engineer that ISE was a consumable identiy source for FireSight in the same way that LDAP is with the User Agent. Furthermore I was assured that this was the case without having licensing for PXGRID.

I am unable to find any information proving this to be true. The only thing I find is information on how to use ISE as an authentication method.

I do not want to authenticate users actively. I just want to scape username information for reporting purposes. I have read the following URL and it is not what I am looking for based on our current configuration.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html

You can get usernames

Collin Clark — Thu, 12 Feb 2015 14:58:37 GMT

You can get usernames directly in sourcefire with the User Agent (that runs on a Windows box). No need for ISE.

When a user authenticates

nrunge1 — Thu, 12 Feb 2015 16:43:09 GMT

When a user authenticates using 802.1x over WiFi ACS/ISE I do not see a successful authentication event on a domain controller.

If you have ISE configured differently so that my wireless users will actually create an event in Windows that has a username in it I would be interested to see how you are doing that.

To the best of my knowledge that was not possible, which was why for CX/PRSM Cisco had to patch the CDA to parse out syslog from CX.

That is correct you will not

Collin Clark — Thu, 12 Feb 2015 20:00:49 GMT

That is correct you will not see logon/logoff for users that authenticated to RADIUS. As far as I know there is no workaround. I'm hoping that some day soon sourcefire will use CDA instead of its own User Agent.

I believe moving forward

Marvin Rhoads — Thu, 12 Feb 2015 20:55:36 GMT

I believe moving forward Cisco plans to integrate these sort of multiple sources of user data via PxGrid. Though I'd prefer CDA as it appears more stable than SFUA.

There was some lab proof of concept work demonstrated at Cisco Live Milan a couple of weeks ago.

The problem with PxGrid is

nrunge1 — Thu, 12 Feb 2015 21:25:02 GMT

The problem with PxGrid is that it requires additional ISE licensing.

From my org's point of view we bought into CX and it didn't have ISE RADIUS identity integration. We waited and then by the time we recieved it the CX platform was on it's way out after roughly two years.

At this point we basically got credited back every dime we put into CX and are going to pay the difference for SF but I go back to not having feature parity and potentially having to buy more licensing to get it.

This is all pretty absurd when you consider that I am not wanting to do anything more than parse out text and associate it with a matched IP.

I am still waiting to hear back from a Cisco SE that our sales rep put me in touch with. If I hear anything definitive I should at least be able to provide closure for anyone who hits this thread.

I agree - your points are

Marvin Rhoads — Thu, 12 Feb 2015 21:36:34 GMT

I agree - your points are similar to the ones I've made myself to the Cisco Security CSEs I work with as a partner.

Add your voice to the choir - that's how we get the responsible product manager to make it a priority.

The answer that I recieved

nrunge1 — Fri, 13 Feb 2015 20:50:11 GMT

The answer that I recieved was in line with these features coming first half of this year using pxGrid. There was one or two other workarounds mentioned but they aren't comprable to the way it is being done today in CX.

I am getting some quotes on adding Plus licensing to our ISE Base.

There is an upside in that ISE can use pxGrid technology to get identity from AD so the SourceFire Agent would be unnecessary and everything would just flow through ISE.

Between that and the fact that I have to license passive gear makes it a tough pill to swallow.

So to cap this thread off the

nrunge1 — Mon, 16 Feb 2015 15:04:40 GMT

So to cap this thread off the pricing on pxGrid isn't bad at all if that is all you want from ISE.

pxGrid doesn't actually consume licenses. You can purchase the smallest cheapest PLUS license and get pxGrid/TrustSEC.

I have to admit that changes my initial position. It doesn't sound like the SF Agent was stable and in my experience neither was CDA.

For the cost it absolutely makes the most sense to use ISE to pull that data.

This feature has been bumped

nrunge1 — Wed, 18 Feb 2015 22:41:36 GMT

This feature has been bumped back in the timeline. Internal documentation will say second half of 2015 however the Cisco employees I spoke with said not to count on it until Q1 2016.

So I used the FireSight AD

nrunge1 — Tue, 14 Jul 2015 21:56:49 GMT

So I used the FireSight AD Agent for the first time. I take back everything bad I said about the CDA, the AD Agent has proven to function far less consistently.

I agree. I complained loud

Marvin Rhoads — Wed, 15 Jul 2015 03:49:42 GMT

I agree. I complained loud and clear to Cisco product managers, CSEs and TMEs while I was at Cisco Live about the various identity integration solutions being all over the map.

None of them work particularly well in my opinion (except perhaps ISE which is a great product but by no means ubiquitous nor should it be a prerequisite to get user identity).

Funny. That was pretty much

nrunge1 — Thu, 16 Jul 2015 02:09:13 GMT

Funny. That was pretty much our office conversation today. ISE is going to be perfect. For those that own ISE.

Although upcharging for a technological pivot that essentially provides the same feature isn't a new thing for Cisco.

CX > FirePower

Show n Share > vBrick

DMM > AppSpace

TCS > Virtual TCS

MCU Bridge > Virtual Telepresence Server

VCS > CUCM

And that is just our last fiscal year.