topic Re: USER-IP mapping FTD in Network Security

USER-IP mapping FTD

hsangral — Fri, 21 Feb 2020 17:43:04 GMT

Hello,

I understand that in order to Integrate FTD with ISE we need to perform PXgrid integration and add Active directory as a realm, which works well.

What about the users performing Dot 1x authentication using ISE local Database, How does FTD fetch that information.

Re: USER-IP mapping FTD

Rob Ingram — Sun, 24 Nov 2019 14:22:35 GMT

Hi,
The pxgrid integration between ISE and FTD would send all IP/User bindings to the FTD. However if the user is defined only in the ISE database, the AD realm defined on the FTD will not be able to query the group membership for those users.

You could define rules on the FTD using SGTs (rather than query for group membership) that were assigned to those ISE local users or use AD to authenticate users.

HTH

Re: USER-IP mapping FTD

hsangral — Sun, 24 Nov 2019 14:31:40 GMT

Thanks,

The SGT approach would not be applicable to a non sda environment.

If the FTD is not using AD groups in the policies it would still fetch the Information ( user-ip mapping) and the ISE local username can be seen in the connection events ? In this case creation of realms would not be necessary. Correct me if i am wrong.

Re: USER-IP mapping FTD

Rob Ingram — Sun, 24 Nov 2019 14:35:56 GMT

If you just want IP/User mappings in connections events, then I see no reason why that should not work. However if you want to use the Username/Group information in the ACP for enforcement then you'd need to learn the group mappings from the AD Realm, which is not possible if the user is in the ISE Local database.

HTH

Re: USER-IP mapping FTD

hsangral — Sun, 24 Nov 2019 14:37:12 GMT

Thanks