857 Views · 0 Helpful · 1 Replies
Beginner

FMC ISE Integration - SGT

ISE version 2.1

FMC version 6.1

Running into an issue getting SGT mappings to be pushed to the sensors from my FMC. I believe I have identified the issue, but wanted to see if anyone has run into this before or got it working.

Here is what I am experiencing:

User connects to wireless, and authenticates using EAP-FAST (user+machine)

ISE assigns an SGT per AuthZ policy

FMC gets user/machine login event and SGT from ISE (screenshot below)

FMC doesn't push the SGT mapping to the sensors - I believe because the username received from ISE is in the form of '<username>/host/<machine>', and it isn't able to find that in the AD Realm. (screenshot below)

If I authenticate using just username and not machine (PEAP+MSCHAPv2 for example) everything works as expected - FMC gets SGT, pushes to sensor, Access Control Policy applied properly.

I found a bug that is kinda related to what I am seeing, but the workaround listed is basically what I am already doing. CSCvd73842

Screenshots:

[Screenshots: 1.PNG, 2.PNG]

Any thoughts or experience is appreciated.


-Thanks

Accepted Solution
Beginner

Re: FMC ISE Integration - SGT

Hi,

before Firepower 6.2.0 you need to have a Realm, which validates the username received from ISE, and after that the SGT-IP mapping was pushed to the FTD device. As you write, you are running 6.1 ..

After 6.2.0 you don't need a realm to validate the username to be able to push the SGT-IP mapping to the device ..


https://www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower_System_Release_Notes_Version_620/new_features_and_functionality.html

...check Table 1


Because you are using EAP-FAST (user+device), FMC sees all that string as one "user" ID, and this is not in AD at all. Actually there is no way to validate an EAP-FAST identity (user+device) against any Realm (there is no possibility of parsing the identity on FMC (received via pxGrid) nor on the ISE platform (before pxGrid)..).

(I am in the same situation .. lots of discussions with Cisco SE about that... no solution till now).


If it is enough for you to use SGT tags in ACL, it can be useful to migrate to 6.2.0 or later.

Regards,

Vladimir
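To make the failure mode concrete, here is a small added example (not FMC, ISE or Cisco code) that models the two behaviours described in this thread: before 6.2.0 the whole identity string received from ISE must resolve in the AD realm before the SGT-to-IP mapping is pushed; from 6.2.0 on, no realm lookup is required. It also shows that the chained EAP-FAST identity of the form `<username>/host/<machine>` can be split into its user and machine parts, and that the user part alone would resolve. The realm contents, usernames and machine name are constructed sample data, and `parse_identity`, `would_push_mapping` and `user_component_in_realm` are hypothetical helper names, not FMC functions.

```python
"""Simplified model (added example, not FMC/ISE code) of why an EAP-FAST
user+machine identity fails realm validation on Firepower before 6.2.0."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample "AD realm": the bare usernames FMC could resolve.
# Hypothetical data for this example only.
REALM_USERS: FrozenSet[str] = frozenset({"jdoe", "asmith"})


@dataclass(frozen=True)
class Identity:
    user: str
    machine: Optional[str]  # None for a plain user-only authentication


def parse_identity(raw: str) -> Identity:
    """Split an identity string of the form seen in the thread,
    '<username>/host/<machine>', into its user and machine components.
    A plain username (e.g. from PEAP+MSCHAPv2) has no '/host/' part."""
    if "/host/" in raw:
        user, machine = raw.split("/host/", 1)
        return Identity(user=user, machine=machine)
    return Identity(user=raw, machine=None)


def realm_validates(raw: str, realm_users: FrozenSet[str] = REALM_USERS) -> bool:
    """Model of the pre-6.2.0 check: the whole received string, unparsed,
    must be a known realm user."""
    return raw in realm_users


def user_component_in_realm(raw: str, realm_users: FrozenSet[str] = REALM_USERS) -> bool:
    """What a parsing step would achieve: only the user part is looked up.
    The thread states FMC/ISE do not do this; shown here for contrast."""
    return parse_identity(raw).user in realm_users


def would_push_mapping(raw: str, fmc_version: Tuple[int, int, int],
                       realm_users: FrozenSet[str] = REALM_USERS) -> bool:
    """Whether the SGT-to-IP mapping reaches the sensor, per the thread:
    before 6.2.0 the username must validate against the realm;
    from 6.2.0 the realm lookup is no longer required."""
    if fmc_version >= (6, 2, 0):
        return True
    return realm_validates(raw, realm_users)


if __name__ == "__main__":
    # Constructed identities: a plain user and a chained user+machine identity.
    plain = "jdoe"
    chained = "jdoe/host/LAPTOP1"
    for ident in (plain, chained):
        print(f"{ident!r}: parsed={parse_identity(ident)}, "
              f"push on 6.1.0={would_push_mapping(ident, (6, 1, 0))}, "
              f"push on 6.2.0={would_push_mapping(ident, (6, 2, 0))}, "
              f"user part in realm={user_component_in_realm(ident)}")
```

Running it shows the thread's observation: the plain username is pushed on 6.1, the chained identity is not (because the unparsed string is not a realm user), while on 6.2.0 both are pushed; the user component of the chained string would have resolved had anything split it.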

