cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

703
Views
0
Helpful
6
Replies
Highlighted
Enthusiast

FMC and PassiveID - correct 802.1X username format on ISE

Hello,

I'd like to know, how LDAP lookup is working on FMC for PassiveID. I have found, that it is very important, how username on 802.1X session looks like. We can play with format of username if wee have Anyconnect NAM, but it is problem, if we have for example native supplicant or we are using certificate based authentication. For example, we have only machine 802.1X authentication using EAP-TLS with computer certificate, and CN of cert is FQDN of host e.g. computer1.demo.com. We will see username on ISE computer1.demo.com and I am sure, that FMC will not find computer in LDAP/AD based on this username, so Passive Authentication will not work in this case.

So to summarize this issues, i would like to have answer for these questions:

  1. What username format for 802.1X user authentication on ISE should looks like, so FMC can correctly do LDAP lookup? [username, username@domain, username@NetBIOSname etc...]
  2. What username format for 802.1X machine authentication on ise should looks like, so FMC can correctly do LDAP lookup? [host/hostname, host/hostname.domain, hostname.domain etc...]
  3. "Firepower does not support 802.1x machine authentication alongside AD authentication because the system does not associate machine authentication with users." What does it mean exactly?


Thanks,

Laco.


Everyone's tags (6)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: FMC and PassiveID - correct 802.1X username format on ISE

Below are some info I received from Firepower team and they might help:

FMC can only consume Passive Identity learned from AD. The method should not matter,  for the integration to work, the following is what is required currently.

  1. On the FMC, a Realm is configured for the Active Directory with domain and other information.
  2. The session received from ISE-PIC/ISE  should have a domain that the realm domain configured on the FMC.
  3. The session received from ISE-PIC/ISE should have a username that is one of the users in the Active Directory Realm.

From FMC perspective,

If we receive an authentication Machine/User if it is an Active Directory Credential we use the username + domain. We haven’t tested the case where a machine auth is sent with username and domain but it should work in theory.

If we receive an authentication Machine/User without domain information, we cannot use Identity but we will use other attributes like SGT, Device Profile and Location IP (NAS IP).

Anytime we receive a login for a certain IP it overwrites the previous information we have about the IP.

6 REPLIES 6
Cisco Employee

Re: FMC and PassiveID - correct 802.1X username format on ISE

Laco,

I don't understand the question.  You reference PassiveID but you are also asking about 802.1X.  They are completely different.  802.1X is active identity where as PassiveID is learning the username and IP address by looking at the security event logs from AD.  Are you using PassiveID or 802.1X with ISE?

Regards,

-Tim

Enthusiast

Re: FMC and PassiveID - correct 802.1X username format on ISE

Hi Tim,

I mean, ISE is using 802.1x and authentication events is shared with FMC via PxGrid publishing. So it means, that FMC is doing passive authentication because ISE is doing active and FMC just trust ISE. Correct?

So on FMC, we have integration with ISE via PxGrdi and we have also configured REALM on FMC to do LDAP lookup for usernames coming from ISE. If both ise username is validated by REALM/LDAP lookup, we can see correct initiated user identity on connection events. This is my expectation how it works.

It is true, that I am not talking about Passive Identity functionality on Cisco ISE, but I am talking about FMC passive authentication, to be correct.

I hope, now is clear, what I am looking for.

Regards,

Laco

Cisco Employee

Re: FMC and PassiveID - correct 802.1X username format on ISE

FMC learns the identity from ISE using pxGrid.  Essentially, FMC needs to know the IP address the user is tied to.  That could be in the form of active identity (802.1X) or passive identity (WMI, etc.)  ISE then shares that information with FMC over pxGrid but FMC still needs to know which security groups the user belongs to in AD / LDAP so it can enforce policy.  That is where FMC has to have a realm configured.  It isn't trying to authenticate the user but rather learn which groups the user is a member of.

Regards,

-Tim

Enthusiast

Re: FMC and PassiveID - correct 802.1X username format on ISE

Hi Tim, OK, this is good description how it works, but is is still not answering my original three questions.

  1. What username format for 802.1X user authentication on ISE should looks like, so FMC can correctly do LDAP lookup? [username, username@domain, username@NetBIOSname etc...]
  2. What username format for 802.1X machine authentication on ise should looks like, so FMC can correctly do LDAP lookup? [host/hostname, host/hostname.domain, hostname.domain etc...]
  3. "Firepower does not support 802.1x machine authentication alongside AD authentication because the system does not associate machine authentication with users." What does it mean exactly?


Thanks,

Laco

Cisco Employee

Re: FMC and PassiveID - correct 802.1X username format on ISE

Below are some info I received from Firepower team and they might help:

FMC can only consume Passive Identity learned from AD. The method should not matter,  for the integration to work, the following is what is required currently.

  1. On the FMC, a Realm is configured for the Active Directory with domain and other information.
  2. The session received from ISE-PIC/ISE  should have a domain that the realm domain configured on the FMC.
  3. The session received from ISE-PIC/ISE should have a username that is one of the users in the Active Directory Realm.

From FMC perspective,

If we receive an authentication Machine/User if it is an Active Directory Credential we use the username + domain. We haven’t tested the case where a machine auth is sent with username and domain but it should work in theory.

If we receive an authentication Machine/User without domain information, we cannot use Identity but we will use other attributes like SGT, Device Profile and Location IP (NAS IP).

Anytime we receive a login for a certain IP it overwrites the previous information we have about the IP.

Beginner

Re: FMC and PassiveID - correct 802.1X username format on ISE

Hi Inemec,

Did you manage to get this working where the authentication information is sent with a username and domain to FMC?

I'm using 802.1X authentication with EAP-TLS,the AD username is in the CN field on the certificate but I'm unable to get FMC to recognise the AD username as part of the configured Realm.

If I authenticate against ISE using 802.1X  with PEAP/MSCHAPV2 it works fine.

We are using ISE with PxGrid to share the authentication events.

Many thanks

Tim