FMC and PassiveID - correct 802.1X username format on ISE

lnemec
Level 4

Hello,

I'd like to know how the LDAP lookup works on FMC for PassiveID. I have found that it is very important how the username on the 802.1X session looks. We can play with the format of the username if we have AnyConnect NAM, but it is a problem if we have, for example, a native supplicant or we are using certificate-based authentication. For example, we have only machine 802.1X authentication using EAP-TLS with a computer certificate, and the CN of the cert is the FQDN of the host, e.g. computer1.demo.com. We will see the username computer1.demo.com on ISE, and I am sure that FMC will not find the computer in LDAP/AD based on this username, so Passive Authentication will not work in this case.

So to summarize these issues, I would like to have answers to these questions:

  1. What should the username format for 802.1X user authentication on ISE look like, so that FMC can correctly do the LDAP lookup? [username, username@domain, username@NetBIOSname etc...]
  2. What should the username format for 802.1X machine authentication on ISE look like, so that FMC can correctly do the LDAP lookup? [host/hostname, host/hostname.domain, hostname.domain etc...]
  3. "Firepower does not support 802.1x machine authentication alongside AD authentication because the system does not associate machine authentication with users." What does it mean exactly?


Thanks,

Laco.


6 Replies

Timothy Abbott
Cisco Employee

Laco,

I don't understand the question.  You reference PassiveID but you are also asking about 802.1X.  They are completely different.  802.1X is active identity, whereas PassiveID is learning the username and IP address by looking at the security event logs from AD.  Are you using PassiveID or 802.1X with ISE?

Regards,

-Tim

Hi Tim,

I mean, ISE is using 802.1X and the authentication events are shared with FMC via pxGrid publishing. So it means that FMC is doing passive authentication because ISE is doing active authentication and FMC just trusts ISE. Correct?

So on FMC, we have the integration with ISE via pxGrid, and we have also configured a REALM on FMC to do the LDAP lookup for usernames coming from ISE. If the ISE username is validated by the REALM/LDAP lookup, we can see the correct initiator user identity on connection events. This is my expectation of how it works.

It is true that I am not talking about the Passive Identity functionality on Cisco ISE, but I am talking about FMC passive authentication, to be correct.

I hope it is now clear what I am looking for.

Regards,

Laco

FMC learns the identity from ISE using pxGrid.  Essentially, FMC needs to know the IP address the user is tied to.  That could be in the form of active identity (802.1X) or passive identity (WMI, etc.)  ISE then shares that information with FMC over pxGrid but FMC still needs to know which security groups the user belongs to in AD / LDAP so it can enforce policy.  That is where FMC has to have a realm configured.  It isn't trying to authenticate the user but rather learn which groups the user is a member of.

Regards,

-Tim

Hi Tim, OK, this is a good description of how it works, but it is still not answering my original three questions.

  1. What should the username format for 802.1X user authentication on ISE look like, so that FMC can correctly do the LDAP lookup? [username, username@domain, username@NetBIOSname etc...]
  2. What should the username format for 802.1X machine authentication on ISE look like, so that FMC can correctly do the LDAP lookup? [host/hostname, host/hostname.domain, hostname.domain etc...]
  3. "Firepower does not support 802.1x machine authentication alongside AD authentication because the system does not associate machine authentication with users." What does it mean exactly?


Thanks,

Laco

hslai
Cisco Employee
(Accepted Solution)

Below is some info I received from the Firepower team; it might help:

FMC can only consume Passive Identity learned from AD. The method should not matter,  for the integration to work, the following is what is required currently.

  1. On the FMC, a Realm is configured for the Active Directory with domain and other information.
  2. The session received from ISE-PIC/ISE should have a domain that matches the realm domain configured on the FMC.
  3. The session received from ISE-PIC/ISE should have a username that is one of the users in the Active Directory Realm.

From FMC perspective,

If we receive a Machine/User authentication and it is an Active Directory credential, we use the username + domain. We haven't tested the case where a machine auth is sent with username and domain, but it should work in theory.

If we receive an authentication Machine/User without domain information, we cannot use Identity but we will use other attributes like SGT, Device Profile and Location IP (NAS IP).

Anytime we receive a login for a certain IP it overwrites the previous information we have about the IP.
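The three requirements above (realm domain match, username known to the realm, fall back to SGT/profile/NAS IP when no domain is present) plus the "last login per IP wins" rule can be modelled in a few lines. The following Python is an added illustration written for this thread, not FMC's code: the realm configuration, the user/group table and the session usernames are constructed, the mapping of a `host/` machine identity to a `hostname$` computer account and the acceptance of the NetBIOS name as the realm domain are assumptions of the model, and a bare FQDN such as `computer1.demo.com` is deliberately treated as carrying no domain, which is the case the original question is about.

```python
"""Model of the identity rules an ISE->pxGrid->FMC session is judged by.

Constructed example for illustration; not FMC or ISE code.
"""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the FMC realm and the users/groups it would
# learn from AD via LDAP (assumption: these names are illustrative only).
REALM_DOMAIN = "demo.com"
REALM_NETBIOS = "DEMO"          # assumption: NetBIOS name also accepted
REALM_USERS: Dict[str, List[str]] = {
    "alice": ["Domain Users", "Finance"],
    "computer1$": ["Domain Computers"],
}


def parse_identity(session_user: str) -> Tuple[str, Optional[str]]:
    """Split an ISE session username into (account, domain-or-None).

    Handled forms: user@domain, DOMAIN\\user, host/hostname.domain and a
    bare account. A bare FQDN (EAP-TLS with the CN = FQDN, e.g.
    computer1.demo.com) has no separator FMC can treat as a domain, so it
    comes back with domain=None.
    """
    user = session_user.strip()
    if user.lower().startswith("host/"):
        # assumption: host/fqdn maps to the AD computer object hostname$
        short, _, domain = user[len("host/"):].partition(".")
        return short + "$", (domain or None)
    if "\\" in user:
        domain, _, account = user.partition("\\")
        return account, domain
    if "@" in user:
        account, _, domain = user.rpartition("@")
        return account, domain
    return user, None


def evaluate(session_user: str, sgt: Optional[str] = None,
             nas_ip: Optional[str] = None) -> Dict[str, object]:
    """Apply the three requirements and return what FMC could act on."""
    account, domain = parse_identity(session_user)
    if domain is None:
        # No domain information: identity unusable, only the other
        # session attributes (SGT, device profile, NAS IP) remain.
        return {"result": "fallback", "sgt": sgt, "nas_ip": nas_ip}
    if domain.lower() not in (REALM_DOMAIN.lower(), REALM_NETBIOS.lower()):
        return {"result": "domain_mismatch", "domain": domain}
    groups = REALM_USERS.get(account.lower())
    if groups is None:
        return {"result": "unknown_user", "user": account}
    return {"result": "identity", "user": account, "groups": groups}


class IdentityTable:
    """IP -> latest identity decision; a new login for an IP overwrites."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, Dict[str, object]] = {}

    def learn(self, ip: str, session_user: str, sgt: Optional[str] = None,
              nas_ip: Optional[str] = None) -> Dict[str, object]:
        self.by_ip[ip] = evaluate(session_user, sgt, nas_ip)
        return self.by_ip[ip]

    def lookup(self, ip: str) -> Optional[Dict[str, object]]:
        return self.by_ip.get(ip)


if __name__ == "__main__":
    table = IdentityTable()
    for ip, name in [("10.0.0.5", "alice@demo.com"),
                     ("10.0.0.6", "host/computer1.demo.com"),
                     ("10.0.0.7", "computer1.demo.com")]:
        print(ip, name, "->", table.learn(ip, name, sgt="Employees"))
```

Running the block shows the asymmetry the thread is about: `alice@demo.com` and `host/computer1.demo.com` resolve to realm users with groups, while the bare FQDN from the certificate CN lands in the fallback branch with only the SGT and NAS IP available.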

TODavies
Level 1

Hi lnemec,

Did you manage to get this working where the authentication information is sent with a username and domain to FMC?

I'm using 802.1X authentication with EAP-TLS; the AD username is in the CN field on the certificate, but I'm unable to get FMC to recognise the AD username as part of the configured Realm.

If I authenticate against ISE using 802.1X with PEAP/MSCHAPv2 it works fine.

We are using ISE with PxGrid to share the authentication events.

Many thanks

Tim