Cisco Employee

FMC User Control with ISE/ISE-PIC

Hi, I was initially trying to set up FTD with user control using active authentication; however, due to the active authentication certificate issue CSCuz37162, I'm now looking at an alternative solution to do the same, whereby FMC will get passive identity from ISE and users get authenticated via the guest portal when joining the wireless network.

The flow would be like this:

  1. User connects to WiFi, gets redirected to the ISE Guest Portal and logs in using AD credentials. (Mandatory requirement to have a landing page for user auth.)
  2. Since the Firepower Management Center does not receive user data for ISE Guest Services users, and users are authenticated to the guest portal via AD credentials, I'm going to configure ISE to obtain user login data from AD (passive identity).
  3. Configure FMC to get user data from ISE.
  4. Create an ACP on FMC with user control.

Questions:

1. Would the above work? As documented, ISE collects logon events from AD. Does this mean that domain-joined PC logon events, or AD user authentication events, will get pushed to ISE too? (WiFi users will authenticate via the guest portal using an AD user; however, they do not have PCs that join the domain.)

2. The customer uses a Ruckus WLC; can Ruckus forward some kind of authentication logs to ISE via syslog for passive identity usage?


Thanks.


Accepted Solution
Cisco Employee

Re: FMC User Control with ISE/ISE-PIC

Hi,

I'm not sure number 1 would work because it isn't an actual "logon" event even if the computer is domain joined. I think question 2 is feasible, as ISE / ISE-PIC could use the syslog messages to generate a passive ID session that could then be shared with FMC. The only question is whether or not Ruckus sends RFC-compliant syslog messages. If they do, then it should work.

Regards,

-Tim
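The accepted answer hinges on two things: the WLC's syslog must be RFC-compliant for ISE/ISE-PIC to parse it, and the parsed event must carry enough identity to build an IP-to-user session. The following is an added example (not ISE or Ruckus code, and not part of the original thread) showing what such a syslog-fed passive identity table looks like: it accepts only RFC 5424 framing, rejects BSD/RFC 3164-style lines the way a strict parser would, and tracks which sessions arrive without a domain, which matters because an undomained username cannot be tied to an AD identity. The message layout (`AUTH-OK`/`DEAUTH` MSGIDs, `user=` and `ip=` SD-PARAMs) and the sample lines are constructed for this example and are not real Ruckus output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 5424 layout: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
# SP MSGID SP STRUCTURED-DATA [SP MSG]. Only the pieces we need are captured.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# SD-PARAM: NAME="VALUE", where VALUE may contain escaped quotes/backslashes.
SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


@dataclass
class Session:
    user: str
    domain: Optional[str]
    ip: str
    seen_at: str


def parse_rfc5424(line: str) -> Optional[dict]:
    """Return header fields plus flattened SD-PARAMs, or None if the line is
    not RFC 5424 framed (e.g. BSD/RFC 3164 style with no VERSION digit)."""
    m = RFC5424.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = dict(SD_PARAM.findall(rec["sd"]))
    return rec


def split_identity(raw: str) -> Tuple[str, Optional[str]]:
    """Split 'CORP\\alice' or 'alice@corp.example' into (user, domain).
    A bare 'alice' carries no domain and cannot be mapped to an AD identity."""
    if "\\" in raw:
        dom, user = raw.split("\\", 1)
        return user, dom
    if "@" in raw:
        user, dom = raw.rsplit("@", 1)
        return user, dom
    return raw, None


class PassiveIdTable:
    """IP -> session mapping: the artefact a passive identity provider would
    publish to a consumer such as FMC (hypothetical, simplified)."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, Session] = {}
        self.rejected: List[str] = []   # lines that were not RFC 5424 framed
        self.no_domain: List[str] = []  # IPs whose session has no AD domain

    def ingest(self, line: str) -> Optional[Session]:
        rec = parse_rfc5424(line)
        if rec is None:
            self.rejected.append(line)
            return None
        p = rec["params"]
        ip = p.get("ip")
        if rec["msgid"] == "DEAUTH" and ip:
            return self.by_ip.pop(ip, None)       # session ended
        if rec["msgid"] != "AUTH-OK" or not ip or "user" not in p:
            return None                           # not a usable auth event
        user, domain = split_identity(p["user"])
        sess = Session(user, domain, ip, rec["ts"])
        if domain is None:
            self.no_domain.append(ip)
        self.by_ip[ip] = sess                     # newer logon supersedes
        return sess

    def lookup(self, ip: str) -> Optional[str]:
        s = self.by_ip.get(ip)
        if s is None:
            return None
        return f"{s.domain}\\{s.user}" if s.domain else s.user


# Constructed sample feed (hypothetical message layout, not real Ruckus output).
SAMPLE_FEED = [
    '<14>1 2019-05-20T09:00:01Z wlc1 wlan - AUTH-OK [auth user="CORP\\alice" ip="10.1.20.15" ssid="guest"]',
    '<14>1 2019-05-20T09:00:05Z wlc1 wlan - AUTH-OK [auth user="bob" ip="10.1.20.16" ssid="guest"]',
    '<14>May 20 09:00:09 wlc1 wlan: user carol authenticated 10.1.20.17',  # RFC 3164 style, rejected
    '<14>1 2019-05-20T09:05:00Z wlc1 wlan - DEAUTH [auth ip="10.1.20.15"]',
    '<14>1 2019-05-20T09:05:02Z wlc1 wlan - AUTH-OK [auth user="dave@corp.example" ip="10.1.20.15"]',
]


def build_table(lines=SAMPLE_FEED) -> PassiveIdTable:
    table = PassiveIdTable()
    for ln in lines:
        table.ingest(ln)
    return table


if __name__ == "__main__":
    t = build_table()
    for ip, s in t.by_ip.items():
        print(ip, "->", t.lookup(ip), "(no domain)" if s.domain is None else "")
    print("rejected non-RFC5424 lines:", len(t.rejected))
```

Two checks worth running against a real WLC before relying on this path: capture a few live syslog lines and confirm they carry a VERSION digit and structured data (or whatever template the identity provider expects), and confirm the username field includes the domain, since the thread's closing bug note concerns exactly that attribute going missing for guest authentications.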


Enthusiast

Re: FMC User Control with ISE/ISE-PIC

Hi,

Has this problem been resolved? Because we are trying to implement the same scenario for similar Firepower captive portal reasons.

Sending AD user info to FMC with the ISE Guest Portal via the ISE PIC service. We did it and have come almost to the end, but we are seeing unknown users in the Connection Events logs for the portal-authenticated users.

The interesting thing is, we can see AD users logged on through the portal in FMC Users Activity, but the same user shows up in the connection event logs as unknown.

Why can't FMC write the users it sees in Users Activity to Connection Events?

I think the Cisco Firepower team should develop this a little bit more, related to captive portal or getting user information from ISE Guest Services.

This is a feature that should always be used.

Do you have any experience or suggestions for this?

Thanks and regards,

Murat


Beginner

Re: FMC User Control with ISE/ISE-PIC

Hi,

Same scenario and same behaviour: the user in FMC is shown in Users Activity and the host profile, but not in Connection Events.

Is this expected, or could it be a bug?

Thanks

 

 

Enthusiast

Re: FMC User Control with ISE/ISE-PIC

This is no bug; this feature is currently just not supported. FMC cannot get the user info from ISE Guest Service.

 

you can find it here 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/control_users_with_ise_ise_pic.pdf

(attachment: ise guest users.jpg)

Cisco Employee

Re: FMC User Control with ISE/ISE-PIC

Please work through TAC.

CSCvd38796: ISE doesn't save domain attribute for guest authentication with AD users (Firepower integration)