Active Auth/Passive ID/pxGrid Question

paul
Level 10

I wanted to check out how identity mapping should work in the following situation which is a common setup we use at customers:

  1. From a network perspective, many customers just want to make sure that connecting devices are managed by the company.  For domain joined devices the simplest way to ensure that is PEAP/Computer.  So in active authentication, the identity mapping would be IP to computer name.
  2. For external systems like Stealthwatch/FMC, the desired identity mapping is IP to username.  So we either need to change the active authentication scheme or utilize Passive ID to get the IP to username mapping.

My question is how does ISE resolve the discrepancy between the active auth having IP to computer and passive ID having IP to username?  Or does ISE just feed all the information over pxGrid and let the connected systems figure it out?

I have had mixed results testing, but need to do more testing.

Any thoughts would be appreciated.

Accepted Solution

Timothy Abbott
Cisco Employee

ISE simply publishes the information it receives to pxGrid. It is then up to the subscribers to handle the data. For a session to be created during active authentication, ISE must have the MAC address of the endpoint. Once it has that, it will continue to add information as it comes in (IP / hostname / username, etc.). Passive ID requires a username and an IP address to build a session. If it gets a MAC address first, it will hold that information in memory until it can match it to a username and IP. Once the required information is obtained for either active or passive auth, it will publish to pxGrid subscribers. HTH.

Regards,

-Tim


6 Replies

Right, and from another user:

"ISE sends whatever data it has in the Endpoint ID field of the session table. It's typically one ID (could be an Active Directory user or computer account name); it will be two IDs in the case of Easy Connect (MAC address, user-id). The partner system, like Stealthwatch, would have 3 entries in an Easy Connect session: the endpoint’s MAC address, MAC-&-user-id and user-id alone mapped to the IP address; however, the most current ID to IP address mapping will be marked “current”.

That's my observation with ISE and Stealthwatch integration with Easy Connect."

If you're getting inconsistency, it might be a bug; I also asked others to take a look.

Hey Paul,

When testing with FMC & Stealthwatch, please note the version numbers and release notes. FMC had some issues when using passive identity: when a user logged on to AD, the mapping was correct. After 802.1X re-auth occurred, the previous user mapping was overwritten by the machine mapping, and the identity rules on the FMC no longer worked.

Thanks,

John

jeppich@cisco.com
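The two behaviours described above (the quoted Stealthwatch observation that a subscriber holds several identities per IP with the newest marked "current", and John's report of an 802.1X re-auth overwriting a user mapping with the machine account) can be reproduced on the subscriber side with a small merge table. This is an added example, not ISE, pxGrid, FMC or Stealthwatch code; the event field names, IPs, MACs and identities are constructed assumptions, not the real pxGrid session schema.

```python
"""Subscriber-side merging of ISE session updates, one table per IP.

Constructed example (not ISE or pxGrid code): field names and values are
assumptions chosen to mirror the thread, not the real pxGrid session schema.
"""
from collections import defaultdict

# Constructed notifications: 802.1X PEAP/Computer auth, then a Passive ID
# logon for the same IP, then an 802.1X re-auth that carries the machine
# identity again (the sequence John describes), plus a machine-only host.
EVENTS = [
    {"t": 1, "ip": "10.1.1.5", "mac": "00:11:22:33:44:55",
     "identity": "host/WS01.corp.example", "source": "dot1x"},
    {"t": 2, "ip": "10.1.1.5", "identity": "alice", "source": "passiveid"},
    {"t": 3, "ip": "10.1.1.5", "mac": "00:11:22:33:44:55",
     "identity": "host/WS01.corp.example", "source": "dot1x"},
    {"t": 4, "ip": "10.1.1.9", "mac": "00:11:22:33:44:66",
     "identity": "host/PRINTER7.corp.example", "source": "dot1x"},
]

def is_machine_identity(identity):
    """PEAP/Computer identities look like host/<fqdn> or <NAME>$."""
    return identity.startswith("host/") or identity.endswith("$")

def build_table(events):
    """Keep every identity ever reported per IP, newest last (the several
    entries per IP that the quoted user saw in Stealthwatch)."""
    table = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        table[e["ip"]].append((e["t"], e["identity"], e["source"]))
    return dict(table)

def current_identity(table, ip):
    """Last-writer-wins: the newest mapping is 'current', so an 802.1X
    re-auth replaces the user with the machine account."""
    entries = table.get(ip)
    return entries[-1][1] if entries else None

def resolved_user(table, ip):
    """Prefer the newest *user* identity for the IP and fall back to the
    machine identity only when no user was ever seen, so user-based policy
    survives a machine re-auth."""
    entries = table.get(ip, [])
    users = [i for _, i, _ in entries if not is_machine_identity(i)]
    if users:
        return users[-1]
    return entries[-1][1] if entries else None

if __name__ == "__main__":
    t = build_table(EVENTS)
    print(current_identity(t, "10.1.1.5"))  # machine account after re-auth
    print(resolved_user(t, "10.1.1.5"))     # alice
```

A real subscriber also needs a logoff or timeout rule so a stale user identity does not outlive the user; the thread does not say how FMC or Stealthwatch age their entries.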

That is one of my main concerns. The 802.1x reauth messing up the identity mappings in FMC/Stealthwatch. Sounds like you have confirmed this to be a valid concern.

Is that fixed in a newer version of FMC? Is Stealthwatch able to handle the 802.1x reauth event okay?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

jeppich
Cisco Employee

Hey Paul,

Let me get back with you on the status and versions of FMC and look into Stealthwatch. I'm on travel this week and next week, so my responses may be delayed.

Thanks,

John

jeppich@cisco.com

Just enabled pxGrid and Stealthwatch as a subscriber. We are doing dot1x authentication and MAB on certain devices. Information for dot1x devices is not being seen in Stealthwatch. Running SW 7.1.1. Any thoughts?