Solved: Cisco ISE user to IP mapping

sanchezeldorado · ‎02-02-2022

Hello. I've been thrown at a network with a basic ISE deployment. There isn't a lot setup, but I need to be able to configure Firepower access rules based on username. I understand the FMC configuration and the pxGrix configuration to ISE. What I can't seem to find much information on is how ISE is supposed to get username to IP address information. Specifically for a domain computer that hasn't done anything but login to the computer. It makes sense how ISE would be able to match things up if a user logs into VPN or tacacs.

A secondary question. What happens if you have a citrix server. If my firewall allows a user logged into citrix access to a website, does it then allow all other users on that citrix server as well? My understanding is that the firewall's rule looks up the user and then allows the user by its associated IP address.

Any help is much appreciated. Thanks!

Andy

Edit: I have a new cisco wireless controller that seems to be reporting username to IP mapping to ISE, but I don't understand how it gets the AD user and how it reports it to ISE. I'd like to understand that part too.

Milos_Jovanovic · ‎02-03-2022

Hi @sanchezeldorado,

What you are looking for is called Passive Identity on ISE. When user does logon to its PC, PC will authenticate user against AD, and AD will at that moment create security event log in which it will record username and an IP address from where request came. ISE will be integrated with AD servers (to all of them, as security events are not replicated among DCs), and by using WMI, it will read through these logs, parse them, and create its own knowledge of user-to-IP mapping.

You can find more details on ISE-PIC documentation, and you can also check this Cisco Live presentation/LAB.

ISE also supports Citrix and similar Terminal Services solutions. This support is done with installation of TS agent on each Citrix server, which will then support sending info about user, IP and associated port blocks back to ISE. I havent worked with these before, so I don't know how it is done in reallity. You can read about it here.

For devices which are using ISE nativelly, e.g. over 802.1x (such as WLC-ISE scenraio in which you are authenticating your users against ISE), ISE will learn their IPs directly .

BR,

Milos

View solution in original post

Milos_Jovanovic · ‎02-03-2022

Hi @sanchezeldorado,

What you are looking for is called Passive Identity on ISE. When user does logon to its PC, PC will authenticate user against AD, and AD will at that moment create security event log in which it will record username and an IP address from where request came. ISE will be integrated with AD servers (to all of them, as security events are not replicated among DCs), and by using WMI, it will read through these logs, parse them, and create its own knowledge of user-to-IP mapping.

You can find more details on ISE-PIC documentation, and you can also check this Cisco Live presentation/LAB.

ISE also supports Citrix and similar Terminal Services solutions. This support is done with installation of TS agent on each Citrix server, which will then support sending info about user, IP and associated port blocks back to ISE. I havent worked with these before, so I don't know how it is done in reallity. You can read about it here.

For devices which are using ISE nativelly, e.g. over 802.1x (such as WLC-ISE scenraio in which you are authenticating your users against ISE), ISE will learn their IPs directly .

BR,

Milos

sanchezeldorado · ‎02-03-2022

Thank you! All the articles I could find focused on the pxGrid connection to FMC. This is exactly what I needed.

Milos_Jovanovic · ‎02-03-2022

Thanks for the feedback.

Great to hear that, glad to help.

BR,
Milos