Cisco ISE with FMC Integration issue

Al Core
Level 1

Hi,

I made an integration through PxGrid between ISE3.8 and FMC6.7. Integration works fine without errors, FMC in "Connected" status.

I connected FMC to AD and made an identity policy, but FMC does not receive active sessions from ISE. I do not see any user information in the Analysis/Users tab.

From the output "adi_cli session" I see how FMC receives information about SGT tags:

received realm information: operation REALM_DELETE_ALL, Null realm info
received realm information: operation REALM_ADD, realm name eiu.lab, short name EIU, id 2
ADI is connected
received security group operation: DELETE ALL
received security group operation: ADD id: 92bb1950-8c01-11e6-996c-525400b48521 name: ANY fullyQualifiedName: Any Security Group tag: 65535
received security group operation: ADD id: 934557f0-8c01-11e6-996c-525400b48521 name: Auditors fullyQualifiedName: Auditor Security Group tag: 9
received security group operation: ADD id: 935d4cc0-8c01-11e6-996c-525400b48521 name: BYOD fullyQualifiedName: BYOD Security Group tag: 15
received security group operation: ADD id: 9370d4c0-8c01-11e6-996c-525400b48521 name: Contractors fullyQualifiedName: Contractor Security Group tag: 5
received security group operation: ADD id: 93837260-8c01-11e6-996c-525400b48521 name: Developers fullyQualifiedName: Developer Security Group tag: 8
received security group operation: ADD id: 9396d350-8c01-11e6-996c-525400b48521 name: Development_Servers fullyQualifiedName: Development Servers Security Group tag: 12
received security group operation: ADD id: 93ad6890-8c01-11e6-996c-525400b48521 name: Employees fullyQualifiedName: Employee Security Group tag: 4
received security group operation: ADD id: 93c66ed0-8c01-11e6-996c-525400b48521 name: Guests fullyQualifiedName: Guest Security Group tag: 6
received security group operation: ADD id: 93e1bf00-8c01-11e6-996c-525400b48521 name: Network_Services fullyQualifiedName: Network Services Security Group tag: 3
received security group operation: ADD id: 93f91790-8c01-11e6-996c-525400b48521 name: PCI_Servers fullyQualifiedName: PCI Servers Security Group tag: 14
received security group operation: ADD id: 940facd0-8c01-11e6-996c-525400b48521 name: Point_of_Sale_Systems fullyQualifiedName: Point of Sale Security Group tag: 10
received security group operation: ADD id: 9423aa00-8c01-11e6-996c-525400b48521 name: Production_Servers fullyQualifiedName: Production Servers Security Group tag: 11
received security group operation: ADD id: 9437a730-8c01-11e6-996c-525400b48521 name: Production_Users fullyQualifiedName: Production User Security Group tag: 7
received security group operation: ADD id: 944b2f30-8c01-11e6-996c-525400b48521 name: Quarantined_Systems fullyQualifiedName: Quarantine Security Group tag: 255
received security group operation: ADD id: 94621290-8c01-11e6-996c-525400b48521 name: Test_Servers fullyQualifiedName: Test Servers Security Group tag: 13
received security group operation: ADD id: 947832a0-8c01-11e6-996c-525400b48521 name: TrustSec_Devices fullyQualifiedName: TrustSec Devices Security Group tag: 2
received security group operation: ADD id: 92adf9f0-8c01-11e6-996c-525400b48521 name: Unknown fullyQualifiedName: Unknown Security Group tag: 0

But there is no information about dot1x or remote access sessions.

I cannot open a case with TAC because it is a lab environment.

Any thoughts?
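The adi_cli session output above can be triaged mechanically. The following Python is an added example, not part of the post or of any Cisco tooling: it parses the realm and security-group lines in the format shown above, treats every other line as unclassified (the thread does not show what a session record looks like, so no format is assumed for it), and reports the state this thread is about: the SGT/realm feed arriving while no session records appear, which points at the ISE sessions-topic subscription and identity type discussed in the replies.

```python
import re

# Constructed sample: a few lines copied from the adi_cli session output in the post above.
SAMPLE_OUTPUT = """\
received realm information: operation REALM_DELETE_ALL, Null realm info
received realm information: operation REALM_ADD, realm name eiu.lab, short name EIU, id 2
ADI is connected
received security group operation: DELETE ALL
received security group operation: ADD id: 92bb1950-8c01-11e6-996c-525400b48521 name: ANY fullyQualifiedName: Any Security Group tag: 65535
received security group operation: ADD id: 93ad6890-8c01-11e6-996c-525400b48521 name: Employees fullyQualifiedName: Employee Security Group tag: 4
received security group operation: ADD id: 944b2f30-8c01-11e6-996c-525400b48521 name: Quarantined_Systems fullyQualifiedName: Quarantine Security Group tag: 255
"""

# Patterns derived from the line shapes visible in the post; fqn is matched lazily so "tag:" ends it.
SGT_ADD = re.compile(r"^received security group operation: ADD id: (?P<id>\S+) "
                     r"name: (?P<name>\S+) fullyQualifiedName: (?P<fqn>.+?) tag: (?P<tag>\d+)$")
REALM_ADD = re.compile(r"^received realm information: operation REALM_ADD, realm name (?P<realm>\S+), "
                       r"short name (?P<short>\S+), id (?P<id>\d+)$")
KNOWN_PREFIXES = ("received realm information:", "received security group operation:")


def parse_adi_output(text):
    """Classify each adi_cli line: realms, SGT name->tag map, connection flag, and unclassified lines."""
    realms, sgts, unclassified, connected = {}, {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "ADI is connected":
            connected = True
        elif (m := SGT_ADD.match(line)):
            sgts[m["name"]] = int(m["tag"])
        elif (m := REALM_ADD.match(line)):
            realms[m["realm"]] = m["short"]
        elif not line.startswith(KNOWN_PREFIXES):
            unclassified.append(line)  # anything not recognised, e.g. session records, is surfaced to the operator
        # DELETE ALL / REALM_DELETE_ALL housekeeping lines carry nothing to record
    return {"connected": connected, "realms": realms, "sgts": sgts, "unclassified": unclassified}


def triage(parsed):
    """Map the parsed state to the next thing to check, following the thread's reasoning."""
    if not parsed["connected"]:
        return "not connected: check the FMC-ISE pxGrid connection and certificates first"
    if parsed["sgts"] and not parsed["unclassified"]:
        return ("SGT/realm feed ok but no session records: confirm FMC is subscribed to the ISE "
                "sessions topic and that 802.1X uses user identity, not only machine identity")
    return "unrecognised records present: inspect parsed['unclassified'] for session data"
```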


Octavian Szolga
Level 4

Hi,

Is the 802.1x environment using machine or user identity?

If it's machine identity, I'm not sure it will work.

What ISE version are you using? (There is no such thing as 3.8.)

To what topics have you subscribed on FMC regarding ISE pXgrid integration?


According to the FMC 6.7 user guide, you need:

  • Supported ISE/ISE-PIC versions: 2.6 patch 6 or later, 2.7 patch 2 or later

BR,

Octavian

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/control_users_with_ise_ise_pic.html#task_70A1D11CEE7E4F7F84CF90777F8E195F

hslai
Cisco Employee

I second what Octavian already said in this discussion thread.

ISE sessions can come either from Passive ID or from active authentications. In the case of active authentications and SGT assignments, the info could be propagated through in-line tagging. If in-line tagging is not applicable, then please ensure the FMC is subscribed to the sessions topic in ISE.

A few other references I found on the net: