704 Views, 0 Helpful, 5 Replies

does ise pic via pxgrid provide passive identity information for self sponsored and sponsored guests

mpeeters (Cisco Employee)

The customer wants to track connection events by guests on the FMC. The connection logs should contain not only their associated IP address but also the user name previously defined in the guest portal.

The question I ask is: does the integration between Cisco ISE and Firepower Management Center allow the FMC connection logs to carry the username information as well as the IP address associated with the guest users?

Or is this limited to corporate 802.1X users only, or to users with AD as the identity store?

Accepted Solution

Jason Kunst (Cisco Employee)

ISE PIC and guest don't run in the same deployment. You can't run active authentication such as guest with a PIC deployment. ISE PIC, as you stated, is for passive identity sharing.

I am still investigating this.

5 Replies


Thx Jason,

Would you investigate with ISE pls.

ISE runs the same code as ISE-PIC with regards to identity, so you will run into the same problem. My understanding is that while you could use a method such as syslog to allow ISE / PIC to learn the user-to-IP mapping, the challenge you will run into is that you won't know if it is a guest user or not. I'm not aware of a guest topic in pxGrid today, so that would be a feature request.

Regards,

-Tim

I believe the other issue you may have is that ISE doesn't show the guest user on subsequent authentications after the initial connection. Say, for example, your purge policy on the guest endpoints is 5 days. The first day the guest connects and logs into the portal, the live log will show the guest username as the identity. I would think that information would be shared on pxGrid.

When they come back on day two and hit the rule for guest endpoints, ISE is just going to show the MAC address in the live logs as the identity. I don't think that has been fixed in ISE, but I haven't looked at this in detail for a while.

We are looking at this, but it might take a week or so to validate.

Right. That use case won't work. Remember Me as the fix doesn't send an updated username. Now there is UserName and User-Name.

https://community.cisco.com/t5/security-documents/ise-2-3-remember-me-guest-using-guest-endpoint-group-logging/ta-p/3641150
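The two failure modes raised above (a user-to-IP mapping learned from syslog that cannot be told apart from a corporate one, and a returning guest endpoint whose identity is reported as a MAC address rather than the portal username) can be checked before anyone relies on the FMC connection logs. The following is an added example, not code from the thread or from Cisco; it takes user-to-IP mapping records as plain Python dictionaries whose field names (`ip`, `UserName`, `User-Name`, `source`) are assumptions for illustration and not ISE or pxGrid attribute names, accepts either spelling of the username key as mentioned in the last reply, and classifies each mapping as carrying a real username, a MAC address, or nothing at all, so an analyst can see which connection events will never be attributable to a named guest.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common MAC address spellings: colon, dash, Cisco dotted, and bare 12 hex digits.
_MAC_PATTERNS = [
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),
    re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$", re.I),
    re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I),
    re.compile(r"^[0-9a-f]{12}$", re.I),
]

# Both key spellings from the thread; which one a record carries is an assumption here.
_USERNAME_KEYS = ("UserName", "User-Name")


def is_mac_address(value: str) -> bool:
    """True when the identity string is a MAC address in any common notation."""
    return any(p.match(value.strip()) for p in _MAC_PATTERNS)


def extract_identity(record: dict) -> Optional[str]:
    """Return the first non-empty username field, whichever spelling is present."""
    for key in _USERNAME_KEYS:
        value = record.get(key)
        if value:
            return value.strip()
    return None


@dataclass(frozen=True)
class MappingFinding:
    ip: str
    identity: Optional[str]
    kind: str  # "username", "mac" or "missing"
    source: str


def audit_mappings(records: Iterable[dict]) -> List[MappingFinding]:
    """Classify each user-to-IP mapping by what kind of identity it carries.

    A "mac" finding is the day-two guest case from the thread: the endpoint
    matched a guest-endpoint rule and the identity reported is its MAC, so a
    connection log keyed on this mapping will not show the portal username.
    """
    findings = []
    for rec in records:
        identity = extract_identity(rec)
        if identity is None:
            kind = "missing"
        elif is_mac_address(identity):
            kind = "mac"
        else:
            kind = "username"
        findings.append(MappingFinding(rec.get("ip", ""), identity, kind, rec.get("source", "")))
    return findings


def summarize(findings: Iterable[MappingFinding]) -> dict:
    """Count findings per kind, e.g. {"username": 2, "mac": 2, "missing": 1}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample records (not real ISE output): a first-day guest login,
# the same endpoint on day two reported by MAC, a corporate user, a dotted-MAC
# endpoint, and a record with no username at all.
SAMPLE_RECORDS = [
    {"ip": "10.10.20.15", "UserName": "guest-visitor01", "source": "guest-portal"},
    {"ip": "10.10.20.15", "User-Name": "00:11:22:33:44:55", "source": "guest-endpoint-rule"},
    {"ip": "10.10.30.7", "User-Name": "jdoe@corp.example", "source": "dot1x"},
    {"ip": "10.10.20.42", "UserName": "0011.2233.4455", "source": "guest-endpoint-rule"},
    {"ip": "10.10.40.9", "source": "syslog"},
]


if __name__ == "__main__":
    results = audit_mappings(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.ip:<14} {f.kind:<9} {f.identity or '-':<22} ({f.source})")
    print("summary:", summarize(results))
```

Run stand-alone it prints one line per mapping and a per-kind summary; the "mac" rows are the ones to expect in the FMC logs for a returning guest, and the "missing" row is the syslog-learned case Tim describes, where no username was attached at all. Extend the classification with a per-source check if your own feed tags which rule or portal produced the mapping.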
