01-16-2019 02:32 AM
The customer wants to track connection events by guests on the FMC. The connection logs should contain not only their associated IP address but also the user name previously defined in the guest portal.
The question I ask is: does the integration between Cisco ISE and Firepower Management Center allow having, on the FMC connection logs, the username information as well as the IP address associated with the guest users?
Or is this limited to corporate-only 802.1X users or AD as the identity store users?
01-16-2019 03:27 AM - edited 01-16-2019 07:47 AM
ISE PIC and guest don’t run in the same deployment. You can’t run active authentication such as guest with a PIC deployment. ISE PIC, as you stated, is for passive identity sharing.
I am still investigating this.
01-16-2019 08:19 AM
Thx Jason,
Would you investigate with ISE pls.
01-16-2019 10:43 AM
ISE runs the same code as ISE-PIC with regards to identity so you will run into the same problem. My understanding is that while you could use a method such as syslog to allow ISE / PIC to learn the user to IP mapping, the challenge you will run into is that you won't know if it is a guest user or not. I'm not aware of a guest topic in pxGrid today so that would be a feature request.
Regards,
-Tim
01-16-2019 01:19 PM
I believe the other issue you may have is ISE doesn't show the guest user on subsequent authentications after the initial connection. Say for example your purge policy on the guest endpoints is 5 days. The first day the guest connects and logs into the portal, the live log will show the guest username as the identity. I would think that information would be shared on pxGrid.
When they come back on day two and hit the rule for guest endpoints ISE is just going to show the MAC address in the live logs as the identity. I don't think that has been fixed in ISE, but haven't looked at this in detail for a while.
01-16-2019 01:32 PM
We are looking at this but it might take a week or so to validate
Right. That use case won’t work. Remember Me as the fix doesn’t send an updated username. Now there is UserName and User-Name.