FMC Integration with ISE pxGrid with machine based authentication

elemzy
Beginner

Hi,

Is there anyone that can point me in the right direction of how to create access policies on FMC based on information from pxGrid, when ISE is using machine-based authentication? From what I learnt, since machine authentication logs the user as host/userid, this information is not usable by FMC.

ISE 3.0, FMC 6.7.

Any suggestion will be appreciated.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

@elemzy I don't have my lab open to check and I also can't recall ever using computers in an Access Control rule, but I know the IP/Computername binding is received by the FMC.

I see no reason why you could not create an Access Control rule based on the AD group the computer account is a member of or assign an SGT in ISE and use the source SGT in the Access Control rule.

4 REPLIES

Timothy Abbott
Cisco Employee

Hi,

I'm checking on the details of machine authentication information being shared via pxGrid but it sounds like the problem is a limitation with FMC itself. You'll need to reach out to the FMC team on how / when that use case is supported.

Regards,

-Tim

Thanks Tim,

Does this mean I'm limited to PEAP authentication only when using ISE active authentication? Or do you know of any other option?

What do you mean by reach out to the FMC team? Through an official TAC case?

Thanks for your response, Rob.

Using the computer ID in the ISE access rule will defeat the ability to log activities based on the user name. I might be limited to using SGT here. What I'm shying away from is having to break down the domain computer/authenticated user rule on ISE to multiple domain computer/AD groups, to assign different SGTs per AD group, so I can create AD group based controls on FMC.
