cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2491
Views
25
Helpful
5
Replies

FMC Integration with ISE pxGrid with machine based authentication

elemzy
Level 1
Level 1

Hi,

Is there anyone that can point me in the right direction of how to create access policies on FMC based on information from pxGrid, when ISE is using machine-based authentication? From what I learnt, since machine authentication logs the user as host/userid, this information is not usable by FMC.

ISE 3.0, FMC 6.7.

Any suggestion will be appreciated.

Thanks

1 Accepted Solution

Accepted Solutions

@elemzy I don't have my lab open to check and I also can't recall ever using computers in a Access Control rule, but I know the IP/Computername binding is received by the FMC.

 

I see no reason why you could not create an Access Control rule based on the AD group the computer account is a member of or assign an SGT in ISE and use the source SGT in the Access Control rule.

View solution in original post

5 Replies 5

Timothy Abbott
Cisco Employee
Cisco Employee

Hi,

 

I'm checking on the details of machine authentication information being shared via pxGrid but it sounds like the problem is a limitation with FMC itself.  You'll need to reach out to the FMC team on how / when that use case is supported.

 

Regards,

-Tim

thanks Tim,

Does this mean Im limited to PEAP authentication only when using ISE active authentication? Or do you know of any other option?

What do you mean by reach out to the FMC team? Through an official Tac case?

@elemzy I don't have my lab open to check and I also can't recall ever using computers in a Access Control rule, but I know the IP/Computername binding is received by the FMC.

 

I see no reason why you could not create an Access Control rule based on the AD group the computer account is a member of or assign an SGT in ISE and use the source SGT in the Access Control rule.

Thanks for your response, Rob.

Using the computer ID in the ISE access rule will defeat the ability to log activities based on the user name. I might be limited to using SGT here. What I'm shying from is having to break down the domain computer/authenticated user rule on ise to multiple domain computer/ad-groups, to assign different SGTs per AD group, so I can create AD group based controls on FMC.

~Saj~
Level 1
Level 1

Hi Experts,

Any update on this behaviour? I'm having a similar issue. I think it's more along the lines discussed in this thread.

Brief info on the setup:

  • Windows desktops authenticate using the device auth cert to ISE
  • Passive ID using to get the User to IP mappings from AD
  • The same information is passed to FMC through the PxGrid

In the FMC, we can see the User to IP mapping for clients with Device Auth. However, an identity-based policy not working for users with device auth. why can FMC not execute an identity-based rule when the User to IP mapping details are available?

Users with PEAP auth do work fine with the identity-based rules.