Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2436
Views
25
Helpful
5
Replies

FMC Integration with ISE pxGrid with machine based authentication

Go to solution
elemzy
Level 1
Level 1

‎09-22-2021 11:06 PM

Hi,

Is there anyone that can point me in the right direction of how to create access policies on FMC based on information from pxGrid, when ISE is using machine-based authentication? From what I learnt, since machine authentication logs the user as host/userid, this information is not usable by FMC.

ISE 3.0, FMC 6.7.

Any suggestion will be appreciated.

Thanks

1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to elemzy

‎09-23-2021 09:47 AM

@elemzy I don't have my lab open to check and I also can't recall ever using computers in a Access Control rule, but I know the IP/Computername binding is received by the FMC.

 

I see no reason why you could not create an Access Control rule based on the AD group the computer account is a member of or assign an SGT in ISE and use the source SGT in the Access Control rule.

View solution in original post

5 Replies 5

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎09-23-2021 07:24 AM

Hi,

 

I'm checking on the details of machine authentication information being shared via pxGrid but it sounds like the problem is a limitation with FMC itself.  You'll need to reach out to the FMC team on how / when that use case is supported.

 

Regards,

-Tim

Go to solution
elemzy
Level 1
Level 1
In response to Timothy Abbott

‎09-23-2021 07:38 AM

thanks Tim,

Does this mean Im limited to PEAP authentication only when using ISE active authentication? Or do you know of any other option?

What do you mean by reach out to the FMC team? Through an official Tac case?

Go to solution
Rob Ingram
VIP
VIP
In response to elemzy

‎09-23-2021 09:47 AM

@elemzy I don't have my lab open to check and I also can't recall ever using computers in a Access Control rule, but I know the IP/Computername binding is received by the FMC.

 

I see no reason why you could not create an Access Control rule based on the AD group the computer account is a member of or assign an SGT in ISE and use the source SGT in the Access Control rule.

Go to solution
elemzy
Level 1
Level 1
In response to Rob Ingram

‎09-25-2021 11:55 AM - edited ‎09-25-2021 01:14 PM

Thanks for your response, Rob.

Using the computer ID in the ISE access rule will defeat the ability to log activities based on the user name. I might be limited to using SGT here. What I'm shying from is having to break down the domain computer/authenticated user rule on ise to multiple domain computer/ad-groups, to assign different SGTs per AD group, so I can create AD group based controls on FMC.

Go to solution
~Saj~
Level 1
Level 1

‎02-01-2023 10:27 PM

Hi Experts,

Any update on this behaviour? I'm having a similar issue. I think it's more along the lines discussed in this thread.

Brief info on the setup:

  • Windows desktops authenticate using the device auth cert to ISE
  • Passive ID using to get the User to IP mappings from AD
  • The same information is passed to FMC through the PxGrid

In the FMC, we can see the User to IP mapping for clients with Device Auth. However, an identity-based policy not working for users with device auth. why can FMC not execute an identity-based rule when the User to IP mapping details are available?

Users with PEAP auth do work fine with the identity-based rules. 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents