09-22-2021 11:06 PM
Hi,
Is there anyone who can point me in the right direction on how to create access policies on FMC based on information from pxGrid, when ISE is using machine-based authentication? From what I learnt, since machine authentication logs the user as host/userid, this information is not usable by FMC.
ISE 3.0, FMC 6.7.
Any suggestion will be appreciated.
Thanks
09-23-2021 09:47 AM
@ele203026 I don't have my lab open to check and I also can't recall ever using computers in an Access Control rule, but I know the IP/Computername binding is received by the FMC.
I see no reason why you could not create an Access Control rule based on the AD group the computer account is a member of or assign an SGT in ISE and use the source SGT in the Access Control rule.
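As an added illustration of the distinction this thread turns on (not code from Rob's post, from Cisco, or from any FMC/ISE product): a small Python triage over pxGrid-style session records that separates sessions carrying a person's user identity (PEAP user auth, which FMC can match in a user-based Access Control rule) from sessions where ISE logged the machine as host/<computer>, and for the latter reports the SGT as the only match key an Access Control rule has left, as suggested above. The field names userName, ipAddresses, ctsSecurityGroup and adUserDomainName are assumed to match the pxGrid session topic JSON; verify them against your own ISE version. The sample sessions are constructed.

```python
import re
from dataclasses import dataclass

# Machine authentication shows up in ISE as "host/<computer FQDN>".
HOST_RE = re.compile(r"^host/(?P<fqdn>[^/\\@\s]+)$", re.IGNORECASE)


@dataclass
class IdentityDecision:
    ip: str
    kind: str         # "user", "machine" or "unknown"
    principal: str    # normalized user (user@domain) or computer account (NAME$)
    match_key: str    # what an Access Control rule can key on, or "none"


def classify_session(sess: dict) -> IdentityDecision:
    """Decide how an Access Control rule could match this session.

    Field names are assumed pxGrid session-topic attributes (assumption).
    """
    user = (sess.get("userName") or "").strip()
    ips = sess.get("ipAddresses") or []
    ip = ips[0] if ips else ""
    sgt = (sess.get("ctsSecurityGroup") or "").strip()

    m = HOST_RE.match(user)
    if m:
        # Machine auth: the user field names the computer, not a person, so a
        # user-based rule has nothing to match. The fallback from the thread
        # is the SGT ISE assigned, if there is one.
        computer = m.group("fqdn").split(".")[0].upper() + "$"
        key = f"sgt:{sgt}" if sgt else "none"
        return IdentityDecision(ip, "machine", computer, key)

    if user:
        # Normalize DOMAIN\user and user@domain to user@domain (lower-case).
        if "\\" in user:
            domain, name = user.split("\\", 1)
        elif "@" in user:
            name, domain = user.rsplit("@", 1)
        else:
            name, domain = user, (sess.get("adUserDomainName") or "")
        principal = f"{name}@{domain}".lower() if domain else name.lower()
        return IdentityDecision(ip, "user", principal, f"user:{principal}")

    key = f"sgt:{sgt}" if sgt else "none"
    return IdentityDecision(ip, "unknown", "", key)


def summarize(sessions: list) -> dict:
    """Count identity kinds and list the IPs no rule can match at all."""
    out = {"user": 0, "machine": 0, "unknown": 0, "unmatchable": []}
    for s in sessions:
        d = classify_session(s)
        out[d.kind] += 1
        if d.match_key == "none":
            out["unmatchable"].append(d.ip)
    return out


# Constructed sample sessions, not real pxGrid output.
SAMPLE_SESSIONS = [
    {"userName": "host/ws-0123.corp.example", "ipAddresses": ["10.1.2.3"],
     "ctsSecurityGroup": "Corp_Workstations"},
    {"userName": "CORP\\jdoe", "ipAddresses": ["10.1.2.4"],
     "ctsSecurityGroup": "Employees"},
    {"userName": "host/lab-vm.corp.example", "ipAddresses": ["10.1.2.5"]},
    {"userName": "asmith@corp.example", "ipAddresses": ["10.1.2.6"]},
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(classify_session(s))
    print(summarize(SAMPLE_SESSIONS))
```

Feeding a dump of the live session topic through summarize() shows how many endpoints are machine-authenticated with no SGT: those are the sessions that will silently fall through every identity-based rule, and they are the ones to cover with an SGT authorization result in ISE before building the FMC rules.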
09-23-2021 07:24 AM
Hi,
I'm checking on the details of machine authentication information being shared via pxGrid but it sounds like the problem is a limitation with FMC itself. You'll need to reach out to the FMC team on how / when that use case is supported.
Regards,
-Tim
09-23-2021 07:38 AM
thanks Tim,
Does this mean I'm limited to PEAP authentication only when using ISE active authentication? Or do you know of any other option?
What do you mean by reach out to the FMC team? Through an official Tac case?
09-25-2021 11:55 AM - edited 09-25-2021 01:14 PM
Thanks for your response, Rob.
Using the computer ID in the ISE access rule will defeat the ability to log activities based on the user name. I might be limited to using SGT here. What I'm shying away from is having to break down the domain computer/authenticated user rule on ISE into multiple domain computer/AD-group rules, to assign different SGTs per AD group, so I can create AD-group-based controls on FMC.
02-01-2023 10:27 PM
Hi Experts,
Any update on this behaviour? I'm having a similar issue. I think it's more along the lines discussed in this thread.
Brief info on the setup:
In the FMC, we can see the User to IP mapping for clients with Device Auth. However, an identity-based policy is not working for users with device auth. Why can FMC not execute an identity-based rule when the User to IP mapping details are available?
Users with PEAP auth do work fine with the identity-based rules.