FMC User Control with ISE/ISE-PIC

dicmupha
Cisco Employee

Hi, I was initially trying to set up FTD with user control using active authentication; however, due to the active authentication certificate issue CSCuz37162, I'm now looking at an alternative solution to do the same, whereby FMC gets passive identity from ISE and users are authenticated via the guest portal when joining the wireless.

The flow would be like this:

  1. User connects to WiFi and gets redirected to the ISE Guest Portal and logs in using AD credentials (mandatory requirement to have a landing page for user auth).
  2. Since the Firepower Management Center does not receive user data for ISE Guest Services users, and users are authenticated to the guest portal via AD credentials, I'm going to configure ISE to obtain user login data from AD (passive identity).
  3. Configure FMC to get user data from ISE.
  4. Create an ACP on FMC with user control.

Questions:

1. Would the above work? As documented, ISE collects logon events from AD. Does this mean domain-joined PC logon events, or will AD user authentication events get pushed to ISE too? (WiFi users authenticate via the guest portal using AD users; however, they do not have PCs joined to the domain.)

2. The customer uses a Ruckus WLC. Can Ruckus forward some kind of authentication logs to ISE via syslog for passive identity usage?


Thanks.


1 Accepted Solution

Accepted Solutions

Timothy Abbott
Cisco Employee

Hi,

I'm not sure number 1 would work, because it isn't an actual "logon" event even if the computer is domain joined. I think question 2 is feasible, as ISE / ISE-PIC could use the syslog messages to generate a passive ID session that could then be shared with FMC. The only question is whether Ruckus sends RFC-compliant syslog messages. If they do, then it should work.

Regards,

-Tim

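To make the "RFC-compliant syslog" condition in the accepted answer concrete, here is an added example (not from this thread, Cisco, or Ruckus) of what a passive-identity syslog provider like ISE-PIC has to do with a WLC's messages: validate the RFC 5424 header, pull a user and IP out of the message body, and keep an IP-to-user session table that a LOGIN populates and a matching LOGOUT clears. The `user=... ip=...` body layout and the `LOGIN`/`LOGOUT` MSGID values are assumptions standing in for a per-provider parsing template, and the sample lines are constructed, not captured from a real controller.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 5424 header layout (section 6 of the RFC):
# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# Hypothetical key=value layout for the WLC's message body. ISE-PIC maps free-text
# fields to user and IP with a per-provider template; this regex stands in for such
# a template and is an assumption, not a documented Ruckus format.
USER_IP_RE = re.compile(r"user=(?P<user>[^\s,]+)\s+ip=(?P<ip>(?:\d{1,3}\.){3}\d{1,3})")


@dataclass
class SyslogMessage:
    hostname: str
    msgid: str
    msg: str


def parse_rfc5424(line: str) -> Optional[SyslogMessage]:
    """Return the parsed header, or None when the line is not RFC 5424 compliant."""
    m = RFC5424_RE.match(line)
    if not m:
        return None
    # PRI = facility * 8 + severity; facilities 0-23 and severities 0-7 give a max of 191
    if int(m.group("pri")) > 191:
        return None
    return SyslogMessage(m.group("hostname"), m.group("msgid"), m.group("msg") or "")


def build_passive_id_sessions(lines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Build an IP -> username table from LOGIN/LOGOUT events; also return rejected lines."""
    sessions: Dict[str, str] = {}
    rejected: List[str] = []
    for line in lines:
        parsed = parse_rfc5424(line)
        if parsed is None:
            rejected.append(line)  # a non-compliant sender never yields a session
            continue
        fields = USER_IP_RE.search(parsed.msg)
        if fields is None:
            continue  # compliant syslog, but not an identity event
        user, ip = fields.group("user"), fields.group("ip")
        if parsed.msgid == "LOGIN":
            sessions[ip] = user
        elif parsed.msgid == "LOGOUT" and sessions.get(ip) == user:
            del sessions[ip]  # only clear the binding the logout actually refers to
    return sessions, rejected


# Constructed sample lines (not captured from a real Ruckus controller).
SAMPLE_LINES = [
    "<134>1 2019-05-02T10:15:00Z wlc01 guestportal - LOGIN - user=jdoe ip=10.1.20.15",
    "<134>1 2019-05-02T10:16:00Z wlc01 guestportal - LOGIN - user=asmith ip=10.1.20.16",
    "wlc01: guest login user=bwong ip=10.1.20.17",  # no PRI/header at all: not compliant
    "<134>1 2019-05-02T10:45:00Z wlc01 guestportal - LOGOUT - user=jdoe ip=10.1.20.15",
]

if __name__ == "__main__":
    active, bad = build_passive_id_sessions(SAMPLE_LINES)
    print("active sessions:", active)
    print("rejected lines:", bad)
```

Running this on the sample leaves one active session (asmith on 10.1.20.16) and one rejected line; the rejected line is the point of the accepted answer: if the WLC emits free-form text without a proper syslog header, the provider never sees an identity event, and nothing reaches FMC. Checking a controller's actual output against the header regex before wiring it to ISE-PIC is a quick way to settle the "is it RFC compliant" question.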

5 Replies


murat001
Level 4

Hi,

Has this problem been resolved? Because we are trying to implement the same scenario for similar Firepower Captive Portal reasons.

Sending AD user info to FMC with the ISE Guest Portal via the ISE PIC service. We did it and we have come almost to the end, but we are seeing unknown users in the Connection Events logs for the portal-authenticated users.

The interesting thing is, we can see AD users logged on through the portal in the FMC Users Activity, but the same user is seen as unknown in the connection event logs.

Why can't FMC write the users it sees in Users Activity to Connection Events?

I think the Cisco Firepower team should develop a little bit more related to the captive portal or getting user information from ISE Guest Services.

This is a feature that should always be used.

Do you have any experience and suggestions for this?

Thanks, regards.

Murat

Hi,

Same scenario and same behaviour: the user in FMC is shown in Users Activity and the host profile, but not in Connection Events.

Is this expected, or could it be a bug?

Thanks

This is not a bug; this feature is currently not supported. FMC cannot get the user info from ISE Guest Service.

You can find it here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/control_users_with_ise_ise_pic.pdf

(attachment: ise guest users.jpg)

Please work through TAC.

CSCvd38796: ISE doesn't save domain attribute for guest authentication with AD users (Firepower integration)