Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1444
Views
5
Helpful
4
Replies

Identity Service Through Cisco ISE

MSJ1
Level 1
Level 1

‎06-08-2021 08:50 AM

Hello,

 

I need some suggestions / guideline regards to one of my query as below.

 

my client wants to use Cisco ISE to be identity provider for some of local firewalls ( FMC ) to allow AD Based rule for the Firewalls Managed by FMC. What I need to configure for this to happen ? Can you suggest ?

 

Currently there are AD Connection with ISE for other solutions ( anyconnect ) , but firewalls they are trying to use has no relation with ISE for any solution perspective. For those Firewalls they just want to use ISE as Identity Provider so that they can use AD Based Rule at those Firewalls.

1 person had this problem
4 Replies 4

mohanB
Level 1
Level 1

‎06-08-2021 12:43 PM

Recently had to do this. In brief, you can use ISE-PIC (can be separate node or can be enable in existing node as a persona), which basically is identity source, on the backend it can integrate with ADs using WMI (few other methods are out there as well) to receive user login information, which then it can use to build user id to IP address mapping. This information then can be passed to FMC using pxGrid protocol. Once you have the FMC configured with realms and can download users and groups, and have user-IP mapping from pxGrid. Then you can code firewall rule using AD user and group. Once traffic matches the identity rule, it looks up to see if it matches the identity conditions and access rule can be coded to allow or deny that traffic.

Obviously as always, better to plan the resources need appropriately and if separate ISE-PIC node needs to be deployed or not

 

 

0 Helpful

Peter Koltl
Level 7
Level 7

‎06-10-2021 02:03 PM

Is ISE aware of all user session’s IP addresses? (E. g. by means of 802.1X) If not, FMC should query the AD and use AD directly as identity source. Thus, pxGrid may not be necessary  between ISE and FMC.

0 Helpful

MSJ1
Level 1
Level 1
In response to Peter Koltl

‎06-10-2021 02:55 PM

Hello Peter,

 

How I can validate below ? I know that ISE I am using is used for one existing VPN as Identity Sources ( i.e FMC - FMC is the manager for VPN Firewall ) 

 

"Is ISE aware of all user session’s IP addresses? "

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎06-13-2021 06:07 PM

I think mohanB is correct. That is, ISE can learn the users' IP addresses passively through the Passive Identity service.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents