
Identity Service Through Cisco ISE

MSJ1
Beginner

Hello,

I need some suggestions / guidelines regarding one of my queries, as below.

My client wants to use Cisco ISE as the identity provider for some local firewalls (FMC) to allow AD-based rules for the firewalls managed by FMC. What do I need to configure for this to happen? Can you suggest?

Currently there is an AD connection with ISE for other solutions (AnyConnect), but the firewalls they are trying to use have no relation with ISE from any solution perspective. For those firewalls they just want to use ISE as the identity provider so that they can use AD-based rules at those firewalls.


mohanB
Beginner

Recently had to do this. In brief, you can use ISE-PIC (it can be a separate node or can be enabled in an existing node as a persona), which is basically an identity source; on the backend it can integrate with ADs using WMI (a few other methods are out there as well) to receive user login information, which it then uses to build a user ID to IP address mapping. This information can then be passed to FMC using the pxGrid protocol. Once you have the FMC configured with realms, can download users and groups, and have the user-IP mapping from pxGrid, you can code firewall rules using AD users and groups. Once traffic matches the identity rule, it looks up to see if it matches the identity conditions, and the access rule can be coded to allow or deny that traffic.

Obviously, as always, it is better to plan the resources needed appropriately, and whether a separate ISE-PIC node needs to be deployed or not.
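To make the mechanism mohanB describes concrete, here is an added, simplified model (not Cisco's code, not the pxGrid or FMC implementation) of the two halves: a passive-identity session table that turns logon events into a user-to-IP mapping, and an ordered access policy that matches on AD group membership. The logon events, group memberships, IP addresses and rule names are all constructed for the example. The point a practitioner should take from it is the edge case the thread is circling: a passive mapping goes stale, and an IP can be re-bound to a different user, so the table ages entries out and an unmapped source never satisfies an identity condition.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed AD group membership, as an FMC realm download would expose it.
AD_GROUPS = {
    "CORP\\alice": {"CORP\\Domain Users", "CORP\\Finance"},
    "CORP\\bob": {"CORP\\Domain Users", "CORP\\Contractors"},
}

# Constructed logon events in the shape a passive-identity collector (e.g. one
# reading DC security logs over WMI) would yield: (timestamp, user, client IP).
LOGON_EVENTS = [
    ("2024-05-01T08:00:00", "CORP\\alice", "10.1.1.10"),
    ("2024-05-01T08:05:00", "CORP\\bob", "10.1.1.20"),
    ("2024-05-01T12:30:00", "CORP\\bob", "10.1.1.10"),  # IP re-used by bob later in the day
]

SESSION_TTL = timedelta(hours=8)  # assumed aging interval for a learned mapping


@dataclass
class SessionTable:
    """IP -> (user, last_seen). Stands in for the user-to-IP mapping ISE-PIC builds."""
    ttl: timedelta = SESSION_TTL
    _by_ip: dict = field(default_factory=dict)

    def learn(self, ts: datetime, user: str, ip: str) -> None:
        # Newest logon wins: a later logon from another user replaces the binding.
        self._by_ip[ip] = (user, ts)

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.ttl:
            # Stale mapping: forget it rather than trust an old binding.
            del self._by_ip[ip]
            return None
        return user


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    groups: set                 # AD groups that satisfy the identity condition; empty = any
    dst_port: Optional[int] = None


def matches(rule: Rule, user: Optional[str], dst_port: int) -> bool:
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    if not rule.groups:
        return True
    if user is None:
        return False            # unknown source never satisfies an identity condition
    return bool(AD_GROUPS.get(user, set()) & rule.groups)


# Constructed ordered policy: first match wins, like an access control policy.
POLICY = [
    Rule("finance-to-erp", "allow", {"CORP\\Finance"}, 1433),
    Rule("contractors-no-erp", "deny", {"CORP\\Contractors"}, 1433),
    Rule("default-deny", "deny", set()),
]


def build_sessions(events=LOGON_EVENTS) -> SessionTable:
    table = SessionTable()
    for ts, user, ip in events:
        table.learn(datetime.fromisoformat(ts), user, ip)
    return table


def evaluate(sessions: SessionTable, src_ip: str, dst_port: int, now_iso: str) -> str:
    """Return 'action:rule' for the first rule matching the flow's resolved identity."""
    user = sessions.lookup(src_ip, datetime.fromisoformat(now_iso))
    for rule in POLICY:
        if matches(rule, user, dst_port):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit"


if __name__ == "__main__":
    table = build_sessions()
    for ip in ("10.1.1.10", "10.1.1.20", "10.1.1.99"):
        print(ip, evaluate(table, ip, 1433, "2024-05-01T13:00:00"))
```

Run as-is it evaluates three sources against the policy at 13:00. The interesting cases are `10.1.1.10`, which is allowed while alice's binding is current but denied once bob's later logon replaces it, and any address with no mapping at all, which falls through to the default rule because an identity condition is never satisfied by an unknown user. A real deployment also needs logoff and session-end signals, not just a TTL, which is why the thread asks whether ISE actually sees every session.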


Peter Koltl
Rising star

Is ISE aware of all user sessions' IP addresses? (e.g. by means of 802.1X) If not, FMC should query the AD and use AD directly as the identity source. Thus, pxGrid may not be necessary between ISE and FMC.

Hello Peter,

How can I validate the below? I know that the ISE I am using is used for one existing VPN as an identity source (i.e. FMC; FMC is the manager for the VPN firewall).

"Is ISE aware of all user sessions' IP addresses?"

hslai
Cisco Employee

I think mohanB is correct. That is, ISE can learn the users' IP addresses passively through the Passive Identity service.
