I need some suggestions / guidelines regarding one of my queries, as below.
My client wants to use Cisco ISE as the identity provider for some local firewalls (FMC) to allow AD-based rules for the firewalls managed by FMC. What do I need to configure for this to happen? Can you suggest?
Currently there is an AD connection with ISE for other solutions (AnyConnect), but the firewalls they are trying to use have no relation with ISE from any solution perspective. For those firewalls they just want to use ISE as the identity provider so that they can use AD-based rules at those firewalls.
Recently had to do this. In brief, you can use ISE-PIC (it can be a separate node or can be enabled on an existing node as a persona), which basically is an identity source; on the backend it can integrate with ADs using WMI (a few other methods are out there as well) to receive user login information, which it then uses to build a user ID to IP address mapping. This information can then be passed to FMC using the pxGrid protocol. Once you have the FMC configured with realms and can download users and groups, and have the user-IP mapping from pxGrid, you can code firewall rules using AD users and groups. Once traffic matches the identity rule, it looks up whether it matches the identity conditions, and the access rule can be coded to allow or deny that traffic.
Obviously, as always, it is better to plan the resources needed appropriately and decide whether a separate ISE-PIC node needs to be deployed or not.
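As an added illustration (not from the original thread or from any Cisco product code), the following Python sketch models the lookup chain the answer describes: a session table of user-to-IP bindings as ISE-PIC would publish over pxGrid, group membership as FMC downloads from the realm, and an access rule carrying identity conditions; all users, addresses and groups are constructed. It also covers the case where a source IP was never mapped by ISE, which can then satisfy no identity condition.

```python
"""Simulated identity-aware access rule evaluation (constructed example).
Models: ISE-PIC user->IP bindings (e.g. AD logon events via WMI) sent over
pxGrid, FMC realm group membership, and access rules with identity conditions.
Nothing here talks to ISE or FMC; all data below is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed pxGrid-style session table: source IP -> AD user (realm\user)
SESSIONS = {
    "10.1.20.15": "CORP\\alice",
    "10.1.20.22": "CORP\\bob",
}
# Constructed realm download: AD user -> set of AD groups
GROUPS = {
    "CORP\\alice": {"Finance", "Domain Users"},
    "CORP\\bob": {"Domain Users"},
}

@dataclass
class AccessRule:
    name: str
    action: str                                # "allow" or "deny"
    dst_net: str                               # destination network condition
    users: set = field(default_factory=set)    # identity condition: users
    groups: set = field(default_factory=set)   # identity condition: AD groups

def identify(src_ip: str) -> Optional[str]:
    """Return the AD user bound to src_ip, or None if ISE never saw a logon."""
    return SESSIONS.get(src_ip)

def matches_identity(rule: AccessRule, user: Optional[str]) -> bool:
    if not rule.users and not rule.groups:
        return True   # no identity condition: any source matches
    if user is None:
        return False  # an unmapped IP can never satisfy an identity condition
    return user in rule.users or bool(GROUPS.get(user, set()) & rule.groups)

def evaluate(rules, src_ip: str, dst_ip: str, default: str = "deny"):
    """First-match evaluation; returns (rule name, action)."""
    user = identify(src_ip)
    for r in rules:
        if ip_address(dst_ip) in ip_network(r.dst_net) and matches_identity(r, user):
            return r.name, r.action
    return "default", default

RULES = [
    AccessRule("Finance-to-ERP", "allow", "10.50.0.0/24", groups={"Finance"}),
    AccessRule("Block-ERP", "deny", "10.50.0.0/24"),
]
```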
Is ISE aware of all user sessions' IP addresses (e.g. by means of 802.1X)? If not, FMC should query the AD and use AD directly as the identity source. Thus, pxGrid may not be necessary between ISE and FMC.