06-08-2021 08:50 AM
Hello,
I need some suggestions / guidelines regarding one of my queries, as below.
My client wants to use Cisco ISE as the identity provider for some local firewalls (managed by FMC) to allow AD-based rules on the firewalls managed by FMC. What do I need to configure for this to happen? Can you suggest?
Currently there is an AD connection with ISE for other solutions (AnyConnect), but the firewalls they are trying to use have no relation with ISE from any solution perspective. For those firewalls they just want to use ISE as the identity provider so that they can use AD-based rules on those firewalls.
06-08-2021 12:43 PM
Recently had to do this. In brief, you can use ISE-PIC (it can be a separate node or can be enabled on an existing node as a persona), which is basically an identity source; on the backend it can integrate with AD using WMI (a few other methods are out there as well) to receive user login information, which it can then use to build a user ID to IP address mapping. This information can then be passed to FMC using the pxGrid protocol. Once you have the FMC configured with realms and can download users and groups, and have the user-IP mapping from pxGrid, you can code firewall rules using AD users and groups. Once traffic matches the identity rule, it looks up whether it matches the identity conditions, and the access rule can be coded to allow or deny that traffic.
Obviously, as always, it is better to plan the resources needed appropriately and decide whether a separate ISE-PIC node needs to be deployed or not.
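The user-to-IP mapping and identity-rule lookup described above, as an added illustrative model (not ISE, FMC or pxGrid code): constructed AD group data and rules, a mapping store that expires stale sessions and handles IP reuse, and an evaluation that treats flows with no mapping as unknown identity, which is the case Peter's later question is about.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, List

# Constructed sample data: a realm download (user -> AD groups) as FMC would hold it.
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Finance", "Domain Users"},
    "bob": {"Engineering", "Domain Users"},
}

# Constructed identity rules in evaluation order: (AD group or "UNKNOWN", action).
RULES: List[Tuple[str, str]] = [
    ("Finance", "allow"),
    ("UNKNOWN", "deny"),      # traffic with no user-to-IP mapping is not trusted
    ("Engineering", "deny"),
]

@dataclass
class PassiveIdentityStore:
    """Model of the user-to-IP mapping ISE-PIC builds from AD login events
    and publishes over pxGrid (constructed model, not the ISE or FMC API)."""
    ttl: float = 3600.0                               # seconds a mapping stays valid
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # ip -> (user, seen)

    def login(self, user: str, ip: str, now: float) -> None:
        # A new login on a reused IP replaces the previous mapping.
        self.sessions[ip] = (user, now)

    def logout(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def user_for(self, ip: str, now: float) -> Optional[str]:
        entry = self.sessions.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.ttl:                     # stale mapping: treat as unknown
            del self.sessions[ip]
            return None
        return user

def evaluate(store: PassiveIdentityStore, src_ip: str, now: float) -> str:
    """Apply RULES to a flow from src_ip; default deny when nothing matches."""
    user = store.user_for(src_ip, now)
    groups = AD_GROUPS.get(user, set()) if user else set()
    for group, action in RULES:
        if (group == "UNKNOWN" and user is None) or group in groups:
            return action
    return "deny"
```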
06-10-2021 02:03 PM
Is ISE aware of all user sessions' IP addresses (e.g. by means of 802.1X)? If not, FMC should query the AD and use AD directly as the identity source. Thus, pxGrid may not be necessary between ISE and FMC.
06-10-2021 02:55 PM
Hello Peter,
How can I validate the below? I know that the ISE I am using is used for one existing VPN as an identity source (i.e. FMC; FMC is the manager for the VPN firewall).
"Is ISE aware of all user sessions' IP addresses?"
06-13-2021 06:07 PM
I think mohanB is correct. That is, ISE can learn the users' IP addresses passively through the Passive Identity service.