Integration of ISE,AD and FMC using Passive Identity

umahar
Cisco Employee

Hi experts,

We have a customer who wants to create rules based on username on FMC and wants to explore PxGrid and Passive Identity.

My understanding is we integrate ISE and FMC using pxGrid and then integrate ISE and AD using passive identity.

We then have a combination of below scenarios and I have some questions. Appreciate your comments on the below possible use cases. Based on your feedback I'll test it in our lab.

1. Endpoints authenticating without 802.1X :- ISE will be able to publish the usernames of endpoints connecting to FMC by fetching the information from AD via passive identity integration.

2. Endpoints authenticating with EAP-TLS :- ISE will be able to publish the username to FMC using the same above process.

3. Endpoints authenticating with machine authentication PEAP-MSCHAPv2 :- Endpoints will authenticate using 802.1X via machine credentials. ISE will fetch the username from AD via passive identity. Should we expect any conflict if 802.1X and passive identity co-exist?

4. Endpoints authenticating with user authentication PEAP-MSCHAPv2 :- Are there different attributes for the username received from dot1x and from passive identity? Should we expect any conflict?



Is it also a good idea to completely isolate the passive identity functionality by exploring an ISE-PIC node?





Accepted Solution

Timothy Abbott
Cisco Employee

All 4 scenarios you describe are active authentications and do not require passive ID to be enabled.  ISE will publish the username to the session directory topic in pxGrid.  FMC can subscribe to this topic to get the user to IP mapping and then enforce policy.  Passive ID is ideally used in scenarios when 802.1X is not in use and we need to rely on AD to get the user to IP mapping.  Since ISE is the authentication server in your scenarios, it will have that information and will only need AD to ensure the credentials (username / pass) are valid.

Regards,

-Tim


4 Replies

kvenkata1
Cisco Employee

Not sure if you have seen this post.

FMC and ISE integration for passive authentication


Please confirm whether your use cases are covered by the integration guides.


- Krish


Thank you all for your responses.

Below are my observations when I tried to use machine auth with passive identity.

I see two events on pxGrid with the same session id.

The first session is via machine authentication and the second is via WMI.

When I look at the identity endpoint under context visibility I only see the machine name.

However I see the username via passive identity in live logs.

hslai
Cisco Employee

FMC uses info derived from the ISE session directory, not from ISE Context Visibility.

FMC needs username + domain to use the user identity, and it overwrites the previous info if newer info is received about the IP.

Please note a known issue -- CSCvk13999
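To make the behaviour described in the accepted answer and in hslai's note concrete, here is an added Python model of a session-directory subscriber (such as FMC) maintaining a user-to-IP map from ISE session events. This is an illustration written for this thread, not the page's code and not Cisco's pxGrid client or FMC. It applies the two rules stated above (an identity is only usable with username + domain, and the newest event for an IP overwrites the previous one) plus one assumption of the example: a machine-auth username (host/... or ...$) is treated as a computer account rather than a user identity, which is why the machine-auth event and the later WMI event with the same session id do not conflict. All field names, event values and IP addresses are constructed for the example.

```python
"""Model of a pxGrid session-directory consumer building a user-to-IP map.

Added illustration; not Cisco's pxGrid API or FMC code. Field names and
sample events are constructed to mirror the scenarios in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionEvent:
    session_id: str          # same id may appear on several events (constructed)
    ip: str                  # endpoint IP the identity is bound to
    user_name: str           # "alice" or a machine account such as "host/PC01"
    ad_domain: Optional[str] # domain learned from AD; None if the event lacks it
    provider: str            # constructed label: "802.1X" or "WMI" (passive ID)
    timestamp: int           # epoch seconds; newer wins per IP


def is_machine_account(user_name: str) -> bool:
    """Assumption of this example: machine auth yields a computer account,
    not a user identity, so it must not populate the user-to-IP map."""
    return user_name.startswith("host/") or user_name.endswith("$")


class UserIpMap:
    """user-to-IP map with FMC-like merge rules from the thread."""

    def __init__(self) -> None:
        # ip -> (DOMAIN\user, provider, timestamp)
        self.by_ip: Dict[str, Tuple[str, str, int]] = {}

    def apply(self, ev: SessionEvent) -> Optional[str]:
        """Apply one event; return the identity stored, or None if ignored."""
        # Rule from hslai: username + domain are both required.
        if not ev.user_name or not ev.ad_domain:
            return None
        # Example assumption: computer accounts carry no user identity.
        if is_machine_account(ev.user_name):
            return None
        current = self.by_ip.get(ev.ip)
        # Rule from hslai: only a newer event overwrites the stored info.
        if current is not None and current[2] > ev.timestamp:
            return None
        identity = f"{ev.ad_domain}\\{ev.user_name}"
        self.by_ip[ev.ip] = (identity, ev.provider, ev.timestamp)
        return identity

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.by_ip.get(ip)
        return entry[0] if entry else None


# Constructed sample events reproducing the observation in the thread:
# one session id, first seen via machine auth, then via WMI (passive ID).
SAMPLE_EVENTS: List[SessionEvent] = [
    SessionEvent("s1", "10.1.1.10", "host/PC01", "EXAMPLE", "802.1X", 100),
    SessionEvent("s1", "10.1.1.10", "alice", "EXAMPLE", "WMI", 105),
    # Older event for the same IP arriving late: must not overwrite alice.
    SessionEvent("s2", "10.1.1.10", "bob", "EXAMPLE", "802.1X", 103),
    # Event without a domain: unusable as a user identity.
    SessionEvent("s3", "10.1.1.11", "carol", None, "WMI", 110),
]


def build_mapping(events: List[SessionEvent]) -> Dict[str, str]:
    """Replay events in arrival order and return ip -> DOMAIN\\user."""
    m = UserIpMap()
    for ev in events:
        m.apply(ev)
    return {ip: entry[0] for ip, entry in m.by_ip.items()}


if __name__ == "__main__":
    for ip, ident in build_mapping(SAMPLE_EVENTS).items():
        print(ip, "->", ident)
```

Replaying the sample events yields a single entry, 10.1.1.10 -> EXAMPLE\alice: the machine-auth event is skipped, the WMI event for the same session id supplies the user, the late-arriving older event is discarded, and the domain-less event is never stored. Swapping the order of the first two events, or removing the domain from the WMI event, shows the failure modes hslai points to.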