06-18-2018 05:39 AM - edited 02-21-2020 10:58 AM
Hello everyone,
I'm working to have FMC user authentication through Cisco ISE (with AD), but I cannot find proper documentation, just some old stuff like https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html .
Does anyone have a proper example of how this must be done?
ISE is on version 2.2 (already integrated with AD), FMC on 6.2.3.1.
Thank you!
Best regards.
11-15-2019 12:14 PM
Hello, I was just wondering if you ever got your "authentication is successful, but the user role assignment is NOT working" working. I can get full access to work but I am trying to get a read-only one working. Seems like they are all logging in as administrators. Thanks!
11-17-2019 09:55 AM
11-18-2019 08:50 AM
Yes, you are correct, my default is admin. I have not created access profiles in ISE. I will try that. Thanks for the reply and help.
11-18-2019 09:07 AM
So I have this as my authorization result and still not working. Is there something else I need to do? Thanks again for the help!
11-19-2019 04:36 AM
11-21-2019 12:08 PM
Thanks for the follow-up and help. I am getting closer but not quite there.
So these are my ISE authorization profiles in ISE.
Created these users on the FMC
Do I set these custom roles as default users or something else? Didn't seem to work as expected but wondering if I can get your help?
Thanks in advance
12-02-2019 01:22 PM
@4qbuddy Wondering if you can help me with this last step so I can cross this off my to-do list? Thanks in advance.
12-03-2019 04:35 AM
I see what you have done. You have created custom user roles on FMC. This is like creating another user on ISE for logging in to the GUI – it's only controlled by ISE and not by an external authority like AD, if that makes sense?
Rather than create usernames for the ISE roles being passed, tick the checkboxes for “Administrator” and “Security Analyst (Read Only)” that are on your bottom picture. It's a different layout than mine, but I would imagine that a box appears where you can add “Class = Cisco_FMC_Admin” and “Class = Cisco_FMC_ReadOnly”.
Try it out, let me know
12-03-2019 02:17 PM - edited 12-03-2019 02:18 PM
I got this working today and want to put an update on here to maybe help others.
Create your authorization profile in ISE
Then on FMC side, go to users, external authentication, and add the following.
Now any user part of that AD group will have Admin access. At the bottom, I changed my default user role to read-only. You could create more ISE authorization profiles as needed if you have more roles. Hope this helps!
Thanks for your help also @4qbuddy
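Added example, not code from the thread or from Cisco: a small model of how the role mapping above behaves, i.e. FMC matching the RADIUS Class value(s) returned by the ISE authorization profile against the per-role "Class = ..." entries and falling back to the configured default role when nothing matches. The Class values and role names are the ones from the thread; the parsing, the mapping structure and the "first configured role wins" tie-break are assumptions made for illustration.

```python
from typing import List, Tuple

# Assumed shape of the FMC External Authentication mapping:
# FMC role -> Class value that must appear in the RADIUS Access-Accept.
FMC_ROLE_MAPPING = {
    "Administrator": "Cisco_FMC_Admin",
    "Security Analyst (Read Only)": "Cisco_FMC_ReadOnly",
}


def parse_radius_attributes(reply_text: str) -> List[Tuple[str, str]]:
    """Parse 'Name = Value' lines (the notation used in the ISE authorization
    profile) into (name, value) pairs. RADIUS allows an attribute such as
    Class to be sent more than once, so every occurrence is kept."""
    attrs = []
    for line in reply_text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        attrs.append((name, value))
    return attrs


def resolve_fmc_role(reply_text: str, default_role: str) -> str:
    """Return the FMC role granted for one RADIUS reply: the first configured
    role whose Class value is present, otherwise the FMC default role.
    (Tie-break order is an assumption, not documented FMC behaviour.)"""
    classes = {v for n, v in parse_radius_attributes(reply_text) if n == "Class"}
    for role, required_class in FMC_ROLE_MAPPING.items():
        if required_class in classes:
            return role
    return default_role


# Constructed sample replies, as an ISE authorization profile would send them.
ADMIN_REPLY = "Class = Cisco_FMC_Admin"
READONLY_REPLY = "Class = Cisco_FMC_ReadOnly"
NO_CLASS_REPLY = "Framed-Protocol = PPP"  # profile that sets no FMC Class


if __name__ == "__main__":
    # With default role Administrator, a reply with no matching Class still
    # yields Administrator: the "everyone logs in as admin" symptom above.
    for reply in (ADMIN_REPLY, READONLY_REPLY, NO_CLASS_REPLY):
        print(repr(reply), "->", resolve_fmc_role(reply, "Administrator"))
    # Changing the default to read-only makes the no-match case safe.
    print(repr(NO_CLASS_REPLY), "->",
          resolve_fmc_role(NO_CLASS_REPLY, "Security Analyst (Read Only)"))
```

Running it shows why a permissive default role masks a mapping that is not matching: a reply without the expected Class value silently gets the default.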