ISE cannot sent TS port range to FMC

csco11552159
Level 5

I got the TS agent working with ISE 2.2.

On ISE 2.2, I can see the User ID, IP and port range mapping in the live session table.

sl.JPG

But on FMC, it doesn't show this information.

slfmc.JPG

If I use the TS agent to send directly to FMC, it will work.

Is this some kind of bug between ISE and FMC?

Because the TS agent only allows sending mappings to 2 servers, if we need to see all user identity information on ISE and also have it work on FMC, we have to send to both ISE and FMC, and we will lose redundancy.

It doesn't make sense.

Accepted Solution

jeppich
Cisco Employee

Hey Chao,

Hsing-Tsu is correct, this is expected behavior. Please see: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/user_identity_sources.html

"If the TS Agent monitors the same users as another passive authentication identity source (the User Agent or ISE), the Firepower Management Center prioritizes the TS Agent data. If the TS Agent and a passive identity source report activity by the same IP address, only the TS Agent data is logged to the Firepower Management Center"

Thanks,

John

jeppich@cisco.com


7 Replies

hslai
Cisco Employee

I think it might be expected at present. I will check with our teams.

Thank you.

And on FMC, this way will only keep the last user login.

Some info from our PM indicated that our teams are still working on this to make it more consumable.
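To make the two points in this thread concrete, the accepted answer's precedence rule (TS Agent data wins over a passive source such as ISE for the same IP) and Hsing-Tsu's remark that the ISE route keeps only the last login per IP, here is a small Python model. It is an added example written for this page, not Cisco code and not how FMC is implemented internally; the IPs, user names and port ranges are constructed, and treating "TS Agent reported this IP but no user owns this port" as unknown rather than falling back to ISE is this model's reading of the quoted sentence, not something the documentation states outright.

```python
"""Model of identity-source precedence as described in the thread.

Constructed example, not Cisco code. It models (1) the documented FMC rule
that TS Agent data wins over a passive source (ISE/pxGrid) for the same IP
and (2) the lossy case where a per-IP passive mapping keeps only the last
login on a shared terminal server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TsMapping:
    """One TS Agent record: a user owns a source-port range on a shared IP."""
    ip: str
    port_start: int
    port_end: int
    user: str

    def covers(self, ip: str, port: int) -> bool:
        return ip == self.ip and self.port_start <= port <= self.port_end


def passive_ip_table(logins: List[Tuple[str, str]]) -> Dict[str, str]:
    """Passive IP->user mapping (ISE-style, one user per IP): a later login
    for the same IP overwrites the earlier one, so a shared terminal server
    IP ends up attributed to whoever logged in last."""
    table: Dict[str, str] = {}
    for ip, user in logins:
        table[ip] = user
    return table


def resolve_user(src_ip: str, src_port: int,
                 ts: List[TsMapping], passive: Dict[str, str]) -> Optional[str]:
    """Attribute a flow to a user using the precedence quoted in the thread:
    if the TS Agent reports the source IP at all, only TS Agent data is
    consulted; the passive source is used only for IPs the TS Agent never
    reported."""
    ts_for_ip = [m for m in ts if m.ip == src_ip]
    if ts_for_ip:
        for m in ts_for_ip:
            if m.covers(src_ip, src_port):
                return m.user
        # Assumption of this model: the TS Agent knows the host but no user
        # owns this port, so the flow stays unattributed instead of falling
        # back to the (possibly wrong) passive mapping.
        return None
    return passive.get(src_ip)


# --- constructed sample data (IPs, users and port ranges are made up) ----
TS_HOST = "10.10.0.50"   # terminal server shared by several users
TS_MAPPINGS = [
    TsMapping(TS_HOST, 20000, 20999, "alice"),
    TsMapping(TS_HOST, 21000, 21999, "bob"),
]
LOGINS = [
    (TS_HOST, "alice"),      # alice logged in first
    (TS_HOST, "bob"),        # bob logged in later and overwrites alice
    ("10.20.0.7", "carol"),  # ordinary workstation, passive source only
]


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios from the thread and return who each flow maps to."""
    passive = passive_ip_table(LOGINS)
    return {
        # TS Agent -> FMC: alice's flow is attributed by port range
        "alice_flow_with_ts": resolve_user(TS_HOST, 20123, TS_MAPPINGS, passive),
        # ISE-only route: the per-IP table has lost alice, bob gets the blame
        "alice_flow_ise_only": resolve_user(TS_HOST, 20123, [], passive),
        "bob_flow_with_ts": resolve_user(TS_HOST, 21500, TS_MAPPINGS, passive),
        # TS Agent reported the host, but nobody owns this port
        "unassigned_port_with_ts": resolve_user(TS_HOST, 40000, TS_MAPPINGS, passive),
        # a host the TS Agent never reported still resolves through ISE
        "workstation": resolve_user("10.20.0.7", 51234, TS_MAPPINGS, passive),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: {user}")
```

The "alice_flow_ise_only" case is the one that matters for policy: with only a per-IP passive mapping, every flow from the terminal server is attributed to the last user who logged in, so identity-based access rules would apply bob's permissions to alice's traffic. That is why the port-range mapping has to reach FMC from the TS Agent itself until the ISE/pxGrid path carries it.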


Hi John & Hsing-Tsu,

So in order for FMC to have the correct User ID, port and IP mapping, the TS-Agent has to send directly to FMC? Like this:

TS-Agent--->FMC

ISE---(pxgrid)--->FMC

The way we are trying to do it is:

TS-Agent--->ISE ----(pxgrid)--->FMC.

We can use the TS-Agent to send the mapping to ISE; then we should easily be able to send all ID mappings to FMC via pxGrid, including regular mappings and TS port mappings. This makes more sense.

Will this way work?

Unfortunately it's not quite there yet.

I would suggest you use TS-Agent => FMC for now, while the solution is still being evolved and developed for the other route.

Thank you.

I will send to FMC for now. Hopefully some changes are coming soon.