ISE EAP-TLS identities send over PxGrid as user

Ezequ!el · ‎12-15-2023

Hi!

We are using ISE to authenticate computers connecting to our LAN using EAP-TLS and share those authenticated identities over PxGrid with 3rd party products.

The problem we are hitting is PxGrid shares those identities as user identities and not as machine identities. Is there any way to influence that?

This is working fine on MAB authenticated computers, as their identities are shared by the PxGrid as machine identity.

Thanks in advance.

ammahend · ‎12-15-2023

can you share a live log detail for your EAP-TLS successful authentication

-hope this helps-

Uli1412 · ‎12-22-2023

Hi,

I am Ezequiel's colleague. All of our clients have these problems.

I hope you mean the following:

Authentication Details

Source Timestamp	2023-12-22 02:26:03.652
Received Timestamp	2023-12-22 02:26:03.652
Policy Server	cisco-ise
Event	5200 Authentication succeeded
Username	pc.local.domain
Endpoint Id	99:62:26:BF:99:D3
Calling Station Id	45-32-99-AD-99-D3
Endpoint Profile	HP-Device
IPv4 Address	10.98.98.98
IPv6 Address	xxxx
Identity Group	Profiled
Audit Session Id	5EA772359700991A8F32A868
Authentication Method	dot1x
Authentication Protocol	EAP-TLS
Service Type	Framed
Network Device	switch123.local.domain
Device Type	All Device Types#SDA
Location	All Locations#GER
NAS IPv4 Address	10.99.99.99
NAS Port Id	GigabitEthernet1/0/1
NAS Port Type	Ethernet
Authorization Profile	Result_SGT123
Security Group	SGT123
Response Time	11 milliseconds

Many thanks and best regards

Uli

hslai · ‎12-28-2023

@Ezequ!el and @Uli1412 The session info sent from ISE via pxGrid does indicate whether the auth sessions resulted from computer/machine auth. Until Firepower able to consume such correctly, please separate the ISE deployments if possible.

Uli1412 · ‎01-10-2024

Hello @hslai

Thanks for your answer!

What do you mean by "seperate the ISE deployments"?