I'm running ISE 2.0-306 and FMC 6.0.1-1214 which I have the set up in the lab for customer PoV.
Test case 1: User visibility and access control for 802.1x users (PASSED)
- FMC connected to ISE via pxGrid successfully
- Passive Auth was enabled on FMC
- 802.1x authenticated users information were displayed on FMC connection event table (This shows that pxGrid is working)
- FMC successfully blocked user access based on AD group.
Test case 2: User visibility and access control for non-802.1x users using ID Mapping (FAILED)
- FMC connected to ISE via pxGrid successfully
- -Passive Auth was enabled on FMC
- Users logon to AD (non-802.1x) and I could see an ID Mapping event captured on ISE Radius Live session window.
- However, no user information were displayed on FMC connection event table even though pxGrid was working
- FMC failed to block user access based on AD group.
I read from the user guide that AD login information can be shared by ISE ID Mapping module to FMC (pxGrid subscriber) via pxGrid:
"The Identity Mapping component retrieves the user logins from the Domain Controller and imports them into the Cisco ISE session directory. So users authenticated with Active Directory (AD) are shown in the Cisco ISE live sessions view, and can be queried from the session directory using Cisco pxGrid interface by third-party applications. The known information is the user name, IP address, and the AD DC host name and the AD DC NetBios name. The Cisco ISE plays only a passive role and does not perform the authentication. When Identity Mapping is active, Cisco ISE collects the login information from the AD and includes the data into the session directory.”
A couple of questions here,
1) Are there any command on ISE allow us to check via the User-to-IP mapping table?
2) How do we verify that User-to-IP mapping table on ISE shared with FMC?
3) How frequent FMC pulls from ISE or ISE push session directory information to FMC?
Are we missing anything from configuration wise?
How do we troubleshoot from here?
Regards, CK
