Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
333
Views
0
Helpful
1
Replies

ISE-PIC support for multiple tenants with FMC

dadelima
Cisco Employee
Cisco Employee

‎06-13-2018 06:03 AM

Hi Team,

I have multiple tenants (government agencies) that are managed by a single FMC (and multiple FTD instances per tenant).  Each tenant has overlapping addressing and NAT is used heavily to present FMC with unique address space as well as for routing their traffic up to a shared Internet Gateway.

There is a requirement to use identity-based AC policy rules in FMC/FTD.

What is the best way to provide user/IP mappings via ISE-PIC??

Can a single ISE-PIC support AD Forest/Domain connections to multiple tenants??

How would ISE-PIC present the IP mappings?? (ie would it be the original un-NAT'd IP??).  If so, how does FMC interpret the potentially overlapping user/IP mappings from ISE-PIC if mapped to a single realm thats mapped to a single identity policy to a single AC policy??

Thanks and kind regards,


Dave.

0 Helpful
1 Reply 1

Nidhi
Cisco Employee
Cisco Employee

‎06-13-2018 08:24 AM

Hello Dave,

ISE-PIC supports 100 DC today. FMC gets to know about the group mapping learnt from AD.

you can verify in ISE under live sessions and check  the  IP mapping which is sent to FMC via PxGrid.

Please find more details from the link here- https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210522-Configure-ISE-2-2-PIC-with-Active…

Thanks,

Nidhi

0 Helpful
Customers Also Viewed These Support Documents