ISE PxGrid with FMC access policy

manvik
Level 3
I have integrated Cisco ISE pxGrid with Cisco FMC. Now, how do I send a few IP/MAC addresses from Cisco ISE RADIUS authentications to FMC so that the FTD firewall will permit only those IPs in the access policy?
9 Replies

@manvik if you have integrated ISE with FMC via pxGrid, dynamic bindings should already be sent. Is that integration working correctly?

Can you run the command adi_cli session from CLI of the FMC, which will display the user/IP bindings sent from ISE to the FMC and confirm they have been received.

Integration is working correctly. I can see FMC in ISE Administration > PxGrid > Client management with an Enabled status.

The setup is still moving to production, so there's no traffic yet coming to FTD/FMC. How do we ensure the configuration is correct?
I have created an access policy in FTD calling the SGT created in ISE, in the FMC source network (in the access policy).

@manvik you'd need to authenticate devices to the network, ISE will then dynamically send the bindings to the FMC, that command above would show the bindings when they've been sent. If the solution is still in dev and no users have been authenticated by ISE, then there would be no bindings.

From the FMC you could run the command cat /var/sf/run/adi-health, which will provide information on the state of the configuration (up or down), but there still won't be any bindings.


manvik
Level 3

What's confusing me is how FMC will extract the user system IP from the SGT info sent by ISE.
Attached is the result of cat /var/sf/run/adi-health.

adi-ISE-pxgrid.jpg

@manvik for each endpoint authenticated by ISE, it will send the user/IP/SGT bindings to the FMC. These bindings are stored in a database and forwarded to the FTDs. If you have no active user sessions authenticated by ISE, there will be no mappings in the database. Connect a test device to the network, authenticate it and use the command provided above to confirm an entry is received by the FMC/FTD. More verification commands to use here.

I connected a few RADIUS devices and the command "adi_cli session" shows the attached screenshot results. There are two IPs in the result, which should be the NAD switch and the endpoint laptop. How would FMC apply the endpoint IP/MAC address alone from this result?
adi_session.jpg

@manvik the FTD would now have the IP/SGT binding, so in your Access Control Policy you create rules based on the SGT. When you test the rules, from the CLI of the FTD run the command system support firewall-engine-debug; this will confirm which rule you are matching and also confirm the SGT.
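To make the point of this reply concrete (an added illustration, not Cisco's code or anything taken from the FTD), the small simulation below shows how an SGT-based rule resolves to endpoint IPs only through the user/IP/SGT bindings ISE pushes. The binding table, IPs, user names and SGT names are all constructed sample values; the NAD switch IP appears only as plain traffic with no session binding, so it never matches an SGT rule.

```python
"""Added illustration (not Cisco's code): how an SGT-based access rule
resolves to IPs via the user/IP/SGT bindings ISE sends over pxGrid."""
from dataclasses import dataclass

# Constructed sample bindings, in the spirit of one entry per ISE-authenticated
# session (IP -> user, SGT). The NAD switch (10.1.20.1) has no session, so it
# has no entry here; that is exactly why it cannot match an SGT rule.
BINDINGS = {
    "10.1.20.15": {"user": "alice", "sgt": "Employees"},
    "10.1.20.16": {"user": "bob", "sgt": "Contractors"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "block"
    source_sgts: frozenset  # SGTs the rule references as its source


def sgt_for(ip, bindings=BINDINGS):
    """Return the SGT bound to a source IP, or None if ISE sent no binding."""
    entry = bindings.get(ip)
    return entry["sgt"] if entry else None


def evaluate(src_ip, rules, default_action="block", bindings=BINDINGS):
    """First rule whose source SGT set contains the SGT bound to src_ip.
    Unbound IPs (no ISE session) fall through to the policy default."""
    sgt = sgt_for(src_ip, bindings)
    for rule in rules:
        if sgt is not None and sgt in rule.source_sgts:
            return rule.name, rule.action
    return "default", default_action


def ips_matching(rule, bindings=BINDINGS):
    """The IPs a rule covers right now, derived purely from the bindings."""
    return sorted(ip for ip, b in bindings.items() if b["sgt"] in rule.source_sgts)


# Constructed policy: one rule permitting the Employees SGT, default block.
POLICY = [Rule("Permit-Employees", "allow", frozenset({"Employees"}))]

if __name__ == "__main__":
    for ip in ("10.1.20.15", "10.1.20.16", "10.1.20.1"):
        print(ip, evaluate(ip, POLICY))
    print("Permit-Employees currently covers:", ips_matching(POLICY[0]))
```

Re-running ips_matching after adding or removing a binding shows why the rule needs no IP list of its own: the covered IPs change with ISE sessions, not with the policy.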

Thank you. Is there any way to see the FTD access policy action or the IPs that are included in the SGT without any client traffic reaching FTD? Currently FTD is in an isolated network, not moved to the live network.
I wanted to make sure the config works before moving to the live network.

@manvik

If you can see the SGTs from the FMC GUI and reference them in the Access Control rule, then you know that functionality is working. You can run the command show access-control-config from the CLI of the FTD, which will show you the deployed Access Control rule configuration, including the SGT referenced in the rule.

You can check the Snort user_identity file to confirm the IP/SGT mappings:

  • Use the following command to send a query to Snort: > system support firewall-engine-dump-user-identity-data
  • Enter expert mode, run the command expert
  • Run the command cd /var/sf/detection_engines/<UID>/<instance>
  • Run the command sudo cat user_identity.dump