Machine name overriding user name in ISE to FMC pxGrid communication

RomanMikes95774
Level 1

Folks,

we use ISE PassiveID identity sharing from ISE to FMC for user-to-IP-address resolution via pxGrid. There is also machine dot1x authentication using the same ISE as RADIUS/AAA.

It happens that the username-to-IP-address event from ISE PassiveID is sometimes overridden by a subsequent machinename-to-IP event coming from an ISE RADIUS session, e.g. originated from RADIUS accounting. As FMC uses the last logon event as the most and only relevant one, the user is overwritten with the machine name for the given IP/host.

Any solution thoughts how to configure / filter what types of information to send from ISE to FMC?

I know about ISE network filter in FMC - not usable for this.

I know about filter in ISE PassiveID - not usable for this.

User and machine logon events come from different ISE sources - PassiveID vs. RADIUS session.

Versions: FMC 7.0.4, ISE 3.1

Regards

Roman
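To make the behaviour Roman describes concrete, here is an added example (not code from the post, Cisco ISE or FMC) that replays a constructed sequence of ISE-to-FMC identity events, applies the "last logon per IP wins" rule, and flags IPs where a RADIUS machine-account session replaced a PassiveID user identity, so an operator can audit how often user-to-IP mappings get poisoned. It assumes machine accounts appear in sAMAccountName form (trailing `$`); the event format, timestamps and usernames are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdentityEvent:
    ts: int          # seconds since epoch (constructed sample clock)
    source: str      # "PassiveID" or "RADIUS"
    username: str
    ip: str

def is_machine_account(username: str) -> bool:
    # Assumption: AD machine accounts arrive in sAMAccountName form, ending in '$'.
    return username.strip().endswith("$")

def latest_identity(events):
    """Map ip -> most recent event; the 'last logon wins' rule the post describes."""
    current = {}
    for ev in sorted(events, key=lambda e: e.ts):
        current[ev.ip] = ev
    return current

def find_overrides(events):
    """Return (ip, user_event, machine_event) triples where a RADIUS machine
    logon replaced an earlier PassiveID user logon on the same IP."""
    overrides, last = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.ip)
        if (prev is not None and prev.source == "PassiveID"
                and not is_machine_account(prev.username)
                and ev.source == "RADIUS" and is_machine_account(ev.username)):
            overrides.append((ev.ip, prev, ev))
        last[ev.ip] = ev
    return overrides

# Constructed sample feed: machine dot1x session, user logon via PassiveID, then a
# machine RADIUS accounting update 30 minutes later on the same IP; 10.0.0.6 is clean.
SAMPLE_EVENTS = [
    IdentityEvent(1000, "RADIUS", "PC01$", "10.0.0.5"),
    IdentityEvent(1100, "PassiveID", "alice", "10.0.0.5"),
    IdentityEvent(1100 + 30 * 60, "RADIUS", "PC01$", "10.0.0.5"),
    IdentityEvent(1200, "PassiveID", "bob", "10.0.0.6"),
]

if __name__ == "__main__":
    for ip, user, machine in find_overrides(SAMPLE_EVENTS):
        print(f"{ip}: user '{user.username}' replaced by machine '{machine.username}' "
              f"after {machine.ts - user.ts}s")
```

Running this against an export of the real pxGrid identity feed gives a count of affected hosts, which is the evidence to attach when raising the case with Cisco.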

1 Accepted Solution

Accepted Solutions

Rodrigo Diaz
Cisco Employee

Hello @RomanMikes95774, it would appear that you are facing a limitation on the part of FMC. Please check out this defect link: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd73842 . You might try to implement the workaround that is within that bug, or have different environments, one dedicated merely to RADIUS ISE and another to PassiveID exclusively.

Let me know if that helped. 

2 Replies


Diaz,

thanks for the reply. I understand the behaviour of FMC user sessions. However, I am still missing 2 points:

1. The machine name detection happens 30 minutes after the dot1x session has been established. It most likely comes from a RADIUS accounting message. However, the switch has a default setup of 2880 minutes for periodic accounting updates. What causes generation of the accounting message 30 minutes after Access-Accept?

2. Other username PassiveID events are received by ISE some minutes after the machine RADIUS accounting. But they are not propagated further to FMC and are not overriding the machine name in the FMC user session as I would have expected. It seems ISE (or FMC) interprets the following username PassiveID events with the same username as updates and not as new logon events.

Any thoughts?

Regards

Roman