Migrating TEAP users from FMC-User Agent to Cisco ISE

Nikhil Jadhav
Level 1

Hello Everyone,

As Cisco has announced EOL for the FMC User Agent functionality for versions 6.6 and above, we are trying to migrate to Cisco ISE to capture user logon information. While reviewing the document Firepower Management Center Configuration Guide, Version 6.3 - Control Users with ISE/ISE-PIC [Cisco Secure Firewall Management Center] - Cisco,

there is a note which states that:

"The Firepower System does not parse IEEE 802.1x machine authentication but it does parse 802.1x user authentication. If you are using 802.1x with ISE, you must include user authentication. 802.1x machine authentication will not provide a user identity to the FMC that can be used in policy."

Currently we are using the TEAP method of authentication, which uses the user and machine identity in a single tunnel to authenticate the users. Will the User Agent migration to Cisco ISE work for our current scenario, given that, according to the above statement, the FMC only parses 802.1x user authentication and ignores machine authentication?

2 Replies

thomas
Cisco Employee

Hopefully it will work but hard to know exactly how the FMC parser works without testing it.

Did you ever find out?

~Saj~
Level 1

Hi Nikhil,

Just wondering whether machine auth is working in your setup.

Brief info on my setup:

  • Windows desktops authenticate to ISE using the device auth cert
  • Passive ID is used to get the user-to-IP mappings from AD
  • The same information is passed to the FMC through pxGrid

In the FMC, we can see the user-to-IP mapping for clients with device auth. However, an identity-based policy is not working for users with device auth.

  1. Why can the FMC not execute an identity-based rule when the user-to-IP mapping details are available?
  2. Is there any way to check the user-to-IP mapping information in the FMC?
  3. What logic does the FMC use to decide which log is considered? Is it "the latest log wins"?

Users with PEAP auth do work fine with the identity-based rules, so that confirms that pxGrid is working fine.
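To make the distinction in the quoted configuration-guide note concrete for both the TEAP question in the original post and the device-auth questions above, here is an added illustrative model, not the FMC's actual parser (the thread itself notes that its internals are not documented) and not Cisco code. It models an identity source that only accepts 802.1x user identities: a machine-only session (EAP-TLS with a device certificate) yields no user for that IP, a PEAP session yields its user, and a TEAP session that chains a machine identity with a user identity still yields the user. The Session fields, the "host/name" and "NAME$" naming convention for Windows machine accounts, and the latest-session-wins rule for conflicting mappings are assumptions made here for illustration; the sample sessions are constructed.

```python
"""Illustrative model of building a user-to-IP table from 802.1X sessions.

Assumptions (not taken from FMC/ISE documentation):
  * machine accounts appear as 'host/fqdn' or 'NAME$', optionally DOMAIN\\-prefixed;
  * the newest session for an IP wins over older ones;
  * a machine-only session contributes no user and therefore never
    overwrites an existing user mapping for that IP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    when: str          # ISO-8601 timestamp; lexical order == chronological order
    ip: str            # endpoint address the session was authorized for
    method: str        # EAP method, e.g. "PEAP", "EAP-TLS", "TEAP"
    identities: Tuple[str, ...]  # identities seen in the exchange, in order


def is_machine_identity(identity: str) -> bool:
    """Return True for identities that look like a machine account (assumed convention)."""
    ident = identity.split("\\")[-1]          # drop an optional DOMAIN\ prefix
    return ident.lower().startswith("host/") or ident.endswith("$")


def user_identity(session: Session) -> Optional[str]:
    """First non-machine identity in the session, or None for machine-only auth.

    For TEAP chaining the machine identity usually comes first and the user
    identity second, so the user is found even though the machine is present.
    """
    for ident in session.identities:
        if not is_machine_identity(ident):
            return ident
    return None


def build_user_ip_mapping(sessions: List[Session]) -> Tuple[Dict[str, str], List[Session]]:
    """Build a latest-wins IP -> user table; return it with the sessions that yielded no user."""
    mapping: Dict[str, str] = {}
    skipped: List[Session] = []
    for s in sorted(sessions, key=lambda s: s.when):
        user = user_identity(s)
        if user is None:
            skipped.append(s)          # machine-only: nothing usable for an identity rule
            continue
        mapping[s.ip] = user           # newer session replaces older user for this IP
    return mapping, skipped


# Constructed sample sessions (not captured from a real ISE or FMC).
SAMPLE_SESSIONS = [
    Session("2024-01-01T08:00:00", "10.0.0.11", "EAP-TLS", ("host/ws01.corp.example",)),
    Session("2024-01-01T08:01:00", "10.0.0.12", "PEAP", ("CORP\\alice",)),
    Session("2024-01-01T08:02:00", "10.0.0.13", "TEAP", ("host/ws03.corp.example", "CORP\\bob")),
    Session("2024-01-01T09:30:00", "10.0.0.12", "PEAP", ("CORP\\carol",)),   # later: replaces alice
    Session("2024-01-01T09:45:00", "10.0.0.14", "EAP-TLS", ("WS04$",)),
]


if __name__ == "__main__":
    table, dropped = build_user_ip_mapping(SAMPLE_SESSIONS)
    for ip, user in sorted(table.items()):
        print(f"{ip:<12} -> {user}")
    for s in dropped:
        print(f"no user identity from {s.method} session on {s.ip}: {s.identities}")
```

Run as-is to see that 10.0.0.11 and 10.0.0.14 get no entry at all (which is what the device-auth observation above looks like from the policy side), 10.0.0.13 maps to bob despite the chained machine identity, and 10.0.0.12 ends up as carol under the assumed latest-wins rule.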