07-21-2022 12:19 PM
Hello Everyone,
As Cisco has announced EOL for FMC User Agent functionality for versions 6.6 and above, we are trying to migrate to Cisco ISE to capture user logon information. While reviewing the document: Firepower Management Center Configuration Guide, Version 6.3 - Control Users with ISE/ISE-PIC [Cisco Secure Firewall Management Center] - Cisco
there is a note which states that:
"The Firepower System does not parse IEEE 802.1x machine authentication but it does parse 802.1x user authentication. If you are using 802.1x with ISE, you must include user authentication. 802.1x machine authentication will not provide a user identity to the FMC that can be used in policy."
Currently we are using the TEAP method of authentication, which uses User and Machine identity in a single tunnel to authenticate the users. Will the User-Agent migration to Cisco ISE work for our current scenario, given that, per the above statement, the FMC only parses 802.1x user authentication and ignores machine authentication?
08-15-2022 04:32 PM
Hopefully it will work but hard to know exactly how the FMC parser works without testing it.
Did you ever find out?
02-01-2023 11:47 PM
Hi Nikhil,
Just wondering whether machine auth is working in your setup.
Brief info on my setup:
In the FMC, we can see the User to IP mapping for clients with Device Auth. However, identity-based policy is not working for users with device auth.
Users with PEAP auth do work fine with the identity-based rules. So, it confirms that PxGrid is working fine.