07-21-2022 12:19 PM
Hello Everyone,
As Cisco has announced EOL for FMC-User Agent functionality for versions 6.6 and above, we are trying to migrate to Cisco ISE to capture user logon information. While reviewing the document: Firepower Management Center Configuration Guide, Version 6.3 - Control Users with ISE/ISE-PIC [Cisco Secure Firewall Management Center] - Cisco
there is a note which states that:
"The Firepower System does not parse IEEE 802.1x machine authentication but it does parse 802.1x user authentication. If you are using 802.1x with ISE, you must include user authentication. 802.1x machine authentication will not provide a user identity to the FMC that can be used in policy."
Currently we are using TEAP method of authentication which uses User and Machine identity in a single tunnel to authenticate the users. Will the User-Agent migration to Cisco ISE work for our current scenario as in the above statement, the FMC only parses 802.1x user authentication and ignores machine authentication?
08-15-2022 04:32 PM
Hopefully it will work but hard to know exactly how the FMC parser works without testing it.
Did you ever find out?
02-01-2023 11:47 PM
Hi Nikhil,
Just wondering whether machine auth is working in your setup.
Brief info on my setup:
In the FMC, we can see the User to IP mapping for clients with Device Auth. However, an identity-based policy is not working for users with device auth.
Users with PEAP auth do work fine with the identity-based rules. So, it confirms that PxGrid is working fine.
10-22-2025 11:30 PM
Hi Nikhil
Have you been able to get it run?
I have been on the same setup Saj mentioned: 802.1x with Device Cert and passiveID Agent for user. But this was never really successful since the passiveID Agent was too slow for roaming clients and the User ID was lost too often to have a strong, reliable solution. So I decided to go for TEAP with Device and User Certs using ISE for WiFi, LAN and Remote Access.
Unfortunately with that, it looks like FMC/FTD is no longer able to find the correct User, since the Username displayed on FMC is always in the format: "user@domain.com,MACHINEID". This cannot be mapped with the corresponding AD-group configured in the Realm. So I wonder what is the correct way to use User Certs for ID Based FW using TEAP as 802.1x...
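As an added illustration (my own example, not Cisco's code or anything from FMC/ISE), the snippet below shows how a defender could normalise the identities reported for each session into the user principal that a realm can actually match against AD groups. The "user@domain.com,MACHINEID" shape and the comma separator are taken from the post above; the "host/..." machine-only form, the accepted realm domain names and the sample sessions are constructed assumptions for this example.

```python
# Added example: normalise 802.1x identities (user-only, machine-only, or
# TEAP-chained "user,machine") into the account name a realm can look up.
# Assumptions: comma-joined TEAP identity as seen on FMC in the post above;
# "host/..." prefix for machine-only auth; constructed sample sessions below.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class Identity:
    raw: str
    user: Optional[str]      # user principal (user@domain or DOMAIN\user), if present
    machine: Optional[str]   # machine identity, if present
    kind: str                # "user", "machine" or "teap-combined"


def parse_identity(raw: str) -> Identity:
    """Split a reported 802.1x identity into its user and machine parts."""
    s = raw.strip()
    if "," in s:  # TEAP chained user + machine identity, as displayed on FMC
        user_part, machine_part = (p.strip() for p in s.split(",", 1))
        return Identity(s, user_part or None, machine_part or None, "teap-combined")
    if s.lower().startswith("host/"):  # machine-only authentication (assumed form)
        return Identity(s, None, s, "machine")
    return Identity(s, s, None, "user")


def realm_lookup_key(identity: Identity, realm_domains: Set[str]) -> Optional[str]:
    """Return the lower-cased account name to look up in the realm's AD groups,
    or None when there is no usable user identity (machine-only auth) or the
    user belongs to a domain the realm does not cover."""
    if identity.user is None:
        return None
    user = identity.user
    if "@" in user:                       # UPN form: name@dns.domain
        name, _, domain = user.partition("@")
    elif "\\" in user:                    # down-level form: NETBIOS\name
        domain, _, name = user.partition("\\")
    else:
        return user.lower()               # bare name: assume it belongs to the realm
    accepted = {d.lower() for d in realm_domains}   # DNS and NetBIOS names
    return name.lower() if domain.lower() in accepted else None


# Constructed sample of identity-to-IP mappings, one per session
SAMPLE_SESSIONS = [
    ("10.0.1.10", "alice@example.com,LAPTOP-01$"),   # TEAP: user + machine
    ("10.0.1.11", "host/laptop-02.example.com"),     # machine auth only
    ("10.0.1.12", "EXAMPLE\\bob"),                   # PEAP user auth, NetBIOS form
    ("10.0.1.13", "carol@other.org"),                # user from a domain outside the realm
]


def enrich(sessions: Iterable[tuple], realm_domains: Set[str]) -> List[dict]:
    """Annotate each session with its identity kind, machine part and lookup key."""
    out = []
    for ip, raw in sessions:
        ident = parse_identity(raw)
        out.append({
            "ip": ip,
            "kind": ident.kind,
            "machine": ident.machine,
            "lookup": realm_lookup_key(ident, realm_domains),
        })
    return out


if __name__ == "__main__":
    for row in enrich(SAMPLE_SESSIONS, {"example.com", "EXAMPLE"}):
        print(row)
```

Sessions whose lookup key comes back as None are exactly the ones an identity-based rule cannot act on: machine-only authentications carry no user, and a user from another domain is not in the realm's groups. Running this over an export of the User-to-IP mappings gives a quick count of how many sessions are in each state before and after the switch to TEAP.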
10-22-2025 11:47 PM
Hey all, I am jumping in here because this exact scenario is on my radar too: migrating users from FMC User Agent to Cisco ISE (TEAP users specifically).
Couple of things that are bothering me:
When migrating does the user experience change (certificates, login prompts, etc.)?
Are there any gotchas around existing devices (laptops, phones) that were already set up with FMC User Agent?
Also in your experience how much downtime or service hiccup should we expect during the switch-over?
Would love to hear from someone who’s done this live what surprised you, what you wished you’d done differently.
Thanks!