07-30-2025 01:55 PM
Secure Connect Client 5.1.10
Secure FMC 7.4.2.3
ISE 3.3 Patch 7
We have Secure Client users connecting to a secure client profile which sends them to ISE to get authenticated against AD. I am trying to deny specific user groups or user SGs from getting to specific subnets.
In order to get IP to User mappings, I have turned on pxGrid and connected FMC and it says it is successful. I have also enabled SXP on ISE and confirmed that FMC shows that it is connected in the connection log as well as the pxGrid subscription log in ISE. However, under Connection Events in FMC, I am not able to see a username associated with my VPN assigned IP address. I get "Not Found." I am able to see the SGTs I have created in ISE in the Access policy I created in FMC under dynamic attributes. When logging in as a user in the targeted SGT, the rule does not hit.
I can see in the Ops log on ISE that I am pulling the SGT I am supposed to based on the Auth policy in ISE for my specific VPN profile.
I then created a Realm in FMC for our AD server and was able to sync the same user groups I have synced in ISE with AD. I created an Identity policy in FMC using that Realm and matched it to the External to Internal security groups to match inbound VPN traffic direction. I applied it to the Access policy we use. I am still not able to see any mappings in Connection Events. I changed the ACL rule to use the specific user groups synced from the AD realm instead of the SGT dynamic attribute. When testing, I am still not able to hit the rule.
Any help would be appreciated. Thank you so much for reading. Thank you in advance for your time.
07-31-2025 02:53 AM
We are using Secure Client (5.1.10) to authenticate users via ISE (3.3 Patch 7) using Active Directory credentials, and the users are correctly receiving Security Group Tags (SGTs) based on the authorization policies in ISE. FMC (7.4.2.3) is successfully connected to ISE via pxGrid and SXP, and the SGTs are visible within FMC's access policies. However, we are unable to see user-to-IP mappings in the Connection Events section of FMC, and access control rules based on user groups or SGTs are not being hit. A realm was configured in FMC to sync the same AD groups used in ISE, and an identity policy was applied to match inbound VPN traffic, but user identities are still not being resolved. While all components appear to be connected and functioning individually, the correlation between the user's identity and their assigned IP address is not being made, preventing identity-based access policies from working as intended.