SGT pxGrid with FMC and ISE

paul
Level 10

I am testing pxGrid with ISE and FMC/FTD.  I have FMC joined to pxGrid and I can see all my SGTs and Profiling groups for use in my firewall policies.  I can add new SGT tags and they automatically show up in ISE. 

I have tested building a rule that allowed Apple-Devices to access the Internet on my FTD firewall.  I also have a rule to allow a particular SGT tag to access the Internet.  I can't get either of these rules working.

All the documents I've read talk about configuring realms and host discovery in FMC, but why is that needed if I just want to use data from ISE?  The other thing I saw is this in the documents:

"FMC does not push all User-IP mapping entries to sensors. For FMC to push mapping, it must first have knowledge of the user through the Realm. If the user in the session is not part of the Realm, sensors will not learn the mapping information of this user. Support for non-Realm users is considered for future releases."


So if I am SGT tagging a non-user device there is no support for that?  I am trying to mock up a PSK SSID with MAC filtering for different medical devices.  I want ISE to profile them into different classes of devices and then my AuthZ rules will apply a corresponding SGT tag.  I have all the ISE logic done and SGT tag is being applied, but I can't use the SGT tag or profiling group to work on my FTD.


I am hoping that I am missing something obvious. 

Accepted Solution

Just to follow up on this.  With FMC 6.2 there is no realm requirement for SGT/pxGrid information coming from ISE so any tag can be used.  I was able to successfully build firewall policies using SGT tags and profiling groups from ISE without any realms in FMC. 

Good stuff.


4 Replies

jeppich
Cisco Employee

Hey Paul,

You need to have the Realm configured on FMC for ISE passive authentication.  Add an ISE Passive identity rule and add this to your FMC access policy.

Also, this only applies to user authentication.  Correct, I don't think there is support for non-user device tags.

I would like to get more information, please email me.

Thanks,

John

jeppich@cisco.com


I'm kind of getting the same issue wherein I'm trying to propagate my SGTs from my FTD VPN FW and egress out to my Nexus Core Switches and then reach a certain destination in my other FTD.

The advice that I have got from the CTS Team is that I should allow my SGT propagation from the egress direction of my FTD VPN FW towards my Nexus Core Switches. Another issue that was mentioned is that our Core Switches (Nexus 9k) are not capable of handling SGT frames, hence they will drop the traffic.

My understanding so far: if your FTDs are subscribed in pxGrid, manual CTS SGT propagation is not needed, since manually configuring CTS is only for IN-LINE deployment? So, when the traffic from my FTD VPN FW egresses out towards my Nexus Core, it should just carry the traffic to the other pxGrid subscriber, and then my other FTD should be able to pick up the SGT and process the policy?

Do I really need to create a realm for this scenario? Not really sure how to set it up, but more than willing to learn.


Ustapon
Level 1

Could you please give me a suggestion? I also have this problem.