09-14-2020 09:35 AM
Hope everyone's well! Could someone advise on this please?
We're looking at installing Firepower devices, with ISE-PIC to provide SSO information based on Active Directory users. We need to control and log web access to URLs based on AD username.
From the docs this looks like it will function with machines that are domain members, but many devices in this environment are iPhones/Android and therefore not domain members. Those particular users do not want to use the captive portal on the Firepower devices, and are currently logging on to the Wi-Fi by entering their AD credentials and authenticating via RADIUS on a Windows AD domain controller (WPA2 Enterprise). The Wi-Fi system they have also supports authenticating directly to Active Directory via a "bind_request".
We have found entries in ISE and Firepower documentation (see below) that indicate that users on Firepower devices cannot be managed if they logged on to RADIUS, LDAP or RSA domain controllers. So this could mean our Wi-Fi users logging on via RADIUS may not be manageable, but what about if they logged on via the AD bind_request? Would that be any different?
The documentation is unclear on this. Technically it's LDAP, but it is a full Active Directory server and not an open-standards LDAP server.
Documentation excerpt:
09-14-2020 10:12 AM
When you use ISE-PIC with passive identity it can pick up user-to-IP mapping by querying the DC via WMI. If there was a Windows login event, ISE-PIC should be able to pull the data and make it available to Firepower. I am doing this at a customer where they have both Windows users (logging into AD, no ISE directly involved) and other users coming in via an open source NAC solution (PacketFence) that is reporting to ISE-PIC via API.
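The passive-identity mechanism described above boils down to turning domain controller logon events into an IP-to-user table. The following is an added example that is not part of this thread and not Cisco or PacketFence code; it mimics that step over constructed, simplified Windows Security log 4624 records. The field names (TargetUserName, IpAddress, LogonType), the sample addresses and the 10.1.5.0/24 "infrastructure" range are assumptions for the example. It also shows the caveat a practitioner hits with the Wi-Fi case in the original question: when a RADIUS server or a Wi-Fi controller authenticates on a user's behalf, the DC's logon event carries the address of that server, not of the phone, so the event cannot be attributed to the endpoint and is reported separately instead of being mapped.

```python
"""Derive an IP-to-user mapping from Windows Security log logon events.

Added example, not ISE-PIC or Firepower code. Event records are
constructed and simplified; real 4624 events carry many more fields.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log. Times are ISO-8601 strings so they sort correctly.
SAMPLE_EVENTS = [
    # Stale event from the previous evening: should be expired by the TTL.
    {"EventID": 4624, "Time": "2020-09-13T20:00:00", "TargetUserName": "bwong",
     "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "10.1.20.15"},
    # Interactive logon on a domain-joined workstation.
    {"EventID": 4624, "Time": "2020-09-14T09:30:00", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "10.1.20.15"},
    # Computer account: not a user, must never appear in the mapping.
    {"EventID": 4624, "Time": "2020-09-14T09:31:00", "TargetUserName": "WS-042$",
     "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.1.20.42"},
    # Phone authenticating over WPA2 Enterprise: the DC sees a network logon
    # whose source is the RADIUS server (assumed 10.1.5.10), not the phone.
    {"EventID": 4624, "Time": "2020-09-14T09:32:00", "TargetUserName": "apatel",
     "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.1.5.10"},
    # Failed logon: wrong event ID, ignored.
    {"EventID": 4625, "Time": "2020-09-14T09:33:00", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "10.1.20.99"},
    # Remote interactive logon from a second address.
    {"EventID": 4624, "Time": "2020-09-14T09:34:00", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.1.20.77"},
    # A later logon from the first address: the newest user wins.
    {"EventID": 4624, "Time": "2020-09-14T09:40:00", "TargetUserName": "mlee",
     "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "10.1.20.15"},
]

# Networks of systems that authenticate on behalf of other endpoints
# (RADIUS/NPS servers, Wi-Fi controllers doing LDAP binds). Assumed range.
INFRA_NETS = [ip_network("10.1.5.0/24")]

LOCAL_ADDRESSES = {"-", "", "::1", "127.0.0.1"}


def endpoint_address(event, infra_nets):
    """Return the source IP if it can be attributed to a user endpoint, else None.

    Addresses belonging to infrastructure (RADIUS servers, Wi-Fi controllers)
    are rejected: the logon is real, but the IP is not the user's device.
    """
    raw = event.get("IpAddress", "-")
    if raw in LOCAL_ADDRESSES:
        return None
    ip = ip_address(raw)
    if any(ip in net for net in infra_nets):
        return None
    return raw


def build_mappings(events, infra_nets, now, ttl=timedelta(hours=8)):
    """Return ({ip: 'DOMAIN\\user'}, [user logons with no endpoint address]).

    Only successful logons (4624) for non-computer accounts inside the TTL
    window are considered; for one IP the most recent logon wins.
    """
    mapping = {}
    unattributable = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev.get("EventID") != 4624:
            continue
        user = ev.get("TargetUserName", "")
        if not user or user.endswith("$"):  # computer accounts end in '$'
            continue
        if now - datetime.fromisoformat(ev["Time"]) > ttl:
            continue  # stale; the user has probably moved on
        ip = endpoint_address(ev, infra_nets)
        if ip is None:
            unattributable.append(ev)
            continue
        mapping[ip] = f'{ev["TargetDomainName"]}\\{user}'
    return mapping, unattributable


def demo():
    """Run the sample through the mapper as of a fixed 'now'."""
    now = datetime.fromisoformat("2020-09-14T10:00:00")
    return build_mappings(SAMPLE_EVENTS, INFRA_NETS, now)


if __name__ == "__main__":
    mapping, unattributable = demo()
    for ip, user in sorted(mapping.items()):
        print(f"{ip:<14} {user}")
    for ev in unattributable:
        print(f"no endpoint address for {ev['TargetUserName']} "
              f"(logon type {ev['LogonType']} from {ev['IpAddress']})")
```

In this sample the two workstations end up mapped (10.1.20.15 to CORP\mlee, 10.1.20.77 to CORP\jsmith), the machine account, the failed logon and the stale entry are dropped, and the phone user apatel is reported as unattributable because the only address in the DC event is the RADIUS server's. That is the gap the LDAP bind_request question in the original post is really about: whichever way the Wi-Fi system authenticates against AD, the DC only learns the address of the system that performed the bind or the RADIUS request, so the endpoint address has to come from somewhere else (the NAC or the Wi-Fi controller) to be useful for per-user URL control.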
09-14-2020 10:36 AM
Thank you for sharing your experience on this!
So it looks like it should be OK, plus we could look at PacketFence or similar as a backup. I will try to find out if this bind_request counts as a login event, but you would think so!
Any idea what these references to Firepower not liking logins that happened via LDAP and RADIUS might mean?
Thanks again!