Cisco 3140 with User Identity

packet2020
Level 1

Hi All,

I'm currently deploying a couple of Cisco 3140 firewalls that I need to set up to use user identity so that I can configure access policies using AD users/groups. When I looked at this previously, this used an agent on AD; however, this has since changed.

We have an ISE implementation, however our devices currently only authenticate using machine cert, not user, so ISE has no visibility of the user to match against AD. We are looking at deploying user certs, however this will take time.

I have looked at the various guides and I think that I can integrate ISE with AD using WMI to pull Windows security events that can then be published to FMC/FTD via pxGrid. Is this a common recommended approach if I can't get user info from network authentication events?


5 Replies

@packet2020 yes you could use ISE PassiveID to learn user login/logoff events from AD, which can be sent to the FMC/FTD. I've used PassiveID before (a long time ago); in my experience it's not as common as deploying 802.1X.

Relevant guides:
https://community.cisco.com/t5/security-knowledge-base/ise-easy-connect/ta-p/3638861
https://integratingit.wordpress.com/2019/10/26/ftd-user-identity/
https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/
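To make concrete what "learn user login/logoff events from AD" means for the firewall policy, here is an added example (written for this page, not Cisco or ISE code) that models the correlation step a PassiveID-style collector performs: it reads Windows Security events as a domain controller would log them and maintains a user-to-IP binding table, which is the kind of binding that ISE later publishes to the FMC. The event IDs used are standard Windows ones (4624 successful logon, 4768 Kerberos TGT requested, 4634/4647 logoff); which IDs ISE actually subscribes to over WMI is not stated in this thread and is not claimed here. The key=value event lines, the hostnames and the addresses are constructed sample data, and the logoff handling (drop the user's bindings) is a simplification: a real collector also ages bindings out on a timer.

```python
"""Toy PassiveID-style correlation of DC Security events into user-to-IP bindings.
Added example, not Cisco/ISE code. Event lines are a constructed key=value
rendering of Security event fields, not the output of ISE's WMI subscription."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard Windows Security event IDs (assumption: a collector would key on these).
LOGON_EVENTS = {"4624", "4768"}    # successful logon, Kerberos TGT requested
LOGOFF_EVENTS = {"4634", "4647"}   # logoff, user-initiated logoff

# Constructed sample events (not real DC output). Note the machine account (WS-4471$),
# the service logon with no source IP, the IPv4-mapped IPv6 form that 4768 commonly
# carries, and two users sharing 10.1.20.15 over time.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jdoe TargetDomainName=CORP LogonType=3 IpAddress=10.1.20.15",
    "EventID=4624 TargetUserName=WS-4471$ TargetDomainName=CORP LogonType=3 IpAddress=10.1.20.16",
    "EventID=4624 TargetUserName=asmith TargetDomainName=CORP LogonType=3 IpAddress=10.1.20.16",
    "EventID=4624 TargetUserName=svc-backup TargetDomainName=CORP LogonType=5 IpAddress=-",
    "EventID=4768 TargetUserName=jdoe TargetDomainName=CORP IpAddress=::ffff:10.1.20.17 IpPort=51022",
    "EventID=4634 TargetUserName=asmith TargetDomainName=CORP LogonType=3",
    "EventID=4624 TargetUserName=bjones TargetDomainName=CORP LogonType=3 IpAddress=10.1.20.15",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Binding:
    user: str   # DOMAIN\sAMAccountName, the form a user/group policy would match on
    ip: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed key=value event line into a field dict."""
    return dict(FIELD_RE.findall(line))


def normalise_ip(raw: Optional[str]) -> Optional[str]:
    """Return a routable address string, or None for placeholders/loopback.
    Unwraps the ::ffff:a.b.c.d form so IPv4 clients get a plain IPv4 binding."""
    if not raw or raw == "-":
        return None
    if raw.lower().startswith("::ffff:"):
        raw = raw[len("::ffff:"):]
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    return None if addr.is_loopback else str(addr)


def is_machine_account(user: str) -> bool:
    """AD computer accounts end in '$'; they are not useful for user-based policy."""
    return user.endswith("$")


class BindingTable:
    """Last-writer-wins map of IP -> user, as an identity-aware firewall consumes it."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, str] = {}

    def apply(self, ev: Dict[str, str]) -> Optional[Binding]:
        user = ev.get("TargetUserName", "")
        if not user or is_machine_account(user):
            return None
        domain = ev.get("TargetDomainName", "")
        full = f"{domain}\\{user}" if domain else user
        event_id = ev.get("EventID")
        if event_id in LOGON_EVENTS:
            ip = normalise_ip(ev.get("IpAddress"))
            if ip is None:
                return None            # service/local logons carry no usable source IP
            self._by_ip[ip] = full     # a later user on the same IP replaces the earlier one
            return Binding(full, ip)
        if event_id in LOGOFF_EVENTS:
            # Logoff events carry no IP, so drop every binding held by that user.
            for ip in [ip for ip, u in self._by_ip.items() if u == full]:
                del self._by_ip[ip]
        return None

    def user_for(self, ip: str) -> Optional[str]:
        return self._by_ip.get(ip)

    def snapshot(self) -> Dict[str, str]:
        return dict(self._by_ip)


def build_bindings(lines: List[str]) -> Dict[str, str]:
    """Feed event lines through the table and return the resulting IP -> user map."""
    table = BindingTable()
    for line in lines:
        table.apply(parse_event(line))
    return table.snapshot()


if __name__ == "__main__":
    for ip, user in sorted(build_bindings(SAMPLE_EVENTS).items()):
        print(f"{ip:<14} {user}")
```

Two of the filters matter for the situation described in this thread. Endpoints that authenticate with machine certificates still generate machine-account logons on the DC, so those must be ignored or the firewall would see `WS-4471$` instead of the user. And the replacement of `CORP\jdoe` by `CORP\bjones` on 10.1.20.15 shows the inherent limitation of any IP-keyed binding, shared or re-used addresses, which is why a session-based source such as 802.1X is preferred when it is available.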

 

Hi Rob,

Thanks for the reply. I will take a look at enabling PassiveID in the short term whilst we look at rolling out user certificates for 802.1X.

One question regarding User Identity and 802.1X EAP-TLS authentication - I assume that FMC will simply derive the username of the session from the username that is presented in the certificate Subject Common Name or SAN field? This behavior is understood when using PEAP-MSCHAP for authentication, however there are no documents that clearly describe how user identity works if EAP-TLS is used for 802.1X authentication.

 

Accepted Solution

@packet2020 it's ISE that will derive the username from the certificate: use a "Certificate Authentication Profile" (CAP) and select which certificate attribute (e.g. Subject Common Name, or whatever attribute you select) is used for the username. Example - https://integratingit.wordpress.com/2022/04/17/ise-certificate-authentication/

Once authenticated, ISE will create a username/IP binding, and this binding is sent to the FMC.

 

One thing I would keep in mind is that, with Microsoft patch KB5014692, WMI won't work for PassiveID anymore. I had to move customers' deployments from WMI to the PassiveID agent for that reason.

 

Marvin Rhoads
Hall of Fame

Like @Rob Ingram and @Aref Alsouqi suggested, you have the options of:

a. pulling the username from their certificate via the CAP and/or

b. using PassiveID. Use it with the Agent option (not WMI) and it works fine with even the latest Windows Server versions. WMI has always been troublesome and, even when you get it to work, Microsoft seems to find something new about it that's vulnerable and breaks it for you on some random Patch Tuesday.

You can use both options and have more complete coverage of your endpoints' associated user identities.
