Re: Firepower Integration with Cisco Wireless Controller Series

bergonzoni · ‎05-22-2018

Hi,

We are replacing Palo Alto firewall with a Firepower solution.

In our Palo Alto we have this feature enabled:

https://live.paloaltonetworks.com/t5/Integration-Articles/Use-Syslog-Receiver-to-Integrate-with-Cisco-Wireless-Controller/ta-p/52824

This feature permit Palo Alto to known wireless User-IP mapping.

How we can replicate this feature on Firepower?

Thanks.

Marco

Marvin Rhoads · ‎05-22-2018

Firepower cannot consume identity that way.

You have six available methods - via Cisco User Agent, ISE/ISE-PIC, TS Agent, Captive Portal, Remote Access VPN or Traffic-based detection.

More details are found here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/introduction_to_network_discovery_and_identity.html?bookSearch=true#concept_6C9FF477EEB643FD80818C0FAA91DAB3

bergonzoni · ‎06-04-2018

Hi Marvin,

Based on the assumption that ISE know identity information (user\ip mapping) of wireless connected user from Wireless Controller.

Can I use this information to match policy based on user identity on Firepower?

ISE can be share these identity information to Firepower?

Thanks

Marvin Rhoads · ‎06-04-2018

Yes, ISE is a supported identity source which can be used to feed FMC usernames-IP address mapping. You can then use usernames (or, if you also have Active Directory integration configured, AD group membership) within your access control policies.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/control_users_with_ise_ise_pic.html