Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1465
Views
10
Helpful
4
Replies

Firepower - IP to user mapping

Go to solution
alexandro.angel@softtek.com
Level 1
Level 1

‎12-08-2020 06:39 PM

Hello team,

I'm aware that in the past in order to achieve user to ip mappings you could implement the User Agent, even if you didn't have FMC you could integrate the Firepower module through ASDM directly to the User Agent. And then to perform the Realm integration in ASDM in order to be able to configure Access Control Policies based on AD Users... Which means that in the past it was pretty straight forward and cheap for customers to implement all of this without the need of acquiring FMC.

However, I just realized today that User Agent became obsolete and that the new path is to implement ISE-PIC and FMC as Subscriber.

So, it's clear to me that customers will need to pay for ISE-PIC licensing... But my only question is, do we need to forcibly acquire FMC as well? Has someone tried to integrate the Firepower module through ASDM directly to ISE-PIC?

In fact, I also found some documentation saying that customers with FMC and active support contracts would be eligible to receive ISE-PIC at no cost... So, my second question is will this apply as well for new purchases i.e. customers just paying for FMC and getting ISE-PIC for free? Or was that just for existing FMC deployments?

Any feedback will be appreciated.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎12-09-2020 02:57 AM

Hi,

ASA Firepower Module can support ISE-PIC as an identity source. Here is the
reference.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/asa-fp-services/asafps-local-mgmt-config-guide-v66/user_identity_sources.html

With regards to license, AFAIK you need to buy ISE-PIC separately from FMC
license for first time user. This is what I faced

***** please remember to rate useful posts

View solution in original post

4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-09-2020 02:49 AM - edited ‎12-09-2020 09:56 PM

ISE-PIC is only free for customers with FMC hardware appliances or FMCv300.

You can integrate ISE-PIC for identity either via FMC, via FRM (for FTD devices).

For someone with a Firepower service module on an ASA and no FMC, I don't believe you can integrate either ISE or ISE-PIC as an external identity source. that goes for both the ASA as well as the Firepower service module.

Correction - see later posting by @Mohammed al Baqari 

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎12-09-2020 02:57 AM

Hi,

ASA Firepower Module can support ISE-PIC as an identity source. Here is the
reference.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/asa-fp-services/asafps-local-mgmt-config-guide-v66/user_identity_sources.html

With regards to license, AFAIK you need to buy ISE-PIC separately from FMC
license for first time user. This is what I faced

***** please remember to rate useful posts

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Mohammed al Baqari

‎12-09-2020 09:55 PM

Thanks for that correction @Mohammed al Baqari

I didn't realize the Firepower service module could use ISE-PIC when it's ASDM-managed.

0 Helpful

Go to solution
alexandro.angel@softtek.com
Level 1
Level 1

‎12-09-2020 07:03 AM

Thanks for your feedback and documentation guys, then I'll encourage customers to acquire ISE-PIC licensing as well on Firepower deployments.

 

Regards,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card