FMC/FTD Identity Awareness query about user to ip mappings

rcullum · ‎07-10-2020

We setup our FMC (6.4) to be a Pxgrid subscriber to Cisco ISE. ISE has several agents inastalled to retrieve user-to-ip mappings. I can't seem to find any information about how often:

1/ ISE pushes user to ip mappings to the FMC

2/ How does an FTD retrieve the user to ip mapping for a rule? Does it look up every time against FMC when the an access-policy rule has a group/or user mapped to the rule or does it keep a local cache of user-to-ip mappings? How often is the cache updated? What if a username has logged on different machines so has several user to ip mappings?

Can anyone help with this information? Thanks.

Rob Ingram · ‎07-10-2020

Hi,
When pxGrid integration is setup between ISE and the FMC, the IP/Username/SGT bindings are dynamically pushed to the FMC whenever a user logins. The FMC will receive these bindings updates within seconds. The bindings are store on the FMC/FTD as default for 24 hours (configurable).

For testing, on the FMC run the command adi_cli session to confirm the bindings being received on the FMC. Use this guide for more information on configuration and troubleshooting.

elemzy · ‎11-30-2021

Hi Rob,

Your response does not include an answer to if FTD stores the user in its local cache or has to query FMC for every session. This will help understand what happens when FTD loses connectivity to FMC. Please share any relevant documents.