FMC ISE Integration - SGT

Daniel Lucas
Level 1

ISE version 2.1

FMC version 6.1

Running into an issue getting SGT mappings to be pushed to the sensors from my FMC. I believe I have identified the issue, but wanted to see if anyone has run into this before or got it working.

Here is what I am experiencing:

User connects to wireless, and authenticates using EAP-FAST (user+machine)

ISE assigns an SGT per AuthZ policy

FMC gets user/machine login event and SGT from ISE (screenshot below)

FMC doesn't push the SGT mapping to the sensors - I believe because the username received from ISE is in the form of '<username>/host/<machine>', and it isn't able to find that in the AD Realm. (screenshot below)

If I authenticate using just username and not machine (PEAP+MSCHAPv2 for example) everything works as expected - FMC gets SGT, pushes to sensor, Access Control Policy applied properly.

I found a bug that is kinda related to what I am seeing, but the workaround listed is basically what I am already doing. CSCvd73842

Screenshots:


Any thoughts or experience is appreciated.

 

-Thanks

1 Accepted Solution

Accepted Solutions

vlmacko
Level 1

Hi,

Before Firepower 6.2.0 you needed to have a Realm which validates the username received from ISE, and only after that was the SGT-IP mapping pushed to the FTD device. As you write, you are running 6.1 ..

After 6.2.0 you don't need a realm to validate the username to be able to push the SGT-IP mapping to the device ..

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower_System_Release_Notes_Version_620/new_features_and_functionality.html

...check Table 1

 

Because you are using EAP-FAST (user+device), FMC sees that whole string as one "user" ID, and this is not in AD at all. Actually there is no way to validate an EAP-FAST identity (user+device) against any Realm (there is no possibility of parsing the identity on FMC (received via pxGrid) nor on the ISE platform (before pxGrid) ..).

(I am in the same situation .. lots of discussions with Cisco SE about that ... no solution till now).

 

If it is enough for you to use SGT tags in the ACL, it can be useful to migrate to 6.2.0 or later.

Regards,

Vladimir

 

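To make the failure mode described above concrete, here is an added Python example (not code from the thread or from Cisco) that models the pre-6.2 realm check over a constructed set of ISE sessions and reports which SGT-IP mappings would never reach the sensors. The session field names and the realm user list are assumptions; only the identity forms ('<user>' for PEAP/MSCHAPv2, '<user>/host/<machine>' for EAP-FAST chaining) come from the thread.

```python
import re

# Constructed sample of ISE session records of the kind FMC learns via pxGrid.
# Field names are assumptions; the identity forms follow the thread.
SESSIONS = [
    {"ip": "10.1.20.15", "identity": "jdoe", "sgt": 10},                 # PEAP+MSCHAPv2
    {"ip": "10.1.20.16", "identity": "jdoe/host/LAPTOP-01", "sgt": 10},  # EAP-FAST chaining
    {"ip": "10.1.20.17", "identity": "host/LAPTOP-02", "sgt": 20},       # machine-only
    {"ip": "10.1.20.18", "identity": "asmith", "sgt": 30},
    {"ip": "10.1.20.19", "identity": "unknownuser", "sgt": 40},          # not in the realm
]
# Constructed AD realm user list (what FMC would have downloaded from the realm).
REALM_USERS = {"jdoe", "asmith"}

IDENTITY_RE = re.compile(r"^(?:(?P<user>[^/]+)/)?host/(?P<machine>[^/]+)$")

def parse_identity(identity):
    """Return (user, machine) for an ISE identity string.
    'jdoe/host/LAPTOP-01' -> ('jdoe', 'LAPTOP-01'), 'host/LAPTOP-02' -> (None, 'LAPTOP-02'),
    'jdoe' -> ('jdoe', None)."""
    m = IDENTITY_RE.match(identity)
    if m:
        return m.group("user"), m.group("machine")
    return identity, None

def realm_validates(identity, realm_users):
    """Pre-6.2 check: the whole identity string must exist as a realm user.
    A chained 'user/host/machine' string never does, so the mapping is not pushed."""
    return identity in realm_users

def mapping_pushed(identity, realm_users, fmc_version):
    """Whether the SGT-IP mapping for this identity reaches the sensors."""
    major, minor = (int(x) for x in fmc_version.split(".")[:2])
    if (major, minor) >= (6, 2):
        return True  # 6.2 and later: realm validation is no longer required
    return realm_validates(identity, realm_users)

def audit(sessions, realm_users, fmc_version):
    """List sessions whose SGT would be silently dropped as (ip, sgt, user, machine)."""
    dropped = []
    for s in sessions:
        if not mapping_pushed(s["identity"], realm_users, fmc_version):
            user, machine = parse_identity(s["identity"])
            dropped.append((s["ip"], s["sgt"], user, machine))
    return dropped

if __name__ == "__main__":
    for row in audit(SESSIONS, REALM_USERS, "6.1"):
        print("no mapping on 6.1 for %s (SGT %s, user=%s, machine=%s)" % row)
```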

3 Replies


Hello,

 

I kinda have the same problem with 6.4.0.x: SGT tags are assigned in ISE but no tag is passed to FMC.
But this doesn't apply to everybody, just some clients randomly, and we suspect it's something hidden inside its network.
I just don't know how to do good troubleshooting apart from the dump_user file on the FTD and grepping vdi.radius in /var/log/messages.

@belgarioz you can use the commands adi_cli session and OmniQuery.pl. Guide here.
