02-08-2019 11:25 AM - edited 02-21-2020 08:47 AM
ISE version 2.1
FMC version 6.1
Running into an issue getting SGT mappings to be pushed to the sensors from my FMC. I believe I have identified the issue, but wanted to see if anyone has run into this before or got it working.
Here is what I am experiencing:
User connects to wireless, and authenticates using EAP-FAST (user+machine)
ISE assigns an SGT per AuthZ policy
FMC gets user/machine login event and SGT from ISE (screenshot below)
FMC doesn't push the SGT mapping to the sensors - I believe because the username received from ISE is in the form of '<username>/host/<machine>', and it isn't able to find that in the AD Realm. (screenshot below)
If I authenticate using just username and not machine (PEAP+MSCHAPv2 for example) everything works as expected - FMC gets SGT, pushes to sensor, Access Control Policy applied properly.
I found a bug that is kinda related to what I am seeing, but the workaround listed is basically what I am already doing. CSCvd73842
Screenshots:
Any thoughts or experience is appreciated.
-Thanks
04-24-2019 04:01 AM
Hi,
Before Firepower 6.2.0 you need to have a Realm, which validates the username received from ISE, and after that the SGT-IP mapping was pushed to the FTD device. As you write, you are running 6.1...
After 6.2.0 you don't need a realm to validate the username to be able to push the SGT-IP mapping to the device...
...check Table 1
Because you are using EAP-FAST (user+device), FMC sees all that string as one "user" ID, and this is not in AD at all. Actually there is no way to validate an EAP-FAST identity (user+device) against any Realm (there is no possibility of parsing the identity on FMC (received by pxGrid) nor on the ISE platform (before pxGrid)).
(I am in the same situation... lots of discussions with Cisco SE about that... no solution till now.)
If it is enough for you to use SGT tags in the ACL, it can be useful to migrate to 6.2.0 or later.
Regards,
Vladimir
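To make the failure mode in this thread concrete, here is a small triage helper, added as an illustration (it is not code from the thread and not a Cisco or FMC feature). It relies only on the identity form the original poster quoted, '<username>/host/<machine>', and models the pre-6.2 behaviour Vladimir describes: the whole string received from ISE is looked up as one account in the Realm. Session tuples, SGT names and realm users below are constructed sample data; the parsing rule for the chained form is an assumption drawn from that quoted format.

```python
"""Triage which ISE sessions a Realm lookup would fail to resolve.

Added illustration, not part of the thread or of any Cisco product.
Assumption (from the OP's description): an EAP-FAST user+machine session
arrives as '<username>/host/<machine>', which AD does not know as an account.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    raw: str                 # the string exactly as received from ISE
    user: str                # user portion (whole string for plain identities)
    machine: Optional[str]   # set only for chained (user+machine) identities

    @property
    def is_chained(self) -> bool:
        return self.machine is not None


def parse_identity(raw: str) -> Identity:
    """Split the assumed chained form into user and machine; plain names pass through."""
    parts = raw.split("/")
    if len(parts) == 3 and parts[1].lower() == "host" and parts[0] and parts[2]:
        return Identity(raw=raw, user=parts[0], machine=parts[2])
    return Identity(raw=raw, user=raw, machine=None)


def realm_matches(identity: Identity, realm_users: Set[str]) -> bool:
    """Model the thread's pre-6.2 behaviour: the entire received string is the lookup key."""
    return identity.raw.lower() in {u.lower() for u in realm_users}


def triage(sessions: List[Tuple[str, str, str]], realm_users: Set[str]):
    """Return (pushed, unmatched): sessions whose mapping would reach the sensor,
    and sessions that would silently get no SGT-IP mapping."""
    pushed, unmatched = [], []
    for ip, sgt, raw in sessions:
        ident = parse_identity(raw)
        target = pushed if realm_matches(ident, realm_users) else unmatched
        target.append((ip, sgt, ident))
    return pushed, unmatched


# Constructed sample data (not from the thread): (endpoint IP, SGT, identity from ISE).
SAMPLE_SESSIONS = [
    ("10.0.0.11", "Employees", "alice"),
    ("10.0.0.12", "Employees", "bob/host/LAPTOP-BOB"),
    ("10.0.0.13", "Contractors", "carol"),
]
SAMPLE_REALM_USERS = {"alice", "bob", "carol"}

if __name__ == "__main__":
    pushed, unmatched = triage(SAMPLE_SESSIONS, SAMPLE_REALM_USERS)
    for ip, sgt, ident in unmatched:
        # 'bob' exists in the realm, but 'bob/host/LAPTOP-BOB' does not, so no mapping is pushed.
        print(f"no mapping for {ip} (SGT {sgt}): realm cannot resolve {ident.raw!r}; "
              f"user part would be {ident.user!r}")
```

Running it over the sample data lists the single chained session as unmatched even though its user component exists in the realm, which is exactly the gap the thread describes: the fix is not parsing on the FMC side but removing the Realm dependency (6.2.0 and later), as Vladimir notes.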
10-31-2019 03:07 AM
Hello,
I kinda have the same problem with 6.4.0.x: SGT tags assigned to ISE, but no TAG passed to FMC.
But this doesn't apply to everybody, just some clients randomly, and we suspect it's something hidden inside their network.
I just don't know how to troubleshoot it properly apart from the dump_user file in FTD and grepping vdi.radius in /var/log/messages.
10-31-2019 04:25 AM
@belgarioz you can use the commands adi_cli session and OmniQuery.pl. Guide here.