FMC with Identity Policy using Azure AD

dm2020
Level 1

Hi All,

We are currently running FMC and FTD with user identity access control policies. FMC is integrated with ISE, which in turn is integrated with our on-premises Microsoft Active Directory domain using WMI so that user-to-IP mappings can be passed to FMC from Windows security events. This is all working OK.

We are now in the process of migrating devices and users to Azure AD. We have tested 802.1X EAP-TLS wired and wireless authentication for Azure users with ISE and this is working without any issues. We now need to test identity policies; however, I don't think that will work, as even if ISE publishes the Azure AD user to pxGrid (captured from the certificate CN user@xxx.onmicrosoft.com), FMC will not be able to look up the user to confirm group membership etc., as the Realm configuration only supports AD or LDAP sources.

Is support for FMC integration with Azure AD on the roadmap? Are there any workarounds to support this?


12 Replies

Marvin Rhoads
Hall of Fame

My customers needing this have a local AD DC synced to Azure. FMC is then integrated with the AD realm via that DC.

Thanks @Marvin Rhoads

This may work as a temporary solution; however, long term we want to move away from on-prem Microsoft AD and use Azure only. To support this, I assume that FMC will need to support direct integration with Azure (like ISE does today) to be able to query user-to-group membership?

@dm2020 for the longer term, we hope to see Azure AD realm type added in release 7.4 later this year.

Thanks @Marvin Rhoads. Good to know that this feature is on the roadmap. Appreciated.

Hi Marvin, sorry if I ask you directly, and please let me know if it's better to open another thread, but I'm currently stuck on this. Could you please explain this configuration a little more? I'm currently trying (at least I presume) to do exactly the same. Local AD is configured as a Realm under FMC and used in the identity policy (locally we use passive auth with passive identities provided by ISE-PIC, no full ISE installation in place), and local AD is synchronized to Azure AD. I configured a Remote Access VPN connection profile in order to authenticate the users with Azure AD, and the authentication works fine, but the Realm for the logged-in user is set as "Discovered Identities" and not matched to the local AD realm, so it does not match any rule that uses the identity policy. What am I missing? Thank you in advance for your attention.

Sorry, forgot to tag @Marvin Rhoads

Are you gathering the same sAMAccountName for the user and using that as the unambiguous identity throughout?

Hello @Marvin Rhoads and thank you very much for your reply. I think it's exactly here where I'm stuck. Azure AD sends the user's userprincipalname as the Unique User Identifier (Name ID), but I tried to customize it with user.onpremisessamaccountname or user.onpremisesuserprincipalname, and all I get are weird characters in the username, and the realm is still Discovered Identities.

If you can share any pointer to what to customize in the SAML claims in order to get it working, it would be great.

Thank you very much again

@nic-m I'm not sure about this one.

I suggest you open a TAC case. Please let us know what you find out.

Hi @Marvin Rhoads, I was able to solve this. I used a transformation to change the Unique User Identifier value set as user.userprincipalname from the Azure format (that is, for example, user@domain.com) to the local realm one (for example, user@domain.local), as shown below.

[image attachment: GENERIC04.png]

In this way the user realm is correctly set in the FMC and identity policies work.

I really would like to thank you for your time and for pointing me in the right direction with your first answer.

That's really good to know @nic-m. I was thinking about transformations, since we do something similar in ISE sometimes, but I couldn't see how we could do so in FMC.

Doing it at the Azure end seems to be the trick. Good work!

nic-m
Level 1

@Marvin Rhoads I have to thank you. Your first reply to me, asking about gathering the same sAMAccountName, pointed me in the right direction as to what was needed and what I had to try to achieve in some way. And I found the way I posted above. TAC also confirmed that.
