Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2933
Views
5
Helpful
4
Replies

FTD/FMC PxGrid integration with ISE

donald.heslop1
Level 1
Level 1

‎04-12-2020 07:00 AM

Community,

 

Has anyone been able to get PxGrid to work with FMC/FTD because I am running into an issue with it in my POC lab:

 

ISE version 2.6 (using Internal CA for PxGrid)

FMC version 6.6.0

FTD version 6.6.0

Windows 2016 AD (Enterprise CA)

 

To simplify the configuration I used ISE internal CA for pxgrid and generated the cert for the FMC (per Cisco guide documentation). I also configured the AD realm and download the Users/Groups from AD. Both test came back successfully.

 

I can see the AD Users/Groups and the SGT from ISE when I create rules in my ACP.

 

Here's where the problem comes in. I go to Anaylsis-Users and nothing is in there and none of my rules that are using AD user or groups are working. Rules that use SGTs are not working as well.

 

I created an identity policy (passive authentication since I'm using ISE), attached it to the ACP, and deployed it to the FTD. I still don't see any users and the rules won't work.

 

I'm using EAP-TLS with the native Windows client and I see successful authentication and authorization in ISE but ISE isn't pushing any data to the FMC. I configured my Windows server to audit successful logins as well.

 

So far all the discussion I see is PxGrid with the user agent as the identity source and not ISE which isn't helpful unfortunately. Screenshots are included.

 

Any help would be greatly appreciated.

 

PxGrid.zip
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎04-12-2020 07:18 AM

If you have configured the pxgrid integration between FMC and ISE, then that should ensure the User/IP/SGT bindings are sent from ISE to FMC and the users appear under Anaylsis > Users.


On the FMC run the command cat /var/sf/run/adi-health and confirm everything is "UP"

 

Run the command adi_cli session will display the user sessions sent from ISE to the FMC, logoff and login to force the bindings to be updated, they will appear if they are sent and received by the FMC.

 

FMC 6.6 is rather new, no idea if it's been validated to work with ISE yet....just because it's been released doesn't mean it has been tested. Therefore it might be bug.

donald.heslop1
Level 1
Level 1
In response to Rob Ingram

‎04-12-2020 07:52 AM - edited ‎04-12-2020 08:13 AM

Thanks for the reply. I tried it in 6.5.0 as well and was getting the same issue though. I definitely saw it being pushed to the FMC so it might just be a 6.5.0-6.6.0 thing.PxGrid to FMC.png

0 Helpful

Rob Ingram
VIP
VIP
In response to donald.heslop1

‎04-12-2020 11:45 AM

Ok, I've definately got it working before using FMC v6.5 and ISE 2.6. I don't have access to my lab at present to double check, but the following links may be useful to compare configuration and also they have some useful debug commands.

 

FMC/FTD User Identity

ISE pxgrid integration

 

HTH

0 Helpful

donald.heslop1
Level 1
Level 1
In response to Rob Ingram

‎04-12-2020 12:27 PM

RJI,

I noticed that the FMC isn't put in the EPS,ANC group automatically. Should I manually add it to those group in PxGrid services?
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card