
FTD via FDM

jebankshrcu
Level 1

Hi All,

I have been having a hard time integrating ISE with my Cisco FTD, since most of the articles cover using the FMC. For my FTD device I am using FDM, not FMC. What I am trying to accomplish is to block web WhatsApp by user. I have been able to integrate AD with my FTD, but after a debug done with Cisco TAC they said I need ISE for the mapping of IP to user, since the log below shows the highlighted error.

> 157.240.14.52 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'WhatsAppBlocking', user 9999999, realm 0

I have integrated ISE in my environment already but am stuck in the certificate part. From what I understand I should enable pxGrid, which I have already done in ISE, and I have generated the necessary certs for it, but now on my FTD device side I am only able to upload my CA certificate and am not able to generate my own cert on my FTD device.

 

13 Replies

@jebankshrcu use openssl from the CLI of the FTD to generate the CSR, as per this guide:

https://integratingit.wordpress.com/2021/11/06/fdm-pxgrid-integration-with-ise/
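The CSR step from the reply above, as an added example that is not from the original post or the linked guide. It generates the FTD's private key and a CSR with openssl, puts the FTD's FQDN in a subjectAltName (ISE validates the name it connects to), and checks the CSR's self-signature before it is uploaded to ISE for signing. The hostname, organization, output directory and file names are assumptions for illustration; the private key stays on the FTD and only the CSR goes to ISE.

```shell
# Added example (not from the original post or the linked guide).
# Assumed names: ftd.example.com, "Example Org", ftd-pxgrid.key / ftd-pxgrid.csr.
# Requires OpenSSL 1.1.1+ for -addext.

ftd_pxgrid_csr() {
  # $1: output directory, $2: FTD FQDN, $3: RSA key size (default 2048)
  dir="$1"; fqdn="$2"; bits="${3:-2048}"
  mkdir -p "$dir" || return 1
  # Private key for the FTD pxGrid client certificate. It never leaves the FTD.
  openssl genrsa -out "$dir/ftd-pxgrid.key" "$bits" 2>/dev/null || return 1
  # CSR with the FQDN both as CN and as a DNS SAN; ISE and modern TLS
  # clients match on the SAN, so CN alone is not enough.
  openssl req -new -key "$dir/ftd-pxgrid.key" -out "$dir/ftd-pxgrid.csr" \
    -subj "/CN=$fqdn/O=Example Org" \
    -addext "subjectAltName=DNS:$fqdn" 2>/dev/null || return 1
  # Verify the CSR's self-signature so a truncated or corrupt file is caught
  # before it is pasted into the ISE certificate provisioning portal.
  openssl req -in "$dir/ftd-pxgrid.csr" -noout -verify >/dev/null 2>&1 || return 1
  printf '%s\n' "$dir/ftd-pxgrid.csr"
}

# Extract the CN from a CSR so the operator can confirm it matches the FTD
# hostname ISE will see (handles both "CN = x, O = y" and "/CN=x/O=y" output).
csr_subject_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage: ftd_pxgrid_csr /tmp/pxgrid ftd.example.com 2048
```

After ISE signs the CSR, the signed certificate plus the ISE CA chain is what gets imported on the FDM side alongside the key generated here; the `-verify` check only proves the CSR is intact, it says nothing about whether ISE will trust it, which depends on the CA you upload on both ends.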

 

Hi Rob:

Forgive my ignorance here. So for ISE to have this information for the IP mapping, I would need to have the end-user devices authenticate from the access switch to ISE via 802.1X, and then that info is what will be sent to my FTD? Do my end-user devices (meaning laptops, desktops etc.) need connectivity to ISE for this to work?

@jebankshrcu yes, the users authenticate via wired or wireless using ISE as the RADIUS server, which then sends the IP/user bindings to the FMC, which in turn sends these bindings to the FTD. If you add an AD realm you can use AD groups (which the users are a member of) in the FTD ACP rules. https://integratingit.wordpress.com/2021/11/07/fdm-identity-policy-and-ad-realm/

If using 802.1X authentication, it's the switches that need to communicate with ISE.

 

That is what I have done on the FTD device. I have added the AD realm and got the AD groups and have tried to match them via my ACL, but the log error was the below:

157.240.14.52 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'WhatsAppBlocking', user 9999999, realm 0

I will look over the second link you sent me. That one looks like what I am trying to do.

@jebankshrcu from your first post it sounds like you had not configured the certificate on the FMC, so you are unlikely to have any IP/user bindings learnt from ISE until you configure the integration correctly. The first link provided has the commands to use to troubleshoot and determine whether you have these bindings.

OK. So from looking over the links, I need to make sure my access switches are integrated too. I was thinking that just getting the AD realm integrated with my FTD via FDM was all I needed, since I was able to pull my AD data from the configuration that was done for the AD realm.

@jebankshrcu correct, without those IP/user bindings the FTD is not going to know which user the IP address is associated with. Both those links I provided include enough to get the bindings and the AD realm integrated into FDM.

OK, thanks for that clarity. Now I may have some issues then, because my access switches are CBS350-48P-4X models and I don't think they are fully compatible with Cisco ISE. They do have some 802.1X functions, but not compared to a 3750-X switch model etc.

 

@jebankshrcu if the switch supports 802.1X, then it can authenticate against ISE, which can send those bindings to the FMC.

Hi Rob:

Thanks for the input. Let me try and see what I can do. I'll update you.

What I get from your request is that you need an ACL applied to a specific user, so you need a way to make the FTD recognize the user?

MHM

That is correct
