07-08-2019 01:47 AM - edited 02-21-2020 09:17 AM
Hello
I aim to implement FMC by utilising:
1) Active Directory for creating Access Control rules based on AD Groups
2) ISE as an Identity source
I intend for the user's login ID to be visible in all logs; also, I do not want to use the User Agent as an Identity Source, I want to use ISE.
So far I configured the following:
1) Successfully added AD as a realm, and able to download Users and Groups
2) Added ISE as Identity Source, added pxGrid Server CA, MNT Server CA and FMC Server Certificates, "Test" works successfully.
I created an access policy
Rule 1:
Source Zone / Source Destination : Any / Any
Under the 'Users' tab, I select an AD group whose access I want to restrict and select the appropriate 'Applications' and 'URLs'.
Then I have some generic Allow / Deny rules.
Problem:
1) This doesn't work. Rule 1 is never processed, and "Default Action (Balanced Security and Connectivity)" is invoked.
2) I don't see user name in the event log either.
3) In AD Realms, though I am able to download users and groups, 'Test AD Join' says 'Test AD join Failed'. Could this be the reason for the entire failure?
4) Do I have to configure anything on ISE? I configured the following authorisation rule, but I see no hits. I am not an expert on ISE and may have got this completely wrong.
I admit I may not have done everything required for this setup, and I seek help with the same.
Thank you very much in advance.
07-08-2019 04:28 AM
Did you approve your FMC as a pxGrid subscriber (or have auto approval enabled) in ISE?
07-08-2019 04:35 AM
Hi Marvin, thank you for your response. Auto approval is enabled and pxGrid is connected successfully.
"Connected to pxGrid ciscoise.xxxxx.net" is what I see when I go to Administration then PXGrid Services.
07-08-2019 04:36 AM - edited 07-08-2019 07:52 AM
Somehow I can't edit my initial post
"Initiator User" under event logs says "Unknown user"
07-08-2019 10:02 PM
If the user is never triggering an Authorization rule in ISE then there will be no identity to share with the FMC. Thus I would recommend you focus on the ISE side.
Check your RADIUS live logs in ISE to see what rule is being matched and adjust your policy set accordingly until you have the desired Authorization rule match in ISE. At that point there should be endpoint context that can be shared with FMC.
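The troubleshooting logic in the answer above (no ISE Authorization match means no identity for FMC to show) can be applied to exported logs rather than by eye. The following is an added example, not code from the thread or from Cisco: it correlates FMC connection events whose Initiator User is "Unknown" with ISE RADIUS live-log rows for the same endpoint IP and tells you which side to look at. The CSV column layouts and all log rows are constructed for the example and are not the real FMC or ISE export formats.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample of ISE RADIUS live-log rows (hypothetical column layout).
ISE_LIVE_LOG = """\
timestamp,status,username,endpoint_ip,authorization_rule
2019-07-08T09:58:01,Passed,jdoe,10.1.20.15,Employees_Wired
2019-07-08T09:58:40,Failed,,10.1.20.99,
2019-07-08T10:00:02,Passed,asmith,10.1.20.31,Default
"""

# Constructed sample of FMC connection events (hypothetical column layout).
FMC_EVENTS = """\
time,initiator_ip,initiator_user,responder_ip,action,rule
2019-07-08T10:01:10,10.1.20.15,Unknown,203.0.113.10,Allow,Default Action
2019-07-08T10:01:12,10.1.20.99,Unknown,203.0.113.10,Allow,Default Action
2019-07-08T10:01:15,10.1.20.31,asmith,203.0.113.10,Block,Rule 1
2019-07-08T10:01:20,10.1.20.77,Unknown,203.0.113.10,Allow,Default Action
"""


def ise_identities(live_log_csv: str) -> Dict[str, Tuple[str, str]]:
    """Map endpoint IP -> (username, authorization rule) for each passed
    authentication. Failed rows carry no identity ISE could publish."""
    identities: Dict[str, Tuple[str, str]] = {}
    for row in csv.DictReader(io.StringIO(live_log_csv)):
        if row["status"] == "Passed" and row["username"]:
            identities[row["endpoint_ip"]] = (row["username"], row["authorization_rule"])
    return identities


def classify_unknown_initiators(fmc_csv: str,
                                identities: Dict[str, Tuple[str, str]]) -> List[dict]:
    """For every FMC event with an unknown initiator, decide whether the gap is
    on the ISE side (no passed authentication for that IP) or on the sharing
    side (ISE knows the user, so check pxGrid publishing and the FMC identity
    policy)."""
    findings = []
    for ev in csv.DictReader(io.StringIO(fmc_csv)):
        if ev["initiator_user"] != "Unknown":
            continue
        ip = ev["initiator_ip"]
        if ip in identities:
            user, rule = identities[ip]
            reason = "ise_has_identity"
            detail = f"ISE matched {user} via rule '{rule}'; check pxGrid/identity policy"
        else:
            reason = "no_ise_authz_pass"
            detail = "no passed authentication for this IP in the ISE live log"
        findings.append({"time": ev["time"], "ip": ip, "reason": reason, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in classify_unknown_initiators(FMC_EVENTS, ise_identities(ISE_LIVE_LOG)):
        print(f"{f['time']} {f['ip']:<12} {f['reason']:<18} {f['detail']}")
```

Events where ISE already holds a passed authentication for the initiator IP point at the FMC/pxGrid side; the rest confirm the advice above, that the endpoint never matched an Authorization rule and the ISE policy set is where to start.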
07-10-2019 02:53 AM
Thanks Marvin.
We resolved this by enabling Passive ID on ISE.