11-19-2024 08:43 AM
I have an ISE-PIC that is configured to poll 8 Windows DCs using WMI (agentless). There are no obvious errors in the logs and the live sessions screen appears to have the correct and up-to-date user/IP mappings for my users. However, when I check the connectivity log on the FMC I see "user not found" for IPs that have clearly been identified and have active sessions on ISE. This does not happen to all users since the FMC does show the correct user ID for some IPs. It seems to be random and I cannot figure out why some users are correctly mapped and not others. In the screenshots attached you can see this behavior with .69 and .73 both showing users in the ISE live session but the FMC shows the user only for .73. Any ideas?
Thanks,
02-01-2025 10:59 AM
Update on this issue: We noticed that the user sessions that were not showing on the FMC had both WMI *and* endpoint as the provider in the ISE-PIC live session screen. Users that showed correctly on the FMC were showing only WMI. We disabled endpoint probes in the ISE-PIC config and rebooted both ISE-PIC and FMC, but sessions would still show "endpoint" in the live session and not show in FMC. I then opened a ticket with TAC, who had me clear the user sessions that showed the endpoint provider. After having their sessions cleared, the users would log in again and not show endpoint anymore. From that point forward no more sessions show with "endpoint" and all users show in FMC as expected.
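The diagnosis above (sessions whose provider set includes "endpoint" alongside WMI are the ones FMC reports as "user not found") can be checked systematically before opening a ticket. The script below is an added example, not from this thread or from Cisco; it reconciles an ISE-PIC live-session list against FMC connection events and reports, per provider set, how many mappings FMC found or missed. The record layouts and all IPs, usernames and provider strings are constructed for illustration; a real run would fill the two lists from an ISE-PIC live-session export and an FMC connection-event export.

```python
# Added example: correlate ISE-PIC live sessions with FMC user lookups
# to find which identity provider sets line up with "user not found".
from collections import defaultdict

# Constructed ISE-PIC live-session records: (ip, username, providers)
ISE_SESSIONS = [
    ("10.0.0.69", "alice", {"WMI", "Endpoint"}),
    ("10.0.0.73", "bob", {"WMI"}),
    ("10.0.0.80", "carol", {"WMI", "Endpoint"}),
    ("10.0.0.81", "dave", {"WMI"}),
]

# Constructed FMC connection-event records: (initiator ip, user as FMC shows it)
FMC_EVENTS = [
    ("10.0.0.69", "user not found"),
    ("10.0.0.73", "bob"),
    ("10.0.0.80", "user not found"),
    ("10.0.0.81", "dave"),
]


def reconcile(ise_sessions, fmc_events):
    """Return (missing, stats).

    missing: list of (ip, ise_user, providers) for hosts ISE-PIC has a
             session for but FMC logs as "user not found".
    stats:   {frozenset(providers): {"hit": n, "miss": n[, "mismatch": n]}}
             so a provider set that only ever misses stands out at once.
    """
    ise = {ip: (user, frozenset(prov)) for ip, user, prov in ise_sessions}
    fmc = {ip: user for ip, user in fmc_events}
    missing = []
    stats = defaultdict(lambda: {"hit": 0, "miss": 0})
    for ip, (user, prov) in ise.items():
        reported = fmc.get(ip)
        if reported is None:
            continue  # FMC saw no traffic from this host; nothing to compare
        if reported.lower() == "user not found":
            missing.append((ip, user, prov))
            stats[prov]["miss"] += 1
        elif reported == user:
            stats[prov]["hit"] += 1
        else:  # FMC attributed the IP to a different user than ISE-PIC
            stats[prov]["mismatch"] = stats[prov].get("mismatch", 0) + 1
    return missing, dict(stats)


if __name__ == "__main__":
    missing, stats = reconcile(ISE_SESSIONS, FMC_EVENTS)
    for ip, user, prov in missing:
        print(f"{ip} ({user}) missing in FMC; ISE-PIC providers: {sorted(prov)}")
    for prov, counts in stats.items():
        print(sorted(prov), counts)
```

With the constructed data, every miss falls in the {Endpoint, WMI} bucket and every hit in the {WMI} bucket, which is the pattern the thread describes; those are the sessions to clear and re-check.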
11-19-2024 11:19 AM
Why use ISE-PIC at all? Why not the native agent in FMC 7.6? Or active authentication?
11-19-2024 12:19 PM
ISE-PIC seems like a good fit because:
1) we are on v7.4 and like to stay on gold star versions
2) we have some older DCs which might have compatibility issues with newer agent software
3) active auth seems harder to set up (I believe we would need RADIUS and/or NPS?)
4) management is not too keen on adding extra steps to get on the Internet (it might seem trivial, but regardless it's an issue)
11-19-2024 12:36 PM
11-19-2024 02:22 PM
@ahollifield you make good points but let me advocate for my side a bit. At this point in time, we appear to have a mostly working solution that meets our current needs. The current system is working but needs a bit of troubleshooting to get what appears to be a small glitch ironed out.
I acknowledge that the recommendations you give are sound and will provide a more durable and robust outcome, but it also means that we would dump all the time and effort we have put into the existing system and, except for FMC which is an upgrade, we would basically start over with new integration config, software agents, switch configuration, RADIUS/NPS, etc.
In addition to that, it is most likely that the new setup will also need some troubleshooting, and there is no way to tell if it will need more or less troubleshooting than what we are currently looking at.
The way I see it, at some point in the not too distant future, the FMC and the DCs will be upgraded and at some point we'll implement 802.1x and switch to active authentication but that is still a ways away.
Given the above, is it not unreasonable that we would want to invest a little more time in the current setup than to practically start over?