Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
920
Views
2
Helpful
5
Replies

ISE Guest usernames in FMC Connection Events.

wgomez
Level 1
Level 1

‎11-17-2023 05:24 PM

Hello,

Similar to the discussion linked below. Id like to see the username of an ISE guest user on the source user in each connection event in our FMC.  Similar to how it shows with our AD users (those are being IP mapped via the ISE identity source and the realm setup + the IdPolicy. I believe since (most) ISE guest use cases don't use any AD piece there is no realm that we can associate it to in the FMC identity policy. Is there any way around this or a new way of setting it up?

 

https://community.cisco.com/t5/network-access-control/does-ise-pic-via-pxgrid-provide-passive-identity-information-for/td-p/3781002

0 Helpful
5 Replies 5

Arne Bier
VIP
VIP

‎11-20-2023 12:42 PM

Are you looking for a way of getting access to the internal list of IP addresses and their associated ISE Guest usernames, so that the FMC can map an IP source address to a name label for display purposes?

I wonder if FMC has such an integration, because it sounds kind of special to me. Perhaps via pxGrid, or REST API. Since a guest user is authenticated via a successful MAB authentication, the ISE RADIUS LiveLogs will display the username of the guest (instead of the MAC address, as was the case in older ISE versions). 

0 Helpful

wgomez
Level 1
Level 1

‎11-22-2023 09:12 AM

Hi Arne, Thanks for your reply. 

Currently, I have ISE sharing Guest context (username and IP address) via pxgrid to our FMC and we are able to get the guest username tied to an IP address when we search for host information on FMC. Our issue is that we do not see the username under unified events > connection events. I have added a screen capture of both. 

I realize now this is more of an FMC question... can I move this to that section of the site? I had a conversation with a Firepower TAC engineer and they said that connection events come from the Access Control Policy and within the policy you tie it to an Identity Policy which needs to have a realm. Since realms are AD-based, we cannot configure the ISE identities as a realm for the ACP to use. 

Our AD corporate users do appear in the connection events. We just want the guest usernames to appear in the connection events in FMC since these systems "talk" to each other. I like to think one day "single pane" (less panes) of glass will come true  

Preview file
25 KB
Preview file
15 KB
0 Helpful

Arne Bier
VIP
VIP

‎11-22-2023 02:40 PM

Interesting. I think it might be better to move the chat to the "FMC Community" forum - perhaps this requires feature development on FMC or pxGrid side - hard to tell. 

wgomez
Level 1
Level 1

‎12-18-2023 11:01 AM

Thanks, Arne. That's what I will be doing.

Btw long time fan, your posts have helped me numerous times. Thanks again.

TODavies
Level 1
Level 1

‎05-01-2024 07:16 AM

Did you ever get a solution for this? Is there a way of setting up a FMC realm to link back to ISE internal/guest identities?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card