
ISE Passive Identity with FMC

georgehewittuk1
Level 1

Hi Guys,

 

I just want to double confirm my understanding for this feature: ISE acts as a pxGrid Controller and FMC subscribes to the controller to receive session data. Note: we have a normal install of ISE, not ISE PIC... (Not actually used or installed that before; looks like a different install altogether.)

 

To use pxGrid we need to have plus licensing per user?


(https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_man_license.html#id_24976)

 

We are also going to need all users wired/wireless/vpn that are using passive identity/user based rules on the FW to avoid issues.

 

Thanks

3 Replies

@georgehewittuk1 

Yes, you'll need Plus licensing (in addition to Base) to use pxGrid services. Once set up, the pxGrid connection will send IP/user (and SGT if using TrustSec) mappings to the FMC, which in turn will send them on to the FTDs.

I think the licensing statement is incorrect. If you have a Base License you are allowed to run pxGrid for Cisco Subscribers only.

 

To quote the configuration guide:

 

License Package: Base

 

Passive identity services available as part of the upgrade from ISE-PIC to a Base license include limited pxGrid features available to Cisco subscribers only.

I believe the "limited pxGrid features" alludes to the fact that you get only user-IP mapping for Cisco subscribers such as FMC, not the full context data that ISE can potentially share via the higher license tiers ("Plus" under ISE 2.x or "Advantage" under 3.x smart licenses).

Basically it's the same as what you get from ISE-PIC (which is just a stripped down ISE deployment that only collects that basic data).
