Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
899
Views
10
Helpful
4
Replies

Issue with Remote VPN User Identity when using user agent and migration advice to ISE-PIC

Jack G
Level 1
Level 1

‎01-28-2020 06:12 AM

Every since I upgraded FMC from 6.2.2 to 6.4, VPN users show as unknow user. I have a case open with TAC with no resolution yet. Any thoughts? I think it's occurring with multiple clients for I just tested another one. Also, any recommendation for a migration path from user agent to ISE-PIC? I don't have much experience with ISE and not sure if this is the best migration. Also is there a cost for ISE-PIC license? Any confirmed versions release which the user agent till not be support anymore? 

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎01-28-2020 10:31 AM

Hi,

Do you have an Identity Policy setup and applied to the FTD? I am running 6.5 on the FMC and 6.4.0.5 on the FTD, in my user activity sessions the VPN users are correctly identified.

 

I've no experience of ISE-PIC, but I do with ISE - it's the same principle. Use this guide as a reference to setup ISE and FMC integration. I think the ISE-PIC license is meant to be very cheap, approx a couple of thousand $.

 

I don't believe the agent is EOL yet, I think ISE/ISE-PIC is the desired solution going forward. I would plan to move to ISE-PIC sooner rather than later.

 

HTH

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-28-2020 03:32 PM

Yes, User Agent support will be discontinued.

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/control_users_with_the_user_agent.html#id_113168

I believe that will be as of FMC 6.6.

ISE or ISE-PIC is the recommended replacement. For existing customers I believe Cisco will be offering ISE-PIC for very low price (possibly no cost).

There's not really a "migration" path as ISE-PIC is a completely separate and distinct product. It's not terribly complex to setup though.

Jack G
Level 1
Level 1
In response to Marvin Rhoads

‎01-29-2020 12:23 PM

Thank you, I often see pxGrid.  Is pxGrid a separate product which can integrate with ISE-PIC and ISE? pxGrid appears to be a product for sharing data, but shouldn't be required for just Firepower passive identity purposes, correct?

0 Helpful

Muhammad Awais Khan
Cisco Employee
Cisco Employee
In response to Jack G

‎01-30-2020 03:59 AM

Hi,

 

Pxgrid is a service that can be enable on ise-pic itself or on ISE PSN nodes. The px-grid is a feature use to share contextual information with third party and Cisco applications like FMC, stealthwatch.

 

When ise-px grid use with Cisco consumer like FMC or stealthwatch, it requires ISE base license only but if use PX-grid with third party then AC Plus licenses will be required.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card