Beginner

Issue with Remote VPN User Identity when using user agent and migration advice to ISE-PIC

Ever since I upgraded FMC from 6.2.2 to 6.4, VPN users show as unknown user. I have a case open with TAC with no resolution yet. Any thoughts? I think it's occurring with multiple clients, for I just tested another one. Also, any recommendation for a migration path from user agent to ISE-PIC? I don't have much experience with ISE and am not sure if this is the best migration. Also, is there a cost for the ISE-PIC license? Is there any confirmed release version in which the user agent will not be supported anymore?

VIP Advisor

Re: Issue with Remote VPN User Identity when using user agent and migration advice to ISE-PIC

Hi,

Do you have an Identity Policy set up and applied to the FTD? I am running 6.5 on the FMC and 6.4.0.5 on the FTD; in my user activity sessions the VPN users are correctly identified.

I've no experience of ISE-PIC, but I do with ISE - it's the same principle. Use this guide as a reference to set up ISE and FMC integration. I think the ISE-PIC license is meant to be very cheap, approx a couple of thousand $.

I don't believe the agent is EOL yet; I think ISE/ISE-PIC is the desired solution going forward. I would plan to move to ISE-PIC sooner rather than later.

HTH

Hall of Fame Guru

Re: Issue with Remote VPN User Identity when using user agent and migration advice to ISE-PIC

Yes, User Agent support will be discontinued.

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/control_users_with_the_user_agent.html#id_113168

I believe that will be as of FMC 6.6.

ISE or ISE-PIC is the recommended replacement. For existing customers I believe Cisco will be offering ISE-PIC for a very low price (possibly no cost).

There's not really a "migration" path as ISE-PIC is a completely separate and distinct product. It's not terribly complex to set up though.

Beginner

Re: Issue with Remote VPN User Identity when using user agent and migration advice to ISE-PIC

Thank you, I often see pxGrid. Is pxGrid a separate product which can integrate with ISE-PIC and ISE? pxGrid appears to be a product for sharing data, but shouldn't be required for just Firepower passive identity purposes, correct?


Re: Issue with Remote VPN User Identity when using user agent and migration advice to ISE-PIC

Hi,

pxGrid is a service that can be enabled on ISE-PIC itself or on ISE PSN nodes. pxGrid is a feature used to share contextual information with third-party and Cisco applications like FMC and Stealthwatch.

When ISE pxGrid is used with a Cisco consumer like FMC or Stealthwatch, it requires the ISE Base license only, but if pxGrid is used with a third party then AC Plus licenses will be required.