
Realms and Identity Sources

Chess Norris
Level 4

Hello,

In order to be able to see usernames in the FMC connection event log, would it be enough to add our AD server as a realm and create an identity policy, or do we also need to configure an identity source (like Cisco ISE) for this to work?

Thanks

/Chess

 


Accepted Solutions

@Chess Norris If you are using the FTD for Remote Access VPN then the users will be learnt passively (you don't need to specify an ID source). However, if you want the usernames for wired/wireless authenticated users to be learnt by the FMC/FTD, then you need to send the IP/Username bindings to the FMC via pxGrid.



Thank you for the confirmation.

/Chess

Adding to what @Rob Ingram correctly noted:

Realm integration tells FMC these are the AD groups and their members for your configured realm.

The ISE identity source maps IP addresses to users. ISE obtains that information via either active (802.1x) or passive (via the PassiveID feature, which reads from your DCs' event logs) authentication.

Thanks Marvin!
