user-ip mapping for lan connection

chengl031
Level 1

Hello,

We need to audit the network traffic and also apply some rules based on user or groups. Is there a way that a switch or a wireless controller can provide a user-to-IP mapping table? This needs to be "auth-level"; the data needs to be unique and fresh. For example, if a user manually sets a static IP (ignoring DHCP) or changes IP after a successful DHCP, the firewall needs to know about the change immediately, maybe via something like an SNMP trap.

Until now I know the switch has a function called device-tracking; is it a good choice for the above situation? Do we have some other way? What about wireless? Thanks

10 Replies

@chengl031 you would need to use 802.1X with ISE, which can authenticate wired, wireless and VPN users. These IP/user bindings can then be transmitted to the FTD firewall using the pxGrid feature. You can then create firewall rules based on user or group information.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/identity-overview.html

Yes, thanks for your quick reply. We do have an FTD with FMC, and are also planning for ISE. But I'm interested in how the switch and wireless controller provide the latest user-IP mapping to ISE. Which config or technology is used? Especially when a user manually changes the IP, how could ISE find the change right after it happens?

@chengl031 the client devices are configured with 802.1X; the username is sent to ISE to authenticate. As part of that process, the IP device tracking feature configured on the switches sends the IP/MAC mapping to ISE in the RADIUS accounting packet. Thus ISE has the IP/user mapping, which is sent to the firewall via the FMC.

Is there an interval between the switch sending accounting packets to ISE? Will there be a time gap when a user changes their IP after authenticating? Like a TOCTOU attack: the user has already changed to a new IP, but the FTD still holds an old version of the mapping.

And also, if some user changes their IP and it duplicates another user's, what action will the switch and ISE take? Like an IP spoofing attack.

@chengl031

If the IP address was changed on the device, reauthentication will occur and ISE will know of the IP address as part of that process. ISE will send that updated information to the FMC straight away.

Regardless, if they did change their IP address, they could only change to an IP address in the same VLAN they are connected to; otherwise they will not be able to route over the network.

If you authenticate the users that implies the user is trusted. If you manage the computers they are connecting from, then restrict the ability to assign a static IP address.

Dynamic ARP inspection (which relies on DHCP snooping) could be used to ensure the user has a valid IP/MAC binding on the switch, via DHCP. If the user were able to assign a static IP address, there would be no binding and thus the connection would be dropped.
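As an added illustration (not code from any poster in this thread), the check below compares the user/IP view a firewall would hold from RADIUS accounting (User-Name, Calling-Station-Id, Framed-IP-Address) against a DHCP snooping binding table, and flags the two cases raised earlier in the thread: a mapping that went stale after the user changed IP, and one IP claimed by two MACs. The table layout, user names and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a switch's DHCP snooping binding table
SNOOPING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
00:11:22:33:44:55   10.1.10.21       86400       dhcp-snooping  10    Gi1/0/5
00:11:22:33:44:66   10.1.10.22       86400       dhcp-snooping  10    Gi1/0/6
"""

# Constructed sample of what the firewall currently holds, as learned from
# RADIUS accounting (User-Name, Calling-Station-Id, Framed-IP-Address)
ACCOUNTING = [
    {"user": "alice", "mac": "00:11:22:33:44:55", "ip": "10.1.10.21"},  # consistent
    {"user": "bob",   "mac": "00:11:22:33:44:66", "ip": "10.1.10.99"},  # changed IP after auth
    {"user": "eve",   "mac": "00:11:22:33:44:77", "ip": "10.1.10.21"},  # static IP, duplicates alice
]

BINDING_RE = re.compile(r"^([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+dhcp-snooping", re.I)

def parse_bindings(table):
    """Return {mac: ip} for every dhcp-snooping line in the table text."""
    bindings = {}
    for line in table.splitlines():
        m = BINDING_RE.match(line)
        if m:
            bindings[m.group(1).lower()] = m.group(2)
    return bindings

def audit(accounting, bindings):
    """Compare the firewall's user/IP view against the switch's DHCP bindings.

    Returns (user, finding) tuples; an empty list means every user/IP pair
    the firewall holds is backed by a current DHCP binding and is unique.
    """
    findings = []
    owners = defaultdict(set)  # ip -> set of MACs claiming it
    for rec in accounting:
        owners[rec["ip"]].add(rec["mac"].lower())
    for rec in accounting:
        mac, ip = rec["mac"].lower(), rec["ip"]
        if mac not in bindings:
            findings.append((rec["user"], "no DHCP binding (static IP; DAI would drop it)"))
        elif bindings[mac] != ip:
            findings.append((rec["user"], f"stale mapping: binding says {bindings[mac]}"))
        if len(owners[ip]) > 1:
            findings.append((rec["user"], f"{ip} claimed by {len(owners[ip])} MACs"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(ACCOUNTING, parse_bindings(SNOOPING_TABLE)):
        print(f"{user}: {finding}")
```

On the sample data this reports bob's stale mapping, eve's missing binding, and the IP shared by alice and eve; in practice the same comparison would run against a real binding table and the identity mappings exported to the firewall.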

Really? I think in the default configuration the LAN authentication is only on layer 2; I tried to change the IP on a wireless network with the WPA2-Enterprise authentication method and succeeded. Please tell me if I missed something or if this behaviour needs additional config.

I want to try to figure it out in the network scope first; if not, then I'll think about some solution using an agent or tools on the client. A very important requirement is traffic audit, so the VLAN scope is too large and cannot be related to a single user. And also, you know FTD is an NGFW; we also want to use some layer 7 access control policies, such as defining rules based on AD user group. These also need a user-IP mapping.

Hi

To control a machine at that level, it would be better to use some solution that directly interacts with the machine itself, like CrowdStrike for example.

Thanks, you mean I need direct control of the client OS? Such as not giving users local admin privileges in Windows to prevent unexpected IP changes? Is there no good way to deal with this in the network scope?

I used to work in a company that used the solution I mentioned, and the control they had over the machine was extremely high, to the point that they could know about any network change on the machine. It is not about user privilege but monitoring and control.

Check the tool out and you can see. But they also have ISE with NAC and everything, of course.

Thanks again, I'll take a look at that solution.
