1804 Views | 0 Helpful | 4 Replies

USER-IP mapping FTD

hsangral
Cisco Employee

Hello,

I understand that in order to integrate FTD with ISE we need to perform pxGrid integration and add Active Directory as a realm, which works well.

What about the users performing dot1x authentication using the ISE local database? How does FTD fetch that information?


4 Replies

Hi,
The pxGrid integration between ISE and FTD would send all IP/user bindings to the FTD. However, if the user is defined only in the ISE database, the AD realm defined on the FTD will not be able to query the group membership for those users.

You could define rules on the FTD using SGTs (rather than query for group membership) that were assigned to those ISE local users, or use AD to authenticate users.

HTH

Thanks,


The SGT approach would not be applicable to a non-SDA environment.

If the FTD is not using AD groups in the policies, would it still fetch the information (user-IP mapping), and could the ISE local username be seen in the connection events? In this case the creation of realms would not be necessary. Correct me if I am wrong.

If you just want IP/user mappings in connection events, then I see no reason why that should not work. However, if you want to use the username/group information in the ACP for enforcement, then you'd need to learn the group mappings from the AD realm, which is not possible if the user is in the ISE local database.

HTH

Thanks
