Eap-chaining and PXgrid

tuenoerg
Cisco Employee

x-posted to internal cs-firepower mailing list.

Hi all,

I have the following problem:

Users are normally represented as domain\username, which FMC can use for group lookup in AD/LDAP with username = "username".

But with EAP chaining it will look like domain\username/PCname, which cannot be used in the LDAP/AD lookup inside FMC, since the username will be: username, host/PCname.

Can I in any way strip the information before it "leaves" ISE into pxGrid?

best regards

Tue
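An added example, not from the thread and not Cisco's code: a small normalizer that takes identity strings in the shapes Tue describes (domain\username, domain\username/PCname, "username, host/PCname", and a machine-only host/PCname) and recovers the domain\username part a directory lookup expects, flagging machine-only sessions so they are not matched as users. The sample identities and the EXAMPLE domain are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample identities in the shapes the thread describes.
SAMPLE_IDENTITIES = [
    r"EXAMPLE\alice",                   # plain user
    r"EXAMPLE\alice/WS-ALICE01",        # EAP chaining: user/PCname
    r"EXAMPLE\alice, host/WS-ALICE01",  # the "username, host/PCname" form
    "host/WS-ALICE01",                  # machine-only authentication
    "bob@example.test",                 # UPN style
]

@dataclass(frozen=True)
class Identity:
    domain: Optional[str]
    user: Optional[str]
    machine: Optional[str]

    def lookup_key(self) -> Optional[str]:
        """domain\\user for the directory lookup, or None if no user part."""
        if not self.user:
            return None
        return f"{self.domain}\\{self.user}" if self.domain else self.user

_HOST = re.compile(r"^\s*host/(?P<pc>[^,/\s]+)\s*$", re.I)

def normalize_identity(raw: str) -> Identity:
    """Split an ISE/pxGrid-style identity into domain, user and machine."""
    domain = user = machine = None
    parts = [p.strip() for p in raw.split(",")]
    principal = parts[0]
    for extra in parts[1:]:            # ", host/PCname" appended to the user
        m = _HOST.match(extra)
        if m:
            machine = m.group("pc")
    m = _HOST.match(principal)
    if m:                              # machine-only: nothing to look up as a user
        return Identity(None, None, m.group("pc"))
    if "/" in principal:               # "user/PCname" from EAP chaining
        principal, machine = principal.split("/", 1)
    if "\\" in principal:
        domain, user = principal.split("\\", 1)
    elif "@" in principal:
        user, domain = principal.split("@", 1)
    else:
        user = principal
    return Identity(domain, user, machine)

if __name__ == "__main__":
    for ident in SAMPLE_IDENTITIES:
        print(f"{ident!r:40} -> {normalize_identity(ident).lookup_key()}")
```

Stripping on the consuming side like this is an assumption about where the fix can live; it does not change what ISE publishes.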

6 Replies

Timothy Abbott
Cisco Employee

Hi,

No, I don't think this is possible today.  Including jeppich to comment further.

Regards,

-Tim

Hey Tim, Tue,

So for EAP Chaining the username and machine syntax, such as domain\username or username@domain, is dependent on the protected identity pattern. You can use AnyConnect NAM to test around with this. With Firepower it is possible to get username, domain/name.

This is not a pxGrid issue. Which version of Firepower are you using?

Thanks,

John

jeppich@cisco.com

Hi John,

I'm not sure I fully understand what you mean.

Firepower version 6.1 is being used.

In FMC it looks like this now:

imageFMC.png

Then the identity does not match and the rules do not apply.

Best regards

Tue

Hi

This is how it looks inside FMC:

image002.png

So the identity received from ISE cannot be matched.

How do I make sure I can use the identity in my FMC policies?

I have attached a PDF file showing the live log from ISE.

Best regards

Tue

Hey Tue,

What do you see under the FMC User Activity screen? Are you seeing the same? What version of FMC are you using?

You can try creating an access policy based on user. Or better yet, assign an ISE authorization SGT policy of Employee to the successfully authenticated user. You can then assign the access policy based on the Employee SGT.

Send me an email, and we can schedule a webex.

Thanks,
John

jeppich@cisco.com

Hi guys,

The topic is quite aged, but what did you finish with (it looks quite similar to the deployment we plan at our customer)?

Thanks in advance