cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3799
Views
1
Helpful
8
Replies

Query on passive ID with FMC 6.2 and pxGrid integration to ISE 2.2

tlenzenh
Cisco Employee
Cisco Employee

Hi Team,

I have followed the configuration guide for the pxGrid integration between Firepower Management Centre (using v6.2.0.2) and ISE v2.2 as stated in this doc:

https://communities.cisco.com/docs/DOC-68292

I have also configured ISE for the Passive identity service, using direct AD integration with the automatic WMI configuration as outlined here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01011.html

Besides a few minor issues I had to fix along the way, all appears to be configured as it should and no further errors show up anywhere.

What I am trying to understand is this:

It seems that in FMC I can only see passive authentications under the Analysis/User Activity whenever an enduser logs into the domain with their AD credentials.

I tested the same user PC for 802.1x authentication against another ISE instance (which is also integrated with AD in the backend) and was under the impression that I should see those authentications also in the FMC – but that seems not the case.

Is this normal or am I doing anything wrong here? I have not configured any TrustSec policies at the moment as its used in the integration guide as sample, but I don’t think that’s mandatory for what I am trying to do.

So my question is – should FMC also see passive authentications from any machine that’s doing 802.1x authentication against AD or is it really just showing a user logging into the domain? I’m not sure if I missed to configure anything or if that’s just how it works.

Any advice would be appreciated

Thanks
Thomas

1 Accepted Solution

Accepted Solutions

Timothy Abbott
Cisco Employee
Cisco Employee

Thomas,

You're actually talking about two different types of authentications.  802.1X is active authentication.  Users authenticating against AD is passive authentication.  I can't speak to FMC functionality but you should see any authentication ISE (or ISE-PIC for passive) sees in the session directory.  You also should not need to configure TrustSec as that is a separate topic in pxGrid.  I suggest reaching out to the FMC team to validate what topics it subscribes to in pxGrid.

Regards,

-Tim

View solution in original post

8 Replies 8

Timothy Abbott
Cisco Employee
Cisco Employee

Thomas,

You're actually talking about two different types of authentications.  802.1X is active authentication.  Users authenticating against AD is passive authentication.  I can't speak to FMC functionality but you should see any authentication ISE (or ISE-PIC for passive) sees in the session directory.  You also should not need to configure TrustSec as that is a separate topic in pxGrid.  I suggest reaching out to the FMC team to validate what topics it subscribes to in pxGrid.

Regards,

-Tim

tlenzenh
Cisco Employee
Cisco Employee

Hi Tim,

thanks for the reply. Yeah you are correct that from the ISE-PIC instance the authentication is seen as passive auth and reported as such in FMC. I guess what I am not clear about is whether 802.1x based authentications against AD (served by another ISE instance, not the ISE-PIC VM instance) is also seen as passive authentication (by the ISE-PIC instance) or if those types of AD authentications will never show up reported anywhere in ISE-PIC or FMC.

I mean if I have an 802.1x authentication via ISE instance A going against AD, I was under the impression that from ISE-PIC instance's perspective it is still a passive auth because its AD reporting the auth to ISE-PIC.

But from what I have seen in FMC, such authentications never show up. We can only see if a user actually logs into the domain with their PC. So ultimately I just want to understand what AD actually reports to ISE-PIC in both cases - is it just user domain logins or also any other form of AD authentication (i.e. coming from other ISE or radius server instances doing 802.1x)?

Sorry if that was a bit convoluted but I think you get my question.

Thanks

Thomas

Thomas,

I think I get what you are after now.  ISE-PIC is looking for logon events from AD.  These are detected via Kerberos SPAN, WMI monitoring or the PIC agent.  If it finds them, it will create a session in the directory to then be shared over pxGrid.  At one point in my lab, I had a instance of ISE-PIC (2.2) and ISE (2.2).  ISE was doing 802.1X authentications against AD.  I never saw any 802.1X auths against AD show up as passive session in PIC.  There could be a couple reasons for this:

1. The endpoints doing 802.1X were not Windows endpoints

2. The authentication against AD creates a security event in AD that PIC does look for

The best recommendation I can give you is to test it in a lab environment.  Configure PIC to monitor AD using one of the supported probes, then have a windows endpoint participate in 802.1X against that same instance of AD using ISE and see what PIC finds.  Hope that helps.

Regards,

-Tim

Hi Tim,

thanks for the feedback. In fact I did test this exactly that way in my lab (the 802.1x auth endpoint was a windows 7 machine) and those were my findings, hence why posting the question. Sounds like you had the same experience. I don't know enough about this WMI thing and how the internals of AD and ISE-PIC work but at this stage I can only assume thats how it works and ISE-PIC won't report any of the 802.1x based authentications against AD. Whether thats because AD doesn't report it via WMI in the same way as domain logons or because ISE-PIC doesn't report it - I don't know.

By the way - one thing I was wondering - is there a report or log within ISE-PIC where I can get the passive login info as well or is that passed on to pxGrid and I can only get that info in Stealthwatch or FMC?

Cheers

Thomas

There is a report for current active sessions that should give you what you're after.

Regards,

-Tim

Hi Timothy,

I got same question from customers, did you finally get answer?

Thanks

DL

To clarify, you would likely never deploy ISE-PIC and ISE for the same network.  ISE includes ALL of the Passive ID functionality in ISE-PIC plus all of the other AAA features (RADIUS/T+ auth), profiling, guest, posture, etc. based on licenses installed.  ISE-PIC is positioned for customers that are not yet interested in the larger feature sets and just want Passive ID features.

ISE-PIC does not provide active authentication of ANY type (MAB, 1X, CWA, etc).  Therefore, ISE-PIC will only see authentications learned from EXTERNAL auth sources, not from itself.   ISE on the other hand can collect and publish login events over pxGrid for BOTH Passive ID logins (external, passive auth) and RADIUS logins (active auth).

Also, even if ISE authenticates a user against AD, LDAP, SQL, etc, it is still ISE which is controlling the authentication.  This is different from an AD login where the ISE/ISE-PIC server play no part in the auth event itself.

Tim is absolutely correct, but there was confusion on another thread where this post is referenced and I felt this additional clarity was needed.

Cheers, Craig

yongwli
Cisco Employee
Cisco Employee

Thank you.