I have a customer that has a Firepower deployment and we have integrated into ISE using pxGrid. We have also created an AD Realm and integrated this via LDAP.
VPN authentication is making use of a certificate, and when a user logs on or off we can see the user activity in the FMC under User Activity, but this is mapped to Discovered Identity instead of the AD Realm. We have tried multiple options in the certificate to try and match it against the AD Realm, but this doesn't work. If we change the VPN authentication type to AAA-only or AAA & Certificate, then the user is correctly mapped to the AD Realm. The client does not want to make this change on the VPN, as he does not want the users to have to enter credentials when accessing the VPN.
This is impacting the Passive Identity Policy assigned to the Access Control Policy. We are able to select the relevant AD Group in the rules that are required to have this set, but the users never match the rule because of the Discovered Identity match.
@Steven van Jaarsveld I haven't had this exact requirement before... how about still using certificate authentication but sending authorisation only to ISE? This would send the username extracted from the certificate, ISE would perform an AD lookup of the username and authorise the user. This would create a session in ISE, which is forwarded to the FMC/FTD.
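As an added illustration (not from either poster, and not a configuration the thread itself shows), the arrangement suggested in the reply looks like this in the ASA-style syntax that FMC deploys to the FTD: the connection profile keeps certificate-only authentication, sends authorization and accounting to ISE, and tells the device which certificate field to hand over as the username. All names, the address and the shared secret (ISE-RADIUS, RA-VPN, RA-GROUP-POLICY, VPN-POOL, 10.0.0.10) are placeholders; the choice of UPN assumes the certificate carries a UPN that ISE can look up in AD, and should be swapped for CN or another field if that is what the customer's certificates contain.

```text
! Illustration only: ASA-style syntax as deployed to FTD, placeholder names throughout.
! RADIUS server object for ISE; dynamic-authorization lets ISE issue CoA for the session.
aaa-server ISE-RADIUS protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 10.0.0.10
 key <shared-secret-placeholder>

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy RA-GROUP-POLICY
 ! no authentication-server-group: the client certificate is the only authentication
 authorization-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 authorization-required
 ! the certificate field that becomes the username ISE looks up in AD (assumption: UPN in the SAN)
 username-from-certificate UPN
tunnel-group RA-VPN webvpn-attributes
 authentication certificate
```

In FMC the same settings live in the connection profile's AAA section of the Remote Access VPN policy (authentication method Client Certificate Only, plus the Authorization Server and Accounting Server entries). Sending accounting as well as authorization is what gives ISE a live session with the assigned VPN address to publish over pxGrid, so it is worth checking in ISE's live sessions that the username and IP appear after a certificate logon before looking at the FMC side.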