ISE to FMC Identity Mapping Problem

caustin
Level 1

Hello,

 

Lately my company is having some issues with some users that have a common problem. 

The problem is that the FMC is seeing identities as the wrong users, users who aren't actually logged onto the computers (Windows 10). ISE logs show the correct users log on and off of the computers without issue. The information there is accurate. However, no matter who logs onto the computer, I can check the FMC and it will have a different identity. The IP addresses will be the same though.

I've had this reported to me 5 times now with different people and computers. I think it's going on more than this, but the only reason people are noticing is because the people reporting the issue are getting the access of identities with heavily restricted access based on policies and firewall rules. If it's happening to others with equal access then they wouldn't notice the difference.

It seems like something in between ISE and the firewall is the broken link here but I'm not sure what. 
Any advice on where to look first?

I have tried clearing settings on the computers and clearing access sessions on the specific switch interfaces but it has made no difference.


Versions running are:

ISE - 3.1.0.518

FMC - 7.0.4

2 Replies

Herald Sison
Level 3

Have you generated pxGrid client CA? MNT Server CA? And pxGrid server CA? Have you checked your Realms settings? Are you using AD or LDAP for realm type? Did you create an identity policy and assign it?

Marvin Rhoads
Hall of Fame

Check your ISE integration under FMC > Integrations > Identity source. A Test button there validates the FMC-ISE pxGrid link is working. If it tests OK there, we can go deeper into the logs at the CLI level.
