View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0222 - ISE 2.0 pxGrid with ASA Firepower (Part 3)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0222 - Video Download $17.00
Purchase SEC0222 - Video Download $17.00
The video shows a functional integration of ASA Firepower with ISE 2.0 pxGrid service. We will have the Firepower join pxGrid using certificate-based authentication and subscribe for user contextual information. We will create and test Firepower access policies to restrict user traffic based on their AD group membership and assigned Security Group Tag. 
Part 3 of this video covers policy testing on wired and wireless devices
  • pxGrid Certificate Generation (ISE and Firepower)
  • ISE pxGrid Configuration
  • Firepower Identity Policy
  • Firepower Access Control Policy
  • Security Group Tag (SGT)
  • SGT Exchange Protocol (SXP)

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


I noticed that you changed it authentication from EAP-FAST to PEAP, we are currently using EAP-FAST for better authentication for switching between wired and wireless. So Pxgrid won't be able to map the user-to-IP properly with EAP-FAST? if so, is there a way to work around that without changing authentication method? Thanks!

Athentication protocol should not matter. As long as a user successfully authenticate, the identity mapping should be published into pxGrid.

I think my main problem is switching from a wired connection to wireless with eap-fast/chaining. Problem is I think sourcefire won't be able to map the user to an IP since the identity published to PxGrid is a combination of user,machine. Is that accurate?

That's is correct. It seems EAP-Chaining des not seem to play well with pxGrid as ISE publishes both user/computer identity which cause FP to fail the user lookup.

Good morning Meta

We currently are trying to integrate ISE 2.1 (patch 10) and FMC with pxGrid, but we are EAP-FAST (domain\user,host/machine name) in the anyconnect supplicant, so the Firepower is getting the credentials in a different format that can't handle.

Do you know what can we do to configure right and let the user navigate to internet with authentication through the FMC authenticating against the AD using the ISE?

Stay pending for your answer, thanks a lot.

Unfortunately, as far as we know, that is the issue and we are not aware of a workaround as the FMC won't be able to look up username in this incorrect format to authenticate user. We suggest you check with Cisco and see it they may have a solution.

Lab Minutes Classifieds


Vote for the Next Video Series
Firepower 6.6
DNAC 2.1
ISE 3.0
ACI 4.x
Total votes: 44