SEC0222 - ISE 2.0 pxGrid with ASA Firepower (Part 3)

Difficulty Level: 5
The video shows a functional integration of ASA Firepower with the ISE 2.0 pxGrid service. We will have the Firepower join pxGrid using certificate-based authentication and subscribe to user contextual information. We will create and test Firepower access policies to restrict user traffic based on their AD group membership and assigned Security Group Tag.
 
Part 3 of this video covers policy testing on wired and wireless devices.
 
Topics:
  • pxGrid Certificate Generation (ISE and Firepower)
  • ISE pxGrid Configuration
  • Firepower Identity Policy
  • Firepower Access Control Policy
  • Security Group Tag (SGT)
  • SGT Exchange Protocol (SXP)

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

4 comments

I noticed that you changed the authentication from EAP-FAST to PEAP. We are currently using EAP-FAST for better authentication for switching between wired and wireless. So pxGrid won't be able to map the user-to-IP properly with EAP-FAST? If so, is there a way to work around that without changing the authentication method? Thanks!

Authentication protocol should not matter. As long as a user successfully authenticates, the identity mapping should be published into pxGrid.

I think my main problem is switching from a wired connection to wireless with EAP-FAST/chaining. The problem is, I think Sourcefire won't be able to map the user to an IP since the identity published to pxGrid is a combination of user,machine. Is that accurate?

That is correct. It seems EAP-Chaining does not seem to play well with pxGrid, as ISE publishes both user/computer identity, which causes FP to fail the user lookup.
