SEC0222 - ISE 2.0 pxGrid with ASA Firepower (Part 3)
Category:
Security
The video shows a working integration of ASA Firepower with the ISE 2.0 pxGrid service. We have the Firepower join pxGrid using certificate-based authentication and subscribe to user contextual information. We then create and test Firepower access policies that restrict user traffic based on AD group membership and the assigned Security Group Tag.
Part 3 of this video covers policy testing on wired and wireless devices.
Topic:
- pxGrid Certificate Generation (ISE and Firepower)
- ISE pxGrid Configuration
- Firepower Identity Policy
- Firepower Access Control Policy
- Security Group Tag (SGT)
- SGT Exchange Protocol (SXP)
6 comments
Identity mapping for EAP-FAST
I noticed that you changed the authentication from EAP-FAST to PEAP. We are currently using EAP-FAST for better authentication when switching between wired and wireless. So pxGrid won't be able to map the user-to-IP properly with EAP-FAST? If so, is there a way to work around that without changing the authentication method? Thanks!
Identity mapping for EAP-FAST
Authentication protocol should not matter. As long as a user successfully authenticates, the identity mapping should be published into pxGrid.
I think my main problem is
I think my main problem is switching from a wired connection to wireless with EAP-FAST/chaining. The problem is I think Sourcefire won't be able to map the user to an IP since the identity published to pxGrid is a combination of user,machine. Is that accurate?
Identity mapping for EAP-FAST
That is correct. EAP-Chaining does not seem to play well with pxGrid, as ISE publishes both the user and computer identity, which causes FP to fail the user lookup.
Integrating ISE with FMC
Good morning Meta
We are currently trying to integrate ISE 2.1 (patch 10) and FMC 6.2.3.5 with pxGrid, but we are using EAP-FAST (domain\user,host/machine name) in the AnyConnect supplicant, so the Firepower is getting the credentials in a different format that it can't handle.
Do you know what we can do to configure it right and let the user browse the internet with authentication through the FMC, authenticating against the AD using the ISE?
Awaiting your answer, thanks a lot.
Integrating ISE with FMC
Unfortunately, as far as we know, that is the issue, and we are not aware of a workaround, as the FMC won't be able to look up the username in this incorrect format to authenticate the user. We suggest you check with Cisco and see if they may have a solution.
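To illustrate the lookup failure discussed in the thread, the following is an added example, not code from the lab or from ISE or FMC. It assumes the identity string forms quoted above ("domain\user" for a plain login, "domain\user,host/machine" for EAP chaining) and uses a constructed AD group table; it shows why a lookup on the raw string fails for the chained form and how extracting the user component first avoids that.

```python
from typing import List, NamedTuple, Optional

# Constructed AD group table for this demo (not data from ISE, FMC or AD).
AD_GROUPS = {
    "corp\\alice": ["Domain Users", "Finance"],
    "corp\\bob": ["Domain Users", "Engineering"],
}


class Identity(NamedTuple):
    user: Optional[str]     # "domain\\user", or None if absent
    machine: Optional[str]  # "host/name", or None if absent
    chained: bool           # True when both components were present


def parse_identity(raw: str) -> Identity:
    """Split a session identity into its user and machine parts.

    Assumed forms (taken from the comment thread, not a documented schema):
      "domain\\user"                   -> user only
      "domain\\user,host/machine-name" -> EAP chaining: user and machine
      "host/machine-name"              -> machine only
    """
    user = machine = None
    for part in (p.strip() for p in raw.split(",")):
        if part.startswith("host/"):
            machine = part
        elif "\\" in part:
            user = part
    return Identity(user, machine, user is not None and machine is not None)


def lookup_groups_naive(raw: str) -> Optional[List[str]]:
    """Look up the raw identity as-is; the chained form never matches."""
    return AD_GROUPS.get(raw.lower())


def lookup_groups_normalized(raw: str) -> Optional[List[str]]:
    """Extract the user component first, then look up its AD groups."""
    ident = parse_identity(raw)
    if ident.user is None:
        return None  # machine-only session: no user to match a policy on
    return AD_GROUPS.get(ident.user.lower())
```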