SEC0222 - ISE 2.0 pxGrid with ASA Firepower (Part 3)

Rating: 5 (1 vote)
Difficulty Level: 0
The video shows a working integration of ASA Firepower with the ISE 2.0 pxGrid service. We have Firepower join pxGrid using certificate-based authentication and subscribe to user context information, then create and test Firepower access policies that restrict user traffic based on AD group membership and the assigned Security Group Tag.

Part 3 of this video covers policy testing on wired and wireless devices.

Topic:
  • pxGrid Certificate Generation (ISE and Firepower)
  • ISE pxGrid Configuration
  • Firepower Identity Policy
  • Firepower Access Control Policy
  • Security Group Tag (SGT)
  • SGT Exchange Protocol (SXP)

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

6 comments

I noticed that you changed the authentication from EAP-FAST to PEAP. We are currently using EAP-FAST for better authentication when switching between wired and wireless. So pxGrid won't be able to map the user to IP properly with EAP-FAST? If so, is there a way to work around that without changing the authentication method? Thanks!

Authentication protocol should not matter. As long as a user successfully authenticates, the identity mapping should be published into pxGrid.

I think my main problem is switching from a wired connection to wireless with EAP-FAST/chaining. The problem is I think Sourcefire won't be able to map the user to an IP since the identity published to pxGrid is a combination of user,machine. Is that accurate?

That is correct. EAP-Chaining does not seem to play well with pxGrid, as ISE publishes both the user and computer identity, which causes FP to fail the user lookup.

Good morning Metha,

We are currently trying to integrate ISE 2.1 (patch 10) and FMC 6.2.3.5 with pxGrid, but we are using EAP-FAST (domain\user,host/machine name) in the AnyConnect supplicant, so the Firepower is getting the credentials in a different format that it can't handle.

Do you know what we can do to configure it correctly and let users browse the internet with authentication through the FMC, authenticating against AD using ISE?

Awaiting your answer, thanks a lot.

Unfortunately, as far as we know, that is the issue, and we are not aware of a workaround, as the FMC won't be able to look up the username in this incorrect format to authenticate the user. We suggest you check with Cisco and see if they may have a solution.
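As an added illustration of the failure mode discussed in this thread (example code, not from the video, labminutes.com or Cisco), a small audit routine that splits the composite EAP-Chaining identity the thread describes, `domain\user,host/machine`, and flags sessions whose identity Firepower's user lookup cannot map. The sample session records, usernames, hostnames and IP addresses are constructed, and the classification of a machine-only identity as a separate bucket is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of (client IP, identity string) pairs as a pxGrid
# subscriber might receive them. The "domain\user,host/machine" shape is the
# EAP-Chaining format reported in the thread; the values are made up.
SAMPLE_SESSIONS: List[Tuple[str, str]] = [
    ("10.1.1.10", r"CORP\alice"),                        # user only (e.g. PEAP)
    ("10.1.1.11", r"CORP\bob,host/PC-BOB.corp.local"),   # EAP-Chaining, user+machine
    ("10.1.1.12", "host/PC-LAB.corp.local"),             # machine only
]

USER_RE = re.compile(r"[^\\,]+\\[^\\,]+")  # DOMAIN\user, no comma or extra backslash


@dataclass
class Identity:
    ip: str
    raw: str
    user: Optional[str]     # "DOMAIN\user" component, if present
    machine: Optional[str]  # "host/..." component, if present

    @property
    def kind(self) -> str:
        # "chained" is the case the thread says FMC cannot look up.
        if self.user and self.machine:
            return "chained"
        return "user" if self.user else "machine"


def parse_identity(ip: str, raw: str) -> Identity:
    """Split a published identity into its user and machine parts."""
    user = machine = None
    for part in (p.strip() for p in raw.split(",") if p.strip()):
        if part.lower().startswith("host/"):
            machine = part
        elif USER_RE.fullmatch(part):
            user = part
        else:
            raise ValueError(f"unrecognised identity component: {part!r}")
    if user is None and machine is None:
        raise ValueError(f"empty identity for {ip}")
    return Identity(ip, raw, user, machine)


def audit(sessions: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each client IP to 'user', 'machine' or 'chained' (unmappable by FMC)."""
    return {ip: parse_identity(ip, raw).kind for ip, raw in sessions}


if __name__ == "__main__":
    for ip, kind in audit(SAMPLE_SESSIONS).items():
        flag = "  <-- FMC user lookup will fail" if kind == "chained" else ""
        print(f"{ip:<12} {kind}{flag}")
```

Run against a real session feed, the "chained" bucket is the list of endpoints whose user-based access control rules will not match.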