Re: Discovered Identities in FMC

Steven van Jaarsveld · ‎09-08-2022

Hello Experts

I have a customer that has a Firepower Deployment and we have integrated into ISE using PXGrid. We have also created an AD Realm and integrated this via LDAP.

VPN authentication is making use of a Certificate and when a user logs on or off we can see the User Activity in the FMC under the User Activity but this is mapped to Discovered Identity instead of the AD Realm. We have tried multiple options in the certificate to try and match it against the AD Realm but this doesn't work. If we change the VPN Authentication type to AAA-only or AAA & Certificate then the user is correctly mapped to the AD Realm. The client does not want to make this change on the VPN as he does not want the users to have to enter credentials when accessing the VPN.

This is impacting the Passive Identity Policy assigned to the Access-Control Policy. We are able to select the relevant AD Group in the rules that are required to have this set but the users never match the rule because of the Discovered Identity match

Anyone have any ideas how to resolve this?

Rob Ingram · ‎09-08-2022

@Steven van Jaarsveld I haven't had this exact requirement before....how about still using certificate authentication but send authorisation only to ISE? This would send the username extracted from the certificate, ISE would perform an AD lookup of the username and authorise the user. This would create a session in ISE, which is forwarded to the FMC/FTD.

alirafaleiro · ‎09-08-2022

The Cisco Secure Firewall Management Center (FMC) is your administrative nerve center for managing critical Cisco network security solutions.

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html

NA-School · ‎11-20-2023

Did you ever find a resolution to this?