https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239600#M39995 <P>Example tag / access role:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE tag.png" style="width: 791px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29428iA5D88F057690AFB2/image-size/large?v=v2&amp;px=999" role="button" title="ISE tag.png" alt="ISE tag.png" /></span></P> Sat, 25 Jan 2025 00:32:55 GMT Chris_Atkinson 2025-01-25T00:32:55Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239572#M39991 <P>Hello!&nbsp;</P><P>&nbsp;</P><P>I have recently started going down the path of testing Identity Collector with Cisco ISE SGTs. We currently have SGTs deployed to one of our sites and wanted to see how the integration works.</P><P>I was able to successfully get ISE connected to identity collector and SGT information from that site is being ingested. How ever when looking at logs for the mappings I noticed that there are only failed logins with Make sure the Account exists in AD description message.</P><P>A little bit about how are authentications are being handled. Are Computers (Desktops &amp; Laptops) with security group computers are authenticating with EAP-TLS with a machine based certificate tied to the GUID of the device.&nbsp;</P><P>Some of our wireless clients that can't use EAP-TLS we use PEAP/MSCHAPv2 with a static username and password defined in ISE and not AD.</P><P>In the provided screenshot you can see both of these scenarios.</P><P>My questions then are.</P><P>I assume the reason why I am getting the make sure the account exists in AD is because the security gateway is doing a LDAP Query? This would be failing due to the Source usernames not being in AD as users (GUIDs are in as computers and the static ISE usernames are not in AD at all).</P><P>Even with the integration in this state am I still able to enforce the SGTs through access groups and roles or do you need a successful login?</P><P>And if you need a successful login how can that be achieved with machine based auth and static usernames in ISE?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SmartConsoleLogs.png" style="width: 849px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29423iEB0C4543A62EFBC3/image-size/large?v=v2&amp;px=999" role="button" title="SmartConsoleLogs.png" alt="SmartConsoleLogs.png" /></span></P><P>Environment:</P><P>Cluster Running R81.20</P><P>Identity Collector</P><P>ISE 3.3</P><P>&nbsp;</P><P>Any input is greatly appreciated!</P> Fri, 24 Jan 2025 17:28:44 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239572#M39991 Austin35 2025-01-24T17:28:44Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239592#M39993 <P>Group information can comes from LDAP, so if the users aren't defined there, those messages seem reasonable.<BR />I believe you can define Identity Tags that match what is in Cisco ISE and those will be associated with the relevant users/machines (the capitalization should be identical to what's in ISE).</P> Fri, 24 Jan 2025 23:26:20 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239592#M39993 PhoneBoy 2025-01-24T23:26:20Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239596#M39994 <P>For context, what patch level are the Involved components, Check Point JHF, Cisco ISE 3.3 (patch 4?) and AD environment version?</P> <P>How are your access roles defined also verify the LDAP account unit credentials and DN.</P> <P>From there we would leverage the following useful commands:</P> <P>pdp idc groups_consolidation enable | disabled</P> <P>pdp conciliation idc_multiple_users enabled | disabled</P> <P>pdp idc groups_update on | off | status</P> <P>Refer also: sk182935, sk165457, sk180392</P> <P>&nbsp;</P> Sat, 25 Jan 2025 00:16:14 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239596#M39994 Chris_Atkinson 2025-01-25T00:16:14Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239600#M39995 <P>Example tag / access role:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE tag.png" style="width: 791px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29428iA5D88F057690AFB2/image-size/large?v=v2&amp;px=999" role="button" title="ISE tag.png" alt="ISE tag.png" /></span></P> Sat, 25 Jan 2025 00:32:55 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239600#M39995 Chris_Atkinson 2025-01-25T00:32:55Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239745#M40012 <P>Cisco ISE 3.3 P4&nbsp;</P><P>R81.20 JHF 65</P><P>&nbsp;</P><P>I looked through those SKs and they are about AD Group membership and that side is working fine. Our SE was able to get me in touch with one of the regional architects and we poked around at our configuration and did some testing.&nbsp;</P><P>Here is what we came up with,&nbsp;</P><P>Current configuration is that we have an identity collector with 1 query pool with both our AD and ISE tied to it.</P><P>AD and LDAP membership are working fine, Our ISE authentications do not have user information as we are doing device auth vs user auth.</P><P>When we ran some tests, we noticed that in the identity collector there are two mappings for the same IP in identity collector logs one being the username tied to the IP from AD, and the other being the GUID of the device authentication in ISE.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-01-27 152655.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29452iC3964D9886795344/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2025-01-27 152655.png" alt="Screenshot 2025-01-27 152655.png" /></span></P><P>Speculation then being because the AD and the ISE are in the same query pool, identity collector or pdp is unable to correlate the two. From his recommendation we are going to be trying to separate the ISE and AD into two different Identity collector servers to get them out of the same query pool and see if that resolves the issue.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 27 Jan 2025 23:00:20 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/239745#M40012 Austin35 2025-01-27T23:00:20Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/247787#M41403 <P>Hey!<BR /><BR />I'm facing a very similar situation ... Have you been able to solve it?</P> Wed, 30 Apr 2025 12:30:58 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/247787#M41403 SteveMad 2025-04-30T12:30:58Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/248623#M41566 <P>For awareness there is a new IDC version available to support Cisco ISE 3.4 and other enhancements.</P> Mon, 12 May 2025 10:47:22 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-amp-Cisco-ISE-Failed-Logins/m-p/248623#M41566 Chris_Atkinson 2025-05-12T10:47:22Z