Austin35
Explorer

Identity Collector & Cisco ISE - Failed Logins

Hello! 


I have recently started going down the path of testing Identity Collector with Cisco ISE SGTs. We currently have SGTs deployed to one of our sites and wanted to see how the integration works.

I was able to successfully get ISE connected to Identity Collector, and SGT information from that site is being ingested. However, when looking at the logs for the mappings, I noticed that there are only failed logins with the description message "Make sure the account exists in AD".

A little bit about how our authentications are being handled. Our computers (desktops & laptops) in the Computers security group authenticate with EAP-TLS using a machine-based certificate tied to the GUID of the device.

For some of our wireless clients that can't use EAP-TLS, we use PEAP/MSCHAPv2 with a static username and password defined in ISE and not in AD.

In the provided screenshot you can see both of these scenarios.

My questions then are:

I assume the reason I am getting "Make sure the account exists in AD" is that the security gateway is doing an LDAP query? This would be failing because the source usernames are not in AD as users (the GUIDs are in AD as computers, and the static ISE usernames are not in AD at all).

Even with the integration in this state am I still able to enforce the SGTs through access groups and roles or do you need a successful login?

And if you need a successful login how can that be achieved with machine based auth and static usernames in ISE?

(attachment: SmartConsoleLogs.png)

Environment:

Cluster Running R81.20

Identity Collector

ISE 3.3


Any input is greatly appreciated!

4 Replies
PhoneBoy
Admin

Group information can come from LDAP, so if the users aren't defined there, those messages seem reasonable.
I believe you can define Identity Tags that match what is in Cisco ISE and those will be associated with the relevant users/machines (the capitalization should be identical to what's in ISE).

Chris_Atkinson
Employee

Example tag / access role:

(attachment: ISE tag.png)

CCSM R77/R80/ELITE
Chris_Atkinson
Employee

For context, what patch level are the involved components: Check Point JHF, Cisco ISE 3.3 (patch 4?), and the AD environment version?

How are your access roles defined? Also verify the LDAP Account Unit credentials and DN.

From there we would leverage the following useful commands:

pdp idc groups_consolidation enable | disabled

pdp conciliation idc_multiple_users enabled | disabled

pdp idc groups_update on | off | status

Refer also: sk182935, sk165457, sk180392


Austin35
Explorer

Cisco ISE 3.3 P4

R81.20 JHF 65


I looked through those SKs; they are about AD group membership, and that side is working fine. Our SE was able to get me in touch with one of the regional architects, and we poked around at our configuration and did some testing.

Here is what we came up with:

Current configuration is that we have an Identity Collector with one query pool, with both our AD and ISE tied to it.

AD and LDAP membership are working fine. Our ISE authentications do not have user information, as we are doing device auth vs. user auth.

When we ran some tests, we noticed that there are two mappings for the same IP in the Identity Collector logs: one being the username tied to the IP from AD, and the other being the GUID of the device authentication in ISE.

(attachment: Screenshot 2025-01-27 152655.png)

Speculation then being that because AD and ISE are in the same query pool, Identity Collector or PDP is unable to correlate the two. On his recommendation, we are going to try separating ISE and AD onto two different Identity Collector servers to get them out of the same query pool and see if that resolves the issue.
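The post above describes two symptoms a practitioner would want to triage from an export of the collector's mapping logs: one IP carrying identities from two sources (an AD username and an ISE device GUID), and ISE tag names that must match the access role's Identity Tag spelling exactly. The script below is an added example, not code from the original thread or from Check Point; the log line format, field names, GUID, IPs and configured tag set are all constructed for illustration and would need to be adapted to whatever fields a real export actually contains.

```python
import re
from collections import defaultdict

# Constructed sample records (not real Identity Collector output):
# "timestamp source=<AD|ISE> ip=<addr> identity=<user or GUID> type=<user|machine> [sgt=<tag>]"
SAMPLE_LOG = """\
2025-01-27 15:26:55 source=AD ip=10.10.20.15 identity=jdoe type=user
2025-01-27 15:26:57 source=ISE ip=10.10.20.15 identity=3f2504e0-4f89-11d3-9a0c-0305e82c3301 type=machine sgt=Employees
2025-01-27 15:27:03 source=ISE ip=10.10.30.42 identity=wifi-printer type=user sgt=Guests
2025-01-27 15:27:10 source=AD ip=10.10.20.77 identity=asmith type=user
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kv>.+)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def parse_log(text):
    """Parse every line, keeping only records that carry both an IP and a source."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "ip" in rec and "source" in rec:
            records.append(rec)
    return records


def group_by_ip(records):
    """Map each IP to the list of identity records seen for it."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    return dict(by_ip)


def find_conflicts(records):
    """IPs whose identities come from more than one source (e.g. AD user plus ISE machine GUID)."""
    return {ip: recs for ip, recs in group_by_ip(records).items()
            if len({r["source"] for r in recs}) > 1}


def tag_matches(ise_tag, configured_tags):
    """Exact, case-sensitive comparison: a role tag spelled 'guests' does not match ISE's 'Guests'."""
    return ise_tag in configured_tags


def unmatched_tags(records, configured_tags):
    """ISE tags present in the log that no configured Identity Tag matches exactly."""
    return sorted({r["sgt"] for r in records
                   if "sgt" in r and not tag_matches(r["sgt"], configured_tags)})


# Hypothetical tags assumed to be configured on the gateway; note the lower-case 'guests'.
CONFIGURED_TAGS = {"Employees", "guests"}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, dup in find_conflicts(recs).items():
        print(ip, [(r["source"], r["identity"]) for r in dup])
    print("tags with no exact match:", unmatched_tags(recs, CONFIGURED_TAGS))
```

On the constructed input this reports 10.10.20.15 as carrying both the AD user and the ISE GUID, and flags "Guests" because the assumed role tag is spelled "guests"; the same checks applied to a real export give a quick list of the IPs and tags to look at before changing the query pool layout.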