ISE/ISE-PIC Guidelines and Limitations

Use the guidelines discussed in this section when configuring ISE/ISE-PIC.

ISE/ISE-PIC Version and Configuration Compatibility

Your ISE/ISE-PIC version and configuration affects its integration and interaction with the Secure Firewall Management Center, as follows:

  • We strongly recommend you use the latest version of ISE/ISE-PIC to get the latest feature set.

  • Synchronize the time on the ISE/ISE-PIC server and the Secure Firewall Management Center. Otherwise, the system might perform user timeouts at unexpected intervals.

  • To implement user control using ISE or ISE-PIC data, configure and enable a realm for the ISE server assuming the pxGrid persona as described in Create an LDAP Realm or an Active Directory Realm and Realm Directory.

  • Each Secure Firewall Management Center host name that connects to an ISE server must be unique; otherwise, the connection to one of the Secure Firewall Management Centers will be dropped.

  • If you configure ISE/ISE-PIC to monitor a large number of user groups, the system might drop user mappings based on groups due to managed device memory limitations. As a result, rules with realm or user conditions might not perform as expected.

    For any device running version 6.7 or later, you can optionally use the configure identity-subnet-filter command to limit the subnets that the managed device monitors. For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

    Alternatively, you can configure a network object and apply that object as an Identity Mapping Filter in the identity policy. See Create an Identity Policy.

For the specific versions of ISE/ISE-PIC that are compatible with this version of the system, see the Cisco Firepower Compatibility Guide.

IPv6 support

  • Compatible ISE/ISE-PIC 2.x versions include support for IPv6-enabled endpoints.

  • Version 3.0 (patch 2) and later of ISE/ISE-PIC enables IPv6 communication between ISE/ISE-PIC and the management center.

Proxy sequence

A proxy sequence is one or more managed devices that can be used to communicate with an LDAP, Active Directory, or ISE/ISE-PIC server. It is necessary only if CDO cannot communicate with your Active Directory or ISE/ISE-PIC server. (For example, CDO might be in a public cloud but Active Directory or ISE/ISE-PIC might be in a private cloud.)

Although you can use one managed device as a proxy sequence, we strongly recommend you set up two or more so that, in the event one managed device cannot communicate with Active Directory or ISE/ISE-PIC, another managed device can take over.

Approve clients in ISE

Before a connection between the ISE server and the management center succeeds, you must manually approve the clients in ISE. (Typically, there are two clients: one for the connection test and another for ISE agent.)

You can also enable Automatically approve new accounts in ISE as discussed in the chapter on Managing users and external identity sources in the Cisco Identity Services Engine Administrator Guide.

Unreachable sessions are removed

If a user session in ISE/ISE-PIC is reported as unreachable, the Secure Firewall Management Center prunes that session so another user with the same IP cannot match the unreachable user's identity rules.

You can control this behavior in ISE/ISE-PIC by going to Providers > Endpoint Probes and clicking one of the following:

  • Enabled to cause ISE/ISE-PIC to monitor endpoint connections and therefore to cause the Secure Firewall Management Center to prune a session from an unreachable user.

  • Disabled to cause ISE/ISE-PIC to ignore endpoint connections.
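The two behaviors described above, an Identity Mapping Filter that limits which subnets the managed device learns mappings for (see the guideline on large numbers of user groups) and the pruning of sessions that ISE reports as unreachable, are easier to reason about with a small model of the IP-to-user mapping table. The following Python is an added illustration, not Cisco code: the class name, the session dictionary, and the sample users, groups and addresses are all constructed for this example. It handles both IPv4 and IPv6 endpoints, which goes slightly beyond the text, because Python's ipaddress module treats them uniformly.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IdentityMappingTable:
    """Simplified model (not Cisco code) of how a management center might keep
    IP-to-user session mappings learned from ISE/ISE-PIC."""

    # Subnets whose mappings we are willing to learn (the Identity Mapping
    # Filter). An empty list means "no filter": every mapping is accepted.
    monitored_subnets: list = field(default_factory=list)
    # ip (string) -> (user, frozenset of group names); constructed sample data
    sessions: dict = field(default_factory=dict)

    def _in_scope(self, ip):
        """True if the address falls inside any monitored subnet."""
        if not self.monitored_subnets:
            return True
        addr = ipaddress.ip_address(ip)
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(addr in net for net in self.monitored_subnets)

    def learn(self, ip, user, groups):
        """Accept a session from ISE only if it is inside a monitored subnet.
        Returns True when the mapping was stored, False when filtered out."""
        if not self._in_scope(ip):
            return False
        self.sessions[ip] = (user, frozenset(groups))
        return True

    def endpoint_unreachable(self, ip):
        """ISE's endpoint probe reports the host as gone: prune the session so a
        new host at the same address cannot inherit the old user's identity."""
        return self.sessions.pop(ip, None) is not None

    def user_for(self, ip):
        """Identity an access rule would see for traffic from ip, or None."""
        entry = self.sessions.get(ip)
        return entry[0] if entry else None

    def rule_matches(self, ip, required_group):
        """Would a rule with a user-group condition match traffic from ip?"""
        entry = self.sessions.get(ip)
        return bool(entry) and required_group in entry[1]


def demo():
    """Walk through filtering and pruning with constructed sample sessions."""
    table = IdentityMappingTable(
        monitored_subnets=[
            ipaddress.ip_network("10.1.0.0/16"),      # constructed site subnet
            ipaddress.ip_network("2001:db8::/32"),    # constructed IPv6 range
        ]
    )
    learned_v4 = table.learn("10.1.5.20", "alice", ["Engineering"])
    learned_v6 = table.learn("2001:db8::10", "carol", ["Engineering"])
    # Outside the monitored subnets: the mapping is dropped on purpose, so
    # device memory is not spent tracking it.
    learned_out = table.learn("192.168.9.9", "bob", ["Finance"])

    before_prune = table.rule_matches("10.1.5.20", "Engineering")
    # ISE reports alice's endpoint as unreachable; the session is pruned.
    pruned = table.endpoint_unreachable("10.1.5.20")
    # A different host now using 10.1.5.20 must not match alice's rules.
    after_prune = table.rule_matches("10.1.5.20", "Engineering")
    return learned_v4, learned_v6, learned_out, before_prune, pruned, after_prune


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last two results: until the unreachable session is pruned, whoever next obtains that IP address would inherit alice's group membership for rule matching. Enabling Endpoint Probes in ISE/ISE-PIC is what supplies the "unreachable" signal that triggers the prune.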

Security Group Tags (SGT)

A Security Group Tag (SGT) specifies the privileges of a traffic source within a trusted network. Cisco ISE and Cisco TrustSec use a feature called Security Group Access (SGA) to apply SGT attributes to packets as they enter the network. These SGTs correspond to a user's assigned security group within ISE or TrustSec. If you configure ISE as an identity source, the Firepower System can use these SGTs to filter traffic.

Security Group Tags can be used both as source and destination matching criteria in access control rules.

Note

To implement user control using only the ISE SGT attribute tag, you do not need to configure a realm for the ISE server. ISE SGT attribute conditions can be configured in policies with or without an associated identity policy.

Note

In some rules, custom SGT conditions can match traffic tagged with SGT attributes that were not assigned by ISE. This is not considered user control, and works only if you are not using ISE/ISE-PIC as an identity source; see Custom SGT Conditions.

To match destination SGT tags in addition to source SGT tags, the following apply:

Required ISE version: 2.6 patch 6 or later, or 2.7 patch 2 or later

Router support: Any Cisco router that supports SGT inline tagging over Ethernet. For more information, consult a reference such as the Cisco Group Based Policy Platform and Capability Matrix Release

Limitations:

  • Quality of Service (QoS) policy uses source SGT matching only; it does not use destination SGT matching

  • RA-VPN does not receive SGT mappings directly through RADIUS

ISE and High Availability

When the primary ISE/ISE-PIC server fails, the following occurs:

As a result of the integration with pxGrid v2, the management center round-robins between both configured ISE hosts until one accepts the connection.

If the connection is lost, the management center resumes round-robin attempts to the connected hosts.

Endpoint Location (or Location IP)

An Endpoint Location attribute is the IP address of the network device that used ISE to authenticate the user, as identified by ISE.

You must configure and deploy an identity policy to control traffic based on Endpoint Location (Location IP).

ISE Attributes

Configuring an ISE connection populates the Secure Firewall Management Center database with ISE attribute data. You can use the following ISE attributes for user awareness and user control. This is not supported with ISE-PIC.

Endpoint Profile (or Device Type)

An Endpoint Profile attribute is the user's endpoint device type, as identified by ISE.

You must configure and deploy an identity policy to control traffic based on Endpoint Profile (Device Type).