Create an Identity Mapping Filter

An identity mapping filter can be used to limit the networks to which an identity rule applies. For example, if your management center manages FTDs that have a limited amount of memory, you can limit the networks they monitor.

You can also optionally exclude subnets from the following:

  • Receiving user-to-IP and Security Group Tag (SGT)-to-IP mappings from ISE.

You should typically do this for lower-memory managed devices to prevent Snort identity health monitor memory errors.

Before you begin

Perform the following tasks:

  1. Create a realm, which is required for an identity policy. See Create an LDAP Realm or an Active Directory Realm and Realm Directory.

  2. Create an identity policy. See Create an Identity Policy.

  3. Create a network object or network group object as discussed in Creating Network Objects. The network object or group you create should define the network you want managed devices to monitor in identity policies.

Procedure


Step 1

Log in to the management center.

Step 2

Click Policies > Identity.

Step 3

Click Edit (edit icon).

Step 4

Click the Identity Source tab.

Step 5

From the Identity Mapping Filter list, choose the name of the network object to use as a filter.

To create a new network object, see Creating Network Objects.

Note

To restrict traffic to IPv6 addresses, you must add at least one address, network, or group to the filter.

Step 6

Click Save.

Step 7

(Not required for Microsoft Azure AD realms.) Deploy configuration changes to managed devices; see Deploy Configuration Changes.


What to do next

(Not required for Microsoft Azure AD realms.) Associate the identity policy with an access control policy as discussed in Associating Other Policies with Access Control.

To check or change ISE identity mapping filters (also referred to as subnet filters), use the following commands:

show identity-subnet-filter
configure identity-subnet-filter { add | remove } subnet
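The effect of a subnet filter is easiest to see on sample data. The following Python script is an added illustration, not Cisco's code and not the device's implementation: it models the filter as a set of networks maintained with add/remove/show operations mirroring the CLI verbs above, then applies it to a constructed list of ISE user-to-IP and SGT-to-IP mappings to show which mappings a filtered device would retain and which it would never have to store. The assumption that an empty filter accepts every mapping is the model's own.

```python
import ipaddress

# Constructed sample of user-to-IP and SGT-to-IP mappings in the shape ISE
# supplies them (hypothetical data, not captured from a real deployment).
SAMPLE_MAPPINGS = [
    {"user": "alice", "ip": "10.10.1.25", "sgt": 10},
    {"user": "bob", "ip": "10.10.2.40", "sgt": 10},
    {"user": "carol", "ip": "192.168.50.7", "sgt": 20},
    {"user": "dave", "ip": "172.16.8.9", "sgt": 30},
    {"user": "erin", "ip": "2001:db8:1::10", "sgt": 10},
    {"user": "frank", "ip": "2001:db8:9::77", "sgt": 40},
]


class IdentitySubnetFilter:
    """Illustrative model of an identity mapping (subnet) filter.

    Only mappings whose IP falls inside one of the configured networks are
    kept; everything else is discarded before it consumes device memory.
    This is a teaching model, not the firewall's implementation.
    """

    def __init__(self):
        self.subnets = []

    def add(self, subnet):
        # Mirrors "configure identity-subnet-filter add <subnet>"
        net = ipaddress.ip_network(subnet, strict=False)
        if net not in self.subnets:
            self.subnets.append(net)
        return net

    def remove(self, subnet):
        # Mirrors "configure identity-subnet-filter remove <subnet>"
        net = ipaddress.ip_network(subnet, strict=False)
        self.subnets = [n for n in self.subnets if n != net]

    def show(self):
        # Mirrors "show identity-subnet-filter": the configured networks
        return [str(n) for n in self.subnets]

    def matches(self, ip):
        # Assumption of this model: with no filter configured, accept all.
        if not self.subnets:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.subnets)

    def apply(self, mappings):
        """Split mappings into those the device keeps and those it drops."""
        kept, dropped = [], []
        for m in mappings:
            (kept if self.matches(m["ip"]) else dropped).append(m)
        return kept, dropped


def demo():
    """Filter the sample mappings to one IPv4 and one IPv6 monitored network."""
    f = IdentitySubnetFilter()
    f.add("10.10.0.0/16")
    f.add("2001:db8:1::/64")
    kept, dropped = f.apply(SAMPLE_MAPPINGS)
    return f, kept, dropped


if __name__ == "__main__":
    flt, kept, dropped = demo()
    print("filter:", flt.show())
    print("kept:  ", [m["user"] for m in kept])
    print("dropped:", [m["user"] for m in dropped])
```

Running `demo()` keeps the mappings for alice, bob and erin and drops the other three, which is the memory saving the page describes: a device monitoring only its own networks never stores mappings for hosts it will not see. Adding an IPv6 network to the filter is what makes the IPv6 mapping for erin eligible; with only the IPv4 network configured, every IPv6 mapping in the sample would be dropped by this model.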