ISE/ISE-PIC Guidelines and Limitations

Use the guidelines discussed in this section when configuring ISE/ISE-PIC.

ISE/ISE-PIC Version and Configuration Compatibility

Your ISE/ISE-PIC version and configuration affects its integration and interaction with the Secure Firewall Management Center, as follows:

  • We strongly recommend you use the latest version of ISE/ISE-PIC to get the latest feature set.

  • Synchronize the time on the ISE/ISE-PIC server and the Secure Firewall Management Center. Otherwise, the system might perform user timeouts at unexpected intervals.

  • To implement user control using ISE or ISE-PIC data, configure and enable a realm for the ISE server assuming the pxGrid persona as described in Create an LDAP realm or an Active Directory realm and realm directory.

  • Each Secure Firewall Management Center host name that connects to an ISE server must be unique; otherwise, the connection to one of the Secure Firewall Management Centers will be dropped.

  • If you configure ISE/ISE-PIC to monitor a large number of user groups, the system might drop user mappings based on groups due to managed device memory limitations. As a result, rules with realm or user conditions might not perform as expected.

    For any device running version 6.7 or later, you can optionally use the configure identity-subnet-filter command to limit the subnets that the managed device monitors. For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

    Alternatively, you can configure a network object and apply that object as an Identity Mapping Filter in the identity policy. See Create an Identity Policy.
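As an added illustration of what the subnet filter changes (example code written for this page, not Cisco code and not the Threat Defense implementation), the following Python model keeps only the user-to-IP mappings that fall inside the monitored subnets and then evaluates an access control rule with a group condition for hosts inside and outside the filter. The session updates, subnets, group names and SGT values are constructed sample data.

```python
"""Illustrative model of the identity mapping subnet filter.
Added example, not Cisco code and not the FTD implementation: the session
updates, subnets and group names below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Session:
    """One ISE/ISE-PIC session update: who is logged in at which address."""
    ip: str
    user: str
    groups: FrozenSet[str]
    sgt: int


# Constructed sample: pxGrid-style session updates (not captured data).
SESSIONS = [
    Session("10.10.1.25", "alice", frozenset({"Engineering", "VPN-Users"}), 10),
    Session("10.10.1.40", "bob", frozenset({"Finance"}), 20),
    Session("10.20.5.7", "carol", frozenset({"Engineering"}), 10),
    Session("2001:db8:1::15", "dave", frozenset({"Finance"}), 20),
    Session("192.168.77.3", "eve", frozenset({"Guests"}), 30),
]


def build_mapping_table(sessions: Iterable[Session],
                        monitored_subnets: Optional[Iterable[str]] = None) -> Dict:
    """Return {address: Session}, keeping only sessions whose address falls in
    a monitored subnet. With no filter every mapping is kept, which is the
    situation where a large user/group population can exhaust device memory."""
    nets = [ip_network(n) for n in monitored_subnets] if monitored_subnets else None
    table = {}
    for s in sessions:
        addr = ip_address(s.ip)
        # ip_address-in-ip_network is False across address families, so a
        # mixed IPv4/IPv6 filter list is safe to apply in one pass.
        if nets is None or any(addr in net for net in nets):
            table[addr] = s
    return table


def identify(table: Dict, ip: str) -> str:
    """Identity lookup for a flow's source address; unmapped hosts are Unknown."""
    s = table.get(ip_address(ip))
    return s.user if s else "Unknown"


def group_rule_matches(table: Dict, ip: str, required_group: str) -> bool:
    """Access control rule with a group condition: it matches only when the
    source address maps to a user in that group. An Unknown user never matches,
    so a host outside the filtered subnets falls through to later rules."""
    s = table.get(ip_address(ip))
    return s is not None and required_group in s.groups


if __name__ == "__main__":
    everything = build_mapping_table(SESSIONS)
    filtered = build_mapping_table(SESSIONS, ["10.10.0.0/16", "2001:db8:1::/64"])
    print(f"unfiltered mappings: {len(everything)}, filtered: {len(filtered)}")
    for ip in ("10.10.1.25", "10.20.5.7"):
        print(ip, identify(filtered, ip), "Engineering rule matches:",
              group_rule_matches(filtered, ip, "Engineering"))
```

The point to take from the model is the trade-off the guideline describes: the filter bounds the table the device has to hold, but any rule with a user or group condition silently stops matching hosts outside the filtered subnets, because they are reported as Unknown rather than as the wrong user. Choose the subnets so that every host you intend to control by identity is inside them.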

For the specific versions of ISE/ISE-PIC that are compatible with this version of the system, see the Cisco Firepower Compatibility Guide.

IPv6 support

  • Compatible ISE/ISE-PIC 2.x versions support IPv6-enabled endpoints.

  • ISE/ISE-PIC version 3.0 patch 2 and later supports IPv6 communication between ISE/ISE-PIC and the Firewall Management Center.

Approve clients in ISE

Before a connection between the ISE server and the Firewall Management Center succeeds, you must manually approve the clients in ISE. (Typically, there are two clients: one for the connection test and another for the ISE agent.)

You can also enable Automatically approve new accounts in ISE as discussed in the chapter on Managing users and external identity sources in the Cisco Identity Services Engine Administrator Guide.

Security Group Tags (SGT)

A Security Group Tag (SGT) specifies the privileges of a traffic source within a trusted network. Cisco ISE and Cisco TrustSec use a feature called Security Group Access (SGA) to apply SGT attributes to packets as they enter the network. These SGTs correspond to a user's assigned security group within ISE or TrustSec. If you configure ISE as an identity source, the Firepower System can use these SGTs to filter traffic.

Security Group Tags can be used both as source and destination matching criteria in access control rules.

Note

To implement user control using only the ISE SGT attribute tag, you do not need to configure a realm for the ISE server. ISE SGT attribute conditions can be configured in policies with or without an associated identity policy.

Note

In some rules, custom SGT conditions can match traffic tagged with SGT attributes that were not assigned by ISE. This is not considered user control, and works only if you are not using ISE/ISE-PIC as an identity source; see Custom SGT Conditions.

To match destination SGT tags in addition to source SGT tags, the following apply:

Required ISE version: 2.6 patch 6 or later, or 2.7 patch 2 or later

Router support: Any Cisco router that supports SGT inline tagging over Ethernet. For more information, consult a reference such as the Cisco Group Based Policy Platform and Capability Matrix Release

Limitations:

  • Quality of Service (QoS) policy uses source SGT matching only; it does not use destination SGT matching

  • RA-VPN does not receive SGT mappings directly through RADIUS
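To make the matching semantics concrete, the following Python model (an added example written for this page, not Cisco code and not the Secure Firewall implementation) evaluates constructed access control rules against flows using both source and destination SGT, and a QoS rule set that consults the source SGT only, as the limitation above states. An empty tag set on a rule means "any", and untagged traffic never satisfies an explicit tag condition. Rule names, tag values and addresses are constructed sample data; the choice to reject a destination SGT condition on a QoS rule, rather than ignore it, is a design decision of this model.

```python
"""Illustrative model of SGT matching in access control and QoS rules.
Added example, not Cisco code or the Secure Firewall implementation: rule
names, tag values and flows below are constructed sample data."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_sgt: Optional[int]  # None models untagged / unmapped traffic
    dst_sgt: Optional[int]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src_sgts: FrozenSet[int] = frozenset()  # empty set means "any"
    dst_sgts: FrozenSet[int] = frozenset()


def _tag_matches(tag: Optional[int], allowed: FrozenSet[int]) -> bool:
    """A tag condition with no tags listed is satisfied by anything; otherwise
    the flow must carry one of the listed tags. Untagged traffic (None) never
    satisfies an explicit tag condition."""
    if not allowed:
        return True
    return tag is not None and tag in allowed


def match_access_control(rules: Sequence[Rule], flow: Flow) -> str:
    """First-match evaluation using both the source and destination SGT."""
    for rule in rules:
        if _tag_matches(flow.src_sgt, rule.src_sgts) and \
                _tag_matches(flow.dst_sgt, rule.dst_sgts):
            return rule.name
    return "default-action"


def match_qos(rules: Sequence[Rule], flow: Flow) -> str:
    """QoS evaluates the source SGT only. A destination SGT condition on a QoS
    rule is rejected here rather than silently ignored (model design choice)."""
    for rule in rules:
        if rule.dst_sgts:
            raise ValueError(f"QoS rule {rule.name!r}: destination SGT not supported")
        if _tag_matches(flow.src_sgt, rule.src_sgts):
            return rule.name
    return "default-action"


# Constructed sample tags: 10 = Engineering, 20 = Finance, 100 = Prod-Servers
ACCESS_RULES = [
    Rule("eng-to-prod", "allow", frozenset({10}), frozenset({100})),
    Rule("finance-to-prod", "block", frozenset({20}), frozenset({100})),
    Rule("any-to-finance-tagged", "allow", frozenset(), frozenset({20})),
]
QOS_RULES = [Rule("rate-limit-eng", "rate-limit", frozenset({10}))]

ENG_TO_PROD = Flow("10.10.1.25", "10.50.0.10", 10, 100)
ENG_TO_UNTAGGED = Flow("10.10.1.25", "10.60.0.5", 10, None)
UNTAGGED_TO_PROD = Flow("192.168.77.3", "10.50.0.10", None, 100)

if __name__ == "__main__":
    for flow in (ENG_TO_PROD, ENG_TO_UNTAGGED, UNTAGGED_TO_PROD):
        print(flow.src_ip, "->", flow.dst_ip,
              "AC:", match_access_control(ACCESS_RULES, flow),
              "QoS:", match_qos(QOS_RULES, flow))
```

Two behaviours are worth noting when you write real rules: a flow whose destination carries no tag (for example, a path where the router does not preserve inline tagging) will not hit a rule with a destination SGT condition, so it falls to the default action; and because QoS cannot see the destination tag, a QoS rule keyed on the Engineering tag applies to all Engineering traffic, not only to the Engineering-to-production path that the access control rule singles out.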

ISE and High Availability

When the primary ISE/ISE-PIC server fails, the following occur:
  • Until the standby is promoted to primary, the user database on the secondary ISE/ISE-PIC server is read-only.

    Users added to the repository (for example, Active Directory) are not downloaded to the Secure Firewall Management Center and those users are identified as Unknown.

    New SGTs are not used.

  • After the standby is promoted to primary, all operations return to normal; that is, users are downloaded, new SGTs are used, and users are identified if possible.

ISE Attributes

Configuring an ISE connection populates the Secure Firewall Management Center database with ISE attribute data. You can use the following ISE attributes for user awareness and user control. This is not supported with ISE-PIC.

Endpoint Location (or Location IP)

An Endpoint Location attribute is the IP address of the network device that used ISE to authenticate the user, as identified by ISE.

You must configure and deploy an identity policy to control traffic based on Endpoint Location (Location IP).

Endpoint Profile (or Device Type)

An Endpoint Profile attribute is the user's endpoint device type, as identified by ISE.

You must configure and deploy an identity policy to control traffic based on Endpoint Profile (Device Type).