FMC-ISE-AD Integration for CCIE Security

FMC-ISE-AD Integration

Introduction

In our ever-evolving IT industry, new devices and technologies are constantly introduced into existing networks to keep them dynamic and adaptable. To do this while maintaining network security, the various technologies and devices have to be integrated with one another.

One significant shift in how networks are approached is granting access to end-users based on their identity rather than the network they connect from. To enable this capability, the interaction between the several devices working together needs to be analyzed. In this blog, I am going to go through one such example to explain how this implementation is achieved.

FMC-ISE-AD Integration in real life

Let's consider a simple example of providing internet access to an end-user based on their User/Group credentials, rather than configuring traditional IP-based Access Control. In our network, all end-users are located in VLAN 10 (10.1.1.0/24), belonging to different departments in the company. Their access should be determined by their identity when accessing the Outside Network (R2) through the Firepower Threat Defense (FTD) firewall.

Let's discuss the challenges and solutions for different aspects of this flow:

  • The Firewall Management Center (FMC) needs to know the User/Group names to create an Access Control Policy based on their identities. This information is available on the Active Directory Server. To accomplish this, we can integrate the FMC with the Active Directory Domain, allowing us to create policies based on the same database used for end-user authentication.
  • To grant network access and discover the dynamically assigned IP addresses, we need to authenticate the end-user devices through a network device, the Switch. We will use Dot1x authentication, with the Switch and ISE (Identity Services Engine) communicating through the RADIUS protocol. ISE will authenticate the end-users against the same Username/Group Database that was used to create the Access Control Policy in the FMC-Active Directory integration. By integrating the Active Directory with ISE, ISE will be able to authenticate the user and determine the IP address assigned to them by the DHCP Server.
  • At this point, the user has an assigned IP address and is ready to communicate with the network outside of the FTD Firewall. However, when the end-user sends data traffic towards the Outside network, the packet only contains the source IP address of the device, lacking information about the Active Directory user who logged into the device. FMC requires a mapping between the User/Group and the Dynamic IP assigned to the user. This mapping is available on ISE. To resolve this, we will integrate FMC with ISE using pxGrid, enabling FMC to obtain this information. Consequently, when the packet arrives at the FTD, it can correlate the User/Group name with the corresponding IP address, providing the required access.

To summarize the process, we will integrate FMC with Active Directory, allowing us to download the User/Group Database onto FMC. The FMC administrator will then create an Access Control Policy based on this information.

Next, when an end-user connects to the network, the switch will prompt them for a Username/Password. ISE will receive the response from the end-user and forward the authentication request to Active Directory for validation, thanks to the integration between ISE and Active Directory. Active Directory will validate the user, and ISE will inform the switch to grant access to the end-user. The end-user will be connected to the network and receive an IP address from the DHCP Server. The switch will retrieve this information and map the User/Group to the assigned IP. ISE will pass this information to FMC using pxGrid.

With this integration, FMC now has a mapping between the User/Group and the dynamically assigned IP address. When the end-user sends a packet towards the outside network, FMC will utilize the User/Group mapping and IP address information to enforce the Access Control Policy rules.
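The lookup chain described above can be sketched as a small model. This is an added illustration, not Cisco code or any FMC, ISE or pxGrid API: every class, function, user, group and rule name is hypothetical and the sample data is constructed. It assumes first-match rule ordering and a default action of block.

```python
# Simplified model of the identity lookup described above. Not Cisco code:
# all class, function, user and group names are hypothetical and constructed.
import ipaddress

# 1. User -> groups, as downloaded from Active Directory into FMC (constructed sample).
AD_GROUPS = {"alice": {"Engineering"}, "bob": {"Finance"}}

# 2. Access Control Policy built by the FMC administrator; first match wins.
RULES = [
    {"name": "eng-internet", "groups": {"Engineering"}, "action": "allow"},
    {"name": "finance-block", "groups": {"Finance"}, "action": "block"},
]
DEFAULT_ACTION = "block"  # assumption: traffic without a matching rule is dropped

USER_VLAN = ipaddress.ip_network("10.1.1.0/24")  # VLAN 10 from the article


class SessionDirectory:
    """3. IP -> user bindings, as learned from ISE over pxGrid."""

    def __init__(self):
        self._by_ip = {}

    def login(self, user, ip):
        addr = ipaddress.ip_address(ip)
        if addr not in USER_VLAN:
            raise ValueError(f"{ip} is outside {USER_VLAN}")
        # A DHCP address can be reused: the newest session replaces the old binding.
        self._by_ip[addr] = user

    def logout(self, ip):
        self._by_ip.pop(ipaddress.ip_address(ip), None)

    def user_for(self, ip):
        return self._by_ip.get(ipaddress.ip_address(ip))


def evaluate(sessions, src_ip):
    """Return (action, rule name, user) for a packet that carries only a source IP."""
    user = sessions.user_for(src_ip)
    groups = AD_GROUPS.get(user, set())
    for rule in RULES:
        if groups & rule["groups"]:
            return rule["action"], rule["name"], user
    # No binding (user is None) or no group match: fall through to the default.
    return DEFAULT_ACTION, "default", user
```

A source IP with no session binding never matches an identity rule, which is why the default action and the freshness of the IP-to-user mapping matter as much as the rules themselves.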

Conclusion

The transformation towards identity-based network access, rather than conventional IP-based access, presents a dynamic and secure approach to network management. This method enables us to manage network access in a more personalized, secure, and effective manner, reinforcing our IT infrastructure. By integrating FMC with Active Directory and employing ISE for user authentication and IP mapping, we can implement precise Access Control Policy rules, ensuring each user only accesses the network resources they are authorized for. This strategy not only strengthens our network security but also enhances the user experience. It's a fascinating journey of adapting and innovating, which underscores our commitment to staying at the forefront of the ever-evolving IT landscape.