Cisco Firepower Management Center 2000 Troubleshooting Guide

Step 1: FMC retrieves a list of the Security Groups from ISE.
Step 2: Access control policies that include Security Groups as a condition are created on FMC.
Step 3: When endpoints authenticate and authorize with ISE, the session data is published to FMC.
Step 4: FMC builds a User-IP-SGT mapping file and pushes it to the sensor.
Step 5: The source IP address of the traffic is matched to a Security Group using the session data from the User-IP mapping.
Step 6: If the Security Group of the traffic source matches the condition in the access control policy, the sensor takes the configured action.
An FMC retrieves a complete SGT list when the configuration for ISE integration is saved under
System > Integration > Identity Sources > Identity Services Engine.
Note: Clicking the Test button (as shown below) does not trigger FMC to retrieve SGT data.
The communication between FMC and ISE is facilitated by ADI (Abstract Directory Interface),
which is a unique process (there can only be one instance) running on FMC. Other processes on
FMC subscribe to ADI and request information. Currently the only component that subscribes to
ADI is the data correlator. 
FMC saves the SGT in a local database. The database contains both the SGT name and number,
but currently FMC uses a unique identifier (Secure Tag ID) as the handle when processing SGT data.
This database is also propagated to the sensors.
If ISE Security Groups are changed, such as removal or addition of groups, ISE pushes a pxGrid
notification to FMC to update the local SGT database.
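The six-step flow above, as an added Python model that is not FMC or ISE code: it keeps a local SGT database keyed by Secure Tag ID, builds the User-IP-SGT mapping from session records, resolves a source IP to an SGT, and applies the first rule whose Security Group condition contains it. All group, session and rule values are constructed, and the handling of a tag deleted on ISE before the mapping is refreshed (it matches no rule) is an assumption, not behaviour the guide states.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed model of the six-step flow described above; not FMC or ISE code.
@dataclass
class SgtDatabase:
    tags: dict = field(default_factory=dict)  # Secure Tag ID -> (name, number)

    def load_from_ise(self, ise_groups):
        # Step 1: full SGT list retrieved when the ISE integration is saved.
        self.tags = {g["id"]: (g["name"], g["number"]) for g in ise_groups}

    def apply_pxgrid_update(self, added=(), removed=()):
        # Groups added or removed on ISE arrive as a pxGrid notification.
        for g in added:
            self.tags[g["id"]] = (g["name"], g["number"])
        for tag_id in removed:
            self.tags.pop(tag_id, None)

def build_user_ip_sgt_mapping(sessions):
    # Step 4: User-IP-SGT mapping built from ISE session data, keyed by endpoint IP.
    return {str(ip_address(s["ip"])): (s["user"], s["sgt_id"]) for s in sessions}

def sensor_action(src_ip, mapping, rules, sgt_db, default_action="allow"):
    # Steps 5-6: resolve the source IP to an SGT, then take the action of the first
    # rule whose Security Group condition contains it. An IP with no session, or a
    # tag no longer present in the local database (an assumption), matches no rule.
    entry = mapping.get(str(ip_address(src_ip)))
    if entry is None or entry[1] not in sgt_db.tags:
        return default_action
    for rule in rules:
        if entry[1] in rule["sgt_ids"]:
            return rule["action"]
    return default_action

# Constructed sample data: two ISE groups, two authenticated sessions, two rules.
ISE_GROUPS = [{"id": "sgt-guests", "name": "Guests", "number": 6},
              {"id": "sgt-employees", "name": "Employees", "number": 4}]
SESSIONS = [{"user": "alice", "ip": "10.1.1.5", "sgt_id": "sgt-employees"},
            {"user": "bob", "ip": "10.1.2.7", "sgt_id": "sgt-guests"}]
RULES = [{"name": "block-guests", "sgt_ids": {"sgt-guests"}, "action": "block"},
         {"name": "allow-employees", "sgt_ids": {"sgt-employees"}, "action": "allow"}]

def run_demo():
    db = SgtDatabase()
    db.load_from_ise(ISE_GROUPS)
    mapping = build_user_ip_sgt_mapping(SESSIONS)
    before = [sensor_action(ip, mapping, RULES, db) for ip in ("10.1.2.7", "10.1.1.5", "10.9.9.9")]
    db.apply_pxgrid_update(removed=["sgt-guests"])  # Guests group deleted on ISE
    return before, sensor_action("10.1.2.7", mapping, RULES, db)
```

`run_demo()` returns `(['block', 'allow', 'allow'], 'allow')`: the guest session is blocked, the employee is allowed, an IP with no session falls to the default, and after the Guests group is removed the stale mapping no longer matches the block rule.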
When a user authenticates with ISE and authorizes with a Security Group Tag, ISE notifies FMC