Troubleshooting ISE e integración de FirePOWER para los servicios de la identidad

admin@firepower:~$ sudo su -
Password: 
root@firepower:~# 
root@firepower:~# openssl genrsa -des3 -out fire.key 4096
Generating RSA private key, 4096 bit long modulus
.........
..............
e is 65537 (0x10001)
Enter pass phrase for fire.key:
Verifying - Enter pass phrase for fire.key:
root@firepower:~# 
root@firepower:~# openssl req -new -key fire.key -out fire.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code []:PL
State or Province Name []:
Locality Name []:
Organization Name []:Cisco
Organizational Unit Name []:TAC
Common Name []:firepower.example.com
Email Address []:
root@firepower:~# 

Verificación

Después de que todo se configure correctamente el ISE debe ver al cliente del pxGrid el inscribir para un servicio de sesión (Online del estatus).

De los registros usted puede también confirmar que FMC ha inscrito para el servicio de TrustSecMetaData (etiquetas SGT) - consiguieron todas las etiquetas y desinscribieron.

Establecimiento de la sesión de VPN

La primera prueba se realiza para un escenario cuando la autorización en el ISE no vuelve la etiqueta correcta SGT (NGIPS no permite las pruebas de auditoría).

Una vez que la sesión de VPN está ENCIMA de la interfaz de usuario de AnyConnect (UI) puede proporcionar más detalles:

Se establece el ASA puede confirmar la sesión:

asav# show vpn-sessiondb anyconnect 

Session Type: AnyConnect

Username     : Administrator          Index        : 1
Assigned IP  : 172.16.50.50           Public IP    : 192.168.10.67
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128                                                                                                                              
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1                                                                                                                               
Bytes Tx     : 11428                  Bytes Rx     : 24604                                                                                                                                                         
Group Policy : POLICY                 Tunnel Group : SSLVPN                                                                                                                                                        
Login Time   : 12:22:59 UTC Wed Dec 2 2015                                                                                                                                                                         
Duration     : 0h:01m:49s                                                                                                                                                                                          
Inactivity   : 0h:00m:00s                                                                                                                                                                                          
VLAN Mapping : N/A                    VLAN         : none                                                                                                                                                          
Audt Sess ID : ac101f6400001000565ee2a3

Note por favor que el ASA ve cualquier etiqueta SGT vuelta para esta autenticación. El ASA no se configura para TrustSec - para saltar la información de todos modos.

El ISE está también señalando la autorización exitosa (el registro en 23:36:19) - ninguna etiqueta SGT vuelta:

FMC que consigue los datos de la sesión del MNT

En esa etapa FMC en /var/log/messages señala una nueva sesión (recibida como suscriptor para el servicio del pxGrid) para las operaciones de búsqueda del nombre de usuario del administrador y del peform AD para la membresía del grupo:

firepower SF-IMS[3554]: [17768] ADI:adi.LdapRealm [INFO] search 
'(|(sAMAccountName=Administrator))' has the following DN: 
'CN=Administrator,CN=Users,DC=example,DC=com'.

Acceso a la red no privilegiado y privilegiado

Cuando en los intentos de ese usuario de la etapa para abrir al buscador Web y a accederlo auditoría el servidor, la conexión será terminada:

Puede ser confirmada por las capturas de paquetes tomadas del cliente (el TCP RST envía según la configuración FMC):

Una vez que el ISE se configura para volver, la sesión de la etiqueta ASA de la auditoría señala:

asav# show vpn-sessiondb anyconnect 

Session Type: AnyConnect

Username     : Administrator          Index        : 1
Assigned IP  : 172.16.50.50           Public IP    : 192.168.10.67
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128                                                                                                                              
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1                                                                                                                               
Bytes Tx     : 11428                  Bytes Rx     : 24604                                                                                                                                                         
Group Policy : POLICY                 Tunnel Group : SSLVPN                                                                                                                                                        
Login Time   : 12:22:59 UTC Wed Dec 2 2015                                                                                                                                                                         
Duration     : 0h:01m:49s                                                                                                                                                                                          
Inactivity   : 0h:00m:00s                                                                                                                                                                                          
VLAN Mapping : N/A                    VLAN         : none                                                                                                                                                          
Audt Sess ID : ac101f6400001000565ee2a3
Security Grp : 9

Se vuelve el ISE es también señala a un interventor de la etiqueta de la autorización exitosa (el registro en 23:37:26) - SGT:

Y el usuario puede acceder el servicio mencionado:

Acceso del registro FMC

Esta actividad se puede confirmar por el informe del evento de conexión:

Primero, el usuario no hizo ninguna etiqueta SGT asignar y golpeaba la regla DenyUnprivileged-HTTP. Una vez que la etiqueta del interventor ha sido asignada por la regla ISE (y extraída por FMC), se utiliza el PermitPrivileged-HTTP y se permite el acceso.

También note eso para tener la visualización, se han quitado las columnas múltiples porque normalmente se visualizan la regla del control de acceso y la etiqueta del grupo de seguridad mientras que una de las columnas más recientes (y de la barra de desplazamiento horizontal necesita ser utilizado). Que la visión personalizada se puede guardar y reutilizar en el futuro.

Troubleshooting

Debugs FMC

Para marcar los registros del componente adi responsables del control /var/log/messages de los servicios de la identidad clasifían:

[23509] ADI_ISE_Test_Help:ADI_ISE_Test_Help [INFO] Parsing command line arguments...            
[23509] ADI_ISE_Test_Help:adi.DirectoryTestHandler [INFO] test: ISE connection.             
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Preparing ISE Connection objects...            
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Preparing subscription objects...             
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] subscribed successfully to EndpointProfileMetaDataCapability            
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] registered callback for capability EndpointProfileMetaDataCapability           
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] subscribed successfully to TrustSecMetaDataCapability            
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] registered callback for capability TrustSecMetaDataCapability           
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] subscribed successfully to SessionDirectoryCapability            
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] registered callback for capability SessionDirectoryCapability           
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Connecting to ISE server...            
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Beginning to connect to ISE server...          
[23510] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:44 [ INFO]: _reconnection_thread started         
[23510] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:44 [ INFO]: pxgrid connection init done successfully      
[23510] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:44 [ INFO]: connecting to host lise20.example.com .......      
[23511] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:44 [ INFO]: stream opened         
[23511] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:44 [ INFO]: EXTERNAL authentication complete        
[23511] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:44 [ INFO]: authenticated successfully (sasl mechanism: EXTERNAL)      
[23510] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: successfully subscribed         
message repeated 2 times               
[23510] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Queried 1 bulk download hostnames:lise20.example.com:8910           
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] ...successfully connected to ISE server.           
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Starting bulk download             
[23514] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://lise20.example.com:8910/pxgrid/mnt/sd/getSessionListByTime'       
[8893] ADI:ADI [INFO] : sub command emits:'* Trying 172.16.31.210...'          
[8893] ADI:ADI [INFO] : sub command emits:'* Connected to lise20.example.com (172.16.31.210) port 8910 (#0)'     
[8893] ADI:ADI [INFO] : sub command emits:'* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH'         
[8893] ADI:ADI [INFO] : sub command emits:'* SSL connection using TLSv1.2 / DHE-RSA-AES256-SHA256'      
[8893] ADI:ADI [INFO] : sub command emits:'* Server certificate:'          
[8893] ADI:ADI [INFO] : sub command emits:'* ^I subject: CN=lise20.example.com'         
[8893] ADI:ADI [INFO] : sub command emits:'* ^I start date: 2015-11-21 14:40:36 GMT'      
[8893] ADI:ADI [INFO] : sub command emits:'* ^I expire date: 2017-11-20 14:40:36 GMT'      
[8893] ADI:ADI [INFO] : sub command emits:'* ^I common name: lise20.example.com (matched)'       
[8893] ADI:ADI [INFO] : sub command emits:'* ^I issuer: DC=com; DC=example; CN=example-WIN-CA'       
[8893] ADI:ADI [INFO] : sub command emits:'* ^I SSL certificate verify ok.'       
[8893] ADI:ADI [INFO] : sub command emits:'> POST /pxgrid/mnt/sd/getSessionListByTime HTTP/1.1^M'         
[8893] ADI:ADI [INFO] : sub command emits:'Host: lise20.example.com:8910^M'           
[8893] ADI:ADI [INFO] : sub command emits:'Accept: */*^M'           
[8893] ADI:ADI [INFO] : sub command emits:'Content-Type: application/xml^M'           
[8893] ADI:ADI [INFO] : sub command emits:'user:firesightisetest-firepower.example.com-0739edea820cc77e04cc7c44200f661e@xgrid.cisco.com^M'            
[8893] ADI:ADI [INFO] : sub command emits:'Content-Length: 269^M'           
[8893] ADI:ADI [INFO] : sub command emits:'^M'            
[8893] ADI:ADI [INFO] : sub command emits:'* upload completely sent off: 269 out of 269 bytes'   
[8893] ADI:ADI [INFO] : sub command emits:'< HTTP/1.1 200 OK^M'         
[8893] ADI:ADI [INFO] : sub command emits:'< Date: Tue, 01 Dec 2015 23:10:45 GMT^M'     
[8893] ADI:ADI [INFO] : sub command emits:'< Content-Type: application/xml^M'          
[8893] ADI:ADI [INFO] : sub command emits:'< Content-Length: 1287^M'          
[8893] ADI:ADI [INFO] : sub command emits:'< Server: ^M'          
[8893] ADI:ADI [INFO] : sub command emits:'< ^M'           
[8893] ADI:ADI [INFO] : sub command emits:'* Connection #0 to host lise20.example.com left intact'     
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] bulk download processed 0 entries.           
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] disconnecting pxgrid              
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: Starting reconnection stop        
[23510] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: _reconnection_thread exited         
[23511] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: stream closed; err_dom=(null) 2015-12-01T23:10:45 [ INFO]: clientDisconnectedCb -> destroying client object
[23511] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: pxgrid connection shutdown done successfully      
[23511] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: Exiting from event base loop      
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: successfully disconnected         
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: connection disconnect done .....       
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] destroying pxgrid reconnection             
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] destroying underlying pxgrid connection            
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] destroying pxgrid config             
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] ISE identity feed destructor called           
[23509] ADI_ISE_Test_Help:ADI_ISE_Test_Help [INFO] /usr/local/sf/bin/adi_iseTestHelp cleanly exits.             
[23509] ADI_ISE_Test_Help:adi.ISEConnection [INFO] Captured Jabberwerx log:2015-12-01T23:10:45 [ INFO]: pxgrid library has been uninitialized      
[8893] ADI:ADI [INFO] Parent done waiting, child completed with integer status 0       

Para conseguir más detallado lo hace el debug de es posible matar al proceso adi (de la raíz después del sudo) y ejecutarlo con el argumento del debug:

root@firepower:/var/log# ps ax | grep adi             
24047 ?        Sl     0:00 /usr/local/sf/bin/adi
24090 pts/0    S+     0:00 grep adi
root@firepower:/var/log# kill -9 24047                 
root@firepower:/var/log# /usr/local/sf/bin/adi --debug
Dec 01 23:14:34 firepower SF-IMS[24106]: [24106] ADI:adi.Adi [DEBUG] adi.cpp:319:HandleLog(): ADI Created, awaiting config
Dec 01 23:14:34 firepower SF-IMS[24106]: [24106] ADI:config [DEBUG] config.cpp:289:ProcessConfigGlobalSettings(): Parsing global settings
<..........a lot of detailed output with data.......>

Interrogación SGT vía el pxGrid

Se ejecuta la operación cuando el botón Test Button se hace clic en la sección de integración ISE o cuando se restaura la lista SGT, mientras que agrega la regla en la directiva del control de acceso.

Dec 01 23:14:38 firepower SF-IMS[24106]: [24139] ADI:adi.ISEConnection [DEBUG] adi.cpp:319:HandleLog(): Querying Security Group metaData...
Dec 01 23:14:38 firepower SF-IMS[24106]: [24139] ADI:adi.pxGridAdapter [DEBUG] adi.cpp:319:HandleLog(): pxgrid_connection_query(connection*:0x10c7da0, capability: 0x1064510, request:<getSecurityGroupListRequest xmlns='http://www.cisco.com/pxgrid/identity'/>)...
Dec 01 23:14:38 firepower SF-IMS[24106]: [24139] ADI:adi.pxGridAdapter [DEBUG] adi.cpp:319:HandleLog(): returns [OK|<ns5:getSecurityGroupListResponse xmlns:ns2='http://www.cisco.com/pxgrid' xmlns:ns3='http://www.cisco.com/pxgrid/net' xmlns:ns4='http://www.cisco.com/pxgrid/admin' xmlns:ns5='http://www.cisco.com/pxgrid/identity' xmlns:ns6='http://www.cisco.com/pxgrid/eps' xmlns:ns7='http://www.cisco.com/pxgrid/netcap' xmlns:ns8='http://www.cisco.com/pxgrid/anc'><ns5:SecurityGroups><ns5:SecurityGroup><ns5:id>fc6f9470-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Unknown</ns5:name><ns5:description>Unknown Security Group</ns5:description><ns5:tag>0</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fc7c8cc0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>ANY</ns5:name><ns5:description>Any Security Group</ns5:description><ns5:tag>65535</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fcf95de0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Auditors</ns5:name><ns5:description>Auditor Security Group</ns5:description><ns5:tag>9</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fd14fc30-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>BYOD</ns5:name><ns5:description>BYOD Security Group</ns5:description><ns5:tag>15</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fd2fb020-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Contractors</ns5:name><ns5:description>Contractor Security Group</ns5:description><ns5:tag>5</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fd4e34a0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Developers</ns5:name><ns5:description>Developer Security Group</ns5:description><ns5:tag>8</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fd6d2e50-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Development_Servers</ns5:name><ns5:description>Development Servers Security Group</ns5:description><ns5:tag>12</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fda10f90-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Employees</ns5:name><ns5:description>Employee Security Group</ns5:description><ns5:tag>4</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fdbcd4f0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Guests</ns5:name><ns5:description>Guest Security Group</ns5:description><ns5:tag>6</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fdd9abc0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Network_Services</ns5:name><ns5:description>Network Services Security Group</ns5:description><ns5:tag>3</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fdf4d4e0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>PCI_Servers</ns5:name><ns5:description>PCI Servers Security Group</ns5:description><ns5:tag>14</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fe11abb0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Point_of_Sale_Systems</ns5:name><ns5:description>Point of Sale Security Group</ns5:description><ns5:tag>10</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fe2d22f0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Production_Servers</ns5:name><ns5:description>Production Servers Security Group</ns5:description><ns5:tag>11</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fe487320-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Production_Users</ns5:name><ns5:description>Production User Security Group</ns5:description><ns5:tag>7</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fe62d8f0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Quarantined_Systems</ns5:name><ns5:description>Quarantine Security Group</ns5:description><ns5:tag>255</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fe7d3ec0-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>Test_Servers</ns5:name><ns5:description>Test Servers Security Group</ns5:description><ns5:tag>13</ns5:tag></ns5:SecurityGroup><ns5:SecurityGroup><ns5:id>fe99c770-6d8f-11e5-978e-005056bf2f0a</ns5:id><ns5:name>TrustSec_Devices</ns5:name><ns5:description>TrustSec Devices Security Group</ns5:description><ns5:tag>2</ns5:tag></ns5:SecurityGroup></ns5:SecurityGroups></ns5:getSecurityGroupListResponse>]

Para un mejor xml de la visión un contenido de ese registro se puede copiar al archivo del xml y abrir por un buscador Web. Usted puede confirmar que se está recibiendo SGT específico (auditoría) así como el resto del SGT se está definiendo en el ISE:

Interrogación de la sesión vía el RESTO API al MNT

Eso es también una probar la operación de la parte de (note por favor que ese nombre de host y puerto MNT está pasado vía el pxGrid). Se utiliza la descarga a granel de la sesión:

Dec 01 23:14:39 firepower SF-IMS[24106]: [24143] ADI:adi.pxGridAdapter [DEBUG] adi.cpp:319:HandleLog(): returns [OK, p_node*:0x7f0ea6ffa8a8(<session xmlns='http://www.cisco.com/pxgrid/net'><gid xmlns='http://www.cisco.com/pxgrid'>ac101f6400007000565d597f</gid><lastUpdateTime xmlns='http://www.cisco.com/pxgrid'>2015-12-01T23:37:31.191+01:00</lastUpdateTime><extraAttributes xmlns='http://www.cisco.com/pxgrid'><attribute>UGVybWl0QWNjZXNzLEF1ZGl0b3Jz</attribute></extraAttributes><state>Started</state><RADIUSAttrs><attrName>Acct-Session-Id</attrName><attrValue>91200007</attrValue></RADIUSAttrs><interface><ipIntfID><ipAddress xmlns='http://www.cisco.com/pxgrid'>172.16.50.50</ipAddress></ipIntfID><macAddress>08:00:27:23:E6:F2</macAddress><deviceAttachPt><deviceMgmtIntfID><ipAddress xmlns='http://www.cisco.com/pxgrid'>172.16.31.100</ipAddress></deviceMgmtIntfID></deviceAttachPt></interface><user><name xmlns='http://www.cisco.com/pxgrid'>Administrator</name><ADUserDNSDomain>example.com</ADUserDNSDomain><ADUserNetBIOSName>EXAMPLE</ADUserNetBIOSName></user><assessedPostureEvent/><endpointProfile>Windows7-Workstation</endpointProfile><securityGroup>Auditors</securityGroup></session>)]
Dec 01 23:14:39 firepower SF-IMS[24106]: [24143] ADI:adi.ISEConnection [DEBUG] adi.cpp:319:HandleLog(): bulk download invoking callback on entry# 1
Dec 01 23:14:39 firepower SF-IMS[24106]: [24143] ADI:adi.ISESessionEntry [DEBUG] adi.cpp:319:HandleLog(): parsing Session Entry with following text:<session xmlns='http://www.cisco.com/pxgrid/net'><gid xmlns='http://www.cisco.com/pxgrid'>ac101f6400007000565d597f</gid><lastUpdateTime xmlns='http://www.cisco.com/pxgrid'>2015-12-01T23:37:31.191+01:00</lastUpdateTime><extraAttributes xmlns='http://www.cisco.com/pxgrid'><attribute>UGVybWl0QWNjZXNzLEF1ZGl0b3Jz</attribute></extraAttributes><state>Started</state><RADIUSAttrs><attrName>Acct-Session-Id</attrName><attrValue>91200007</attrValue></RADIUSAttrs><interface><ipIntfID><ipAddress xmlns='http://www.cisco.com/pxgrid'>172.16.50.50</ipAddress></ipIntfID><macAddress>08:00:27:23:E6:F2</macAddress><deviceAttachPt><deviceMgmtIntfID><ipAddress xmlns='http://www.cisco.com/pxgrid'>172.16.31.100</ipAddress></deviceMgmtIntfID></deviceAttachPt></interface><user><name xmlns='http://www.cisco.com/pxgrid'>Administrator</name><ADUserDNSDomain>example.com</ADUserDNSDomain><ADUserNetBIOSName>EXAMPLE</ADUserNetBIOSName></user><assessedPostureEvent/><endpointProfile>Windows7-Workstation</endpointProfile><securityGroup>Auditors</securityGroup></session>

Y resultado analizado (1 sesión activa recibida):

Dec 01 23:14:39 firepower SF-IMS[24106]: [24142] ADI:adi.ISESessionEntry [DEBUG] 
adi.cpp:319:HandleLog(): Parsing incoming DOM resulted in following ISESessionEntry:
{gid = ac101f6400007000565d597f, timestamp = 2015-12-01T23:37:31.191+01:00, 
state = Started, session_id = 91200007, nas_ip = 172.16.31.100, 
mac_addr = 08:00:27:23:E6:F2, ip = 172.16.50.50, user_name = Administrator, 
sgt = Auditors, domain = example.com, device_name = Windows7-Workstation}

En esa etapa NGIPS es intentos para correlacionar ese nombre de usuario (y el dominio) con el nombre de usuario Reino-AD:

Dec 01 23:14:39 firepower SF-IMS[24106]: [24142] ADI:adi.RealmContainer [DEBUG] adi.cpp:319
:HandleLog(): findRealm: Found Realm for domain example.com
Dec 01 23:14:39 firepower SF-IMS[24106]: [24142] ADI:adi.ISEConnectionSub [DEBUG] 
adi.cpp:319:HandleLog(): userName = 'Administrator' realmId = 2, ipAddress = 172.16.50.50

El LDAP se utiliza para encontrar un usuario y una membresía del grupo:

Dec 01 23:14:39 firepower SF-IMS[24106]: [24142] ADI:adi.LdapRealm [INFO] adi.cpp:322:
HandleLog(): search '(|(sAMAccountName=Administrator))' has the following 
DN: 'CN=Administrator,CN=Users,DC=example,DC=com'.
Dec 01 23:14:39 firepower SF-IMS[24106]: [24142] ADI:adi.LdapRealm [DEBUG] adi.cpp:319:
HandleLog(): getUserIdentifier: searchfield sAMAccountName has display naming attr: 
Administrator.

Debugs ISE

Después de habilitar el debug del nivel de traza para el componente del pxGrid su posible marcar cada operación (pero sin el payload/los datos tenga gusto en FMC).

Ejemplo con la extracción de la etiqueta SGT:

2015-12-02 00:05:39,352 DEBUG  [pool-1-thread-14][] cisco.pxgrid.controller.query.CoreAuthorizationManager -::
:::- checking core authorization (topic=TrustSecMetaData, user=firesightisetest-firepower.example.com
-0739edea820cc77e04cc7c44200f661e@xgrid.cisco.com, operation=subscribe)...
2015-12-02 00:05:39,358 TRACE  [pool-1-thread-14][] cisco.pxgrid.controller.common.
LogAdvice -:::::- args: [TrustSecMetaData, subscribe, firesightisetest-firepower.example.com-0739edea820cc77e04cc7c44200f661e@xg
rid.cisco.com]
2015-12-02 00:05:39,359 DEBUG  [pool-1-thread-14][] cisco.pxgrid.controller.persistence.
XgridDaoImpl -:::::-  groups [Any, Session] found for client firesightisetest-firepower.
example.com-0739edea820cc77e04cc7c44200f661e@xgrid.cisco.com
2015-12-02 00:05:39,360 DEBUG  [pool-1-thread-14][] cisco.pxgrid.controller.persistence.
XgridDaoImpl -:::::- permitted rule found for Session TrustSecMetaData subscribe. 
total rules found 1 

Bug

CSCuv32295 - El ISE puede enviar la información sobre el dominio en los campos de nombre de usuario

CSCus53796 - Incapaz de conseguir el FQDN del host para la interrogación del bulto del RESTO

CSCuv43145 - PXGRID y reinicio del servicio de la asignación de la identidad, importación/cancelación del almacén de la confianza