Create an Identity Mapping Filter
An identity mapping filter can be used to limit the networks to which an identity rule applies. For example, if your management center manages FTDs that have a limited amount of memory, you can limit the networks they monitor.
You must create separate identity mapping filters for IPv4 and IPv6 addresses.
You can also optionally exclude subnets from the following:
-
Receiving user-to-IP and Security Group Tag (SGT)-to-IP mappings from ISE.
You should typically do this for lower-memory managed devices to prevent Snort identity health monitor memory errors.
Before you begin
Perform the following tasks:
-
Create a realm, which is required for an identity policy. See Create an LDAP Realm or an Active Directory Realm and Realm Directory.
-
Create an identity policy. See Create an Identity Policy.
-
Create a network object or network group object as discussed in Creating Network Objects. The network object or group you create should define the network you want managed devices to monitor in identity policies.
Procedure
Step 1 | Log in to the management center. | ||
Step 2 | Click . | ||
Step 3 | Click Edit (). | ||
Step 4 | Click the Identity Source tab. | ||
Step 5 | From the Identity Mapping Filter list, choose the name of a network object to use as a filter . To create a new network object, see Creating Network Objects.
| ||
Step 6 | Click Save. | ||
Step 7 | (Not required for Microsoft Azure AD realms.) Deploy configuration changes to managed devices; see Deploy Configuration Changes. |
What to do next
To check or change ISE identity mapping filters (also referred to as subnet filters), use the following commands:
show identity-subnet-filter
configure identity-subnet-filter { add | remove } subnet