Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
Bookmark
|
Subscribe
|
38432
Views
25
Helpful
2
Comments

ISE Easy Connect

thomas
Cisco Employee
Cisco Employee

‎06-15-2016 11:54 AM - edited ‎11-20-2023 09:48 AM

 

ISE 2.1 introduced a new feature called Easy Connect where Microsoft Active Directory (AD) logins are used to passively map user information onto existing network sessions initiated with MAC Authentication Bypass (MAB).  This is similar to a Centralized Web Authentication (CWA) or CWA Chaining scenario where ISE combines an active MAB or 802.1X authentication session with the identity obtained from a Web Authentication.  ISE leverages the identity and group memberships from the passive identity (PassiveID) to be used as conditions to assign policy.

The benefits of Easy Connect over 802.1X are:

  • No 802.1X supplicant required for user authentication
  • No Public Key Infrastructure (PKI) required for trusted credential transport
  • Can be used as primary user identity or supplement another active identity such as MAB or 802.1X

 

Get Started

How to Configure Easy Connect on ISE 2.1

 

802.1X vs Easy Connect Comparison

  802.1X Easy Connect
Requires Microsoft Active Directory No Yes, with WMI access allowed from ISE
Identity Stores
  • ISE Local User Accounts
  • RADIUS server Proxy
  • Microsoft Active Directory
  • LDAP
  • ODBC
  • Token server
 Microsoft Active Directory
Machine Authentication Methods
  • Certificates (EAP-TLS, etc.)
  • Windows Domain Credential
 None
User Authentication Methods
  • Username + Password
  • One-Time Password (OTP) tokens
  • Certificates (EAP-TLS, etc.)
  • Protected Access Credential (PAC)  such as EAP-FAST)
 Kerberos User login - not Machine
User Logoff Detection Yes.
Note: Fast User Switching (FUS) not detected		 No - not detected via WMI, but AD login from different user will overwrite Passive Identity for endpoint.
Note: Fast User Switching (FUS) not detected.
Session Expiration RADIUS Session-Timeout (configurable in ISE authorization policy results) User Session age (configurable in ISE Active Directory settings)
Supported Operating Systems
  • Windows
  • MacOS
  • Linux
  • Microsoft Windows
  • MacOS (with Login Option for Network Server)
Agents
  • Native OS supplicant
  • Cisco AnyConnect
 None (Microsoft Windows OS)
Network Devices
  • Wired Switches
  • Wireless controllers
  • Wired switches
  • Wireless controllers not QA tested.
NAD Configuration 802.1X
See the ISE Design Guides for best practice switchport configs		 MAB or 802.1X (required for ISE to stitch RADIUS session with PassiveID info)
Enforcement VLANs, dACLs, SGTs VLANs, dACLs, SGTs
Identity & Session published to pxGrid Yes Yes
Scale Depends on the Authentication Method's encryption requirements and round-trips.
See ISE Performance & Scale		 TBD

 

 

Enable Easy Connect

How to Configure Easy Connect on ISE 2.1

To enable Easy Connect in ISE:

  1. Navigate to Administration > System > Deployment > (node) > General Settings
  2. Enable Passive Identity Service on PSN
    Note: It is recommended to enable Easy Connect on two PSN nodes for high availability but no more than two.
    Note: Dedicated PSNs are recommended for Easy Connect Passive Identity Mapping
  3. Navigate to Administration > PassiveID > AD Domain Controllers
  4. Select Add and provide the credentials to your Active Directory domain controllers for PassiveID. Alternatively, you may Import a list of AD controllers via a CSV file.
  5. You may customize your Passive Identity caching options under Active Directory General Settings.
    The User Session Timer is reset when there is a 1) new AD login with the same username or 2) Kerberos ticket renewal

 

Easy Connect Authorization Policies

Here are a few examples of ISE authorization policies using the PassiveID attributes from Easy Connect :

 

 

Resources

 

Comments
yadavmanjits1
Level 1
Level 1
‎08-13-2018 04:44 AM

Hi Thomas,

 

Thanks for the wonderful article.

 

May i please check with 2 things :

1. Does Easy Connect Supported on Wireless network also (CISCO AP & WLC).

2. Can Easy Connect & BYOD Solution co-exist on the same ISE box (With Different AUTHE & AUHTO Profile).

 

Thanks

MS

James L
Level 1
Level 1
‎03-16-2020 05:30 PM

When will support for Mac come about?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Top