https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3827868#M474396 <P>Our customer is looking&nbsp; a two step authentication/authorization. At first the manged clients should be authenticated via a machine certificate based on EAP-TLS and after being authorized a second step is needed when a user logs on to the client, the client should be moved to another vlan or maybe get a different dACL. According to the presentation &nbsp;Cisco live presentation BRKSEC 3697 from Orlando 2018 you can see on page 163 that the combination of 802.1X with Passive ID is supported.</P> <P>&nbsp;</P> <P>Is this a supported deployment use case ?&nbsp; If yes then will&nbsp;&nbsp;ISE-PIC support this use case or must we deploy full ISE product ?</P> Fri, 21 Feb 2020 19:04:07 GMT mpeeters 2020-02-21T19:04:07Z https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3827868#M474396 <P>Our customer is looking&nbsp; a two step authentication/authorization. At first the manged clients should be authenticated via a machine certificate based on EAP-TLS and after being authorized a second step is needed when a user logs on to the client, the client should be moved to another vlan or maybe get a different dACL. According to the presentation &nbsp;Cisco live presentation BRKSEC 3697 from Orlando 2018 you can see on page 163 that the combination of 802.1X with Passive ID is supported.</P> <P>&nbsp;</P> <P>Is this a supported deployment use case ?&nbsp; If yes then will&nbsp;&nbsp;ISE-PIC support this use case or must we deploy full ISE product ?</P> Fri, 21 Feb 2020 19:04:07 GMT https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3827868#M474396 mpeeters 2020-02-21T19:04:07Z https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3828490#M474397 <P>So far, we have not validated it for wireless. If wired, yes, that is supported.</P> Thu, 28 Mar 2019 20:29:27 GMT https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3828490#M474397 hslai 2019-03-28T20:29:27Z https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3828504#M474399 <P>To verify&nbsp; as I thought ISE-PIC only supported passive authentication ( hence the name PIC).</P> <P>&nbsp;</P> <P>&nbsp; ISE-PIC supports the use case that includes both 802.1x active authentication as well as easyconnect passive authentication for wired only.&nbsp; The wireless use case has not been validated.</P> <P>&nbsp;</P> <P>Are there any known issues or simply not tested by Cisco.</P> Thu, 28 Mar 2019 20:44:53 GMT https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3828504#M474399 mpeeters 2019-03-28T20:44:53Z https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3829210#M474477 <P>Since most customers adapting wireless 802.1X well enough, there does not seem a need for pure wireless support, besides it unlikely secure. A more common use case would be moving between wired and wireless. Either way, please discuss it with our product management team.</P> Sat, 30 Mar 2019 03:15:18 GMT https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3829210#M474477 hslai 2019-03-30T03:15:18Z https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3829211#M474478 <P>What we are discussing here is Easy Connect, which make use of Passive Identity (PIC). To be clear.</P> Sat, 30 Mar 2019 03:17:02 GMT https://community.cisco.com/t5/network-access-control/does-ise-pic-support-this-two-step-authentication-authorization/m-p/3829211#M474478 hslai 2019-03-30T03:17:02Z