ISE - disable 802.1x events to propagate to PassiveID sessions

Amir Asfandyarov
Cisco Employee

Hello Team,

 

We are using full-blown ISE (no ISE-PIC) for usual 802.1x (EAP-TLS-based Machine auth mainly) and now configuring same ISE deployment for PassiveID to distribute User-IP mappings from AD (via ISE AD Agents) towards WSA and FMC. We are not aiming to distribute 802.1x-related mappings (as they do not contain usernames but hostnames) but AD-retrieved mappings.

 

When PassiveID is enabled, Live Sessions for PassiveID get populated with mappings retrieved from 802.1x, which is undesired behaviour for us: e.g. such mappings get advertised to WSA, giving us a hostname -> IP mapping instead of the AD-based username -> IP one.

 

2 questions:

- is there a way to restrict ISE PassiveID nodes from getting/processing 802.1x-related data?

- if both are still processed/distributed via pxGrid, is there any preference (what takes precedence if ISE sees a different "username" (hostname vs. actual AD username) for the same IP)?

 

Thank you!

p.s. Could not really find this documented and do not see any configuration tweaks on ISE for that.

Accepted Solution

jeppich
Cisco Employee

Hey Amir,

 

Please email me directly; I would like to set up a Webex and get more details.

 

Thanks,

John

jeppich@cisco.com

 


5 Replies

hslai
Cisco Employee

The issue seems more due to the fact that the same ISE deployment is used for both Passive ID and regular RADIUS authentication, and that the same pxGrid topic(s) are used to propagate to WSA. If either different sets of NADs are used for Passive ID and regular RADIUS auth, or the NADs are able to direct the requests to two different ISE deployments, you might want to try two ISE deployments.

Otherwise, you may try adding mapping filters under ISE Admin Web UI > Work Centers > Passive ID > Providers > Mapping Filters.

I will also check with our team further on this.

Hi Hsing-Tsu,

Thank you; it would be interesting to hear what the team says. I see this as a possible/frequent use case, especially with WSA 11.7/FMC/etc. integration in place: it is always appealing to deploy/keep one ISE instance instead of deploying two sets of ISE nodes to work around that. I found CSCvg24447 "ENH: Publish passiveid session to pxgrid" and discovered that ISE does "stitching", but that does not help: WSA does not understand stitched records; FMC I still need to test.

Amir


Hello all,

We have exactly the same requirement. What was your solution?

 

 

thanks
Andreas

Hello Andreas.

 

There is no solution as such if this is your requirement:

- use a separate ISE-PIC deployment for Passive ID (but remember that you can only associate one ISE instance with FMC or Stealthwatch, for example, so this may not work in your environment). You can probably connect two ISE instances via Syslog PassiveID (send AAA logs from one instance to another);

- still propagate 802.1x/PassiveID events to WSA/FMC/SW. In our case this means that machine 802.1x auth will be substituted with user 802.1x auth at some point (supplicant reconfiguration), which up to a point solves the issue. Another issue remains though: if you have non-802.1x-enabled endpoints (MAB) and still want authenticated access from them, you have to do some active authentication on FTD/WSA (the solution may vary depending on the requirements: captive portal, guest portal on ISE which propagates syslog to PassiveID, etc.).

 

Please open a case with TAC and ask to attach your case to the two enhancements below, and/or request your account team to expedite them:

CSCvq01811 filter radius trafic using mapping filter

CSCvg24447 ENH: Publish passiveid session to pxgrid

 

Amir
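The thread asks what should win when ISE publishes both an 802.1x machine identity (an EAP-TLS hostname such as host/WS-0042 or WS-0042$) and an AD-sourced username for the same IP, and notes that ISE itself offers no documented precedence or filter for this. The following is an added example, not code from the thread or from Cisco, showing how a pxGrid session consumer of your own could apply that precedence before handing mappings on: machine identities are recognised by pattern, AD user identities are preferred per IP, and pure machine-only mappings can be dropped entirely. The record layout (ip, userName, source) and the sample sessions are constructed for illustration and are not the real pxGrid session schema.

```python
import re
from typing import Dict, List

# Constructed sample records. Field names are assumptions for this example and
# do not claim to match the real pxGrid session topic schema.
SAMPLE_SESSIONS: List[Dict[str, str]] = [
    {"ip": "10.1.1.10", "userName": "host/WS-0042.corp.example", "source": "RADIUS"},
    {"ip": "10.1.1.10", "userName": "CORP\\jsmith", "source": "PassiveID"},
    {"ip": "10.1.1.11", "userName": "WS-0043$", "source": "RADIUS"},
    {"ip": "10.1.1.12", "userName": "CORP\\adoe", "source": "PassiveID"},
    {"ip": "10.1.1.13", "userName": "CORP\\bkim", "source": "PassiveID"},
    {"ip": "10.1.1.13", "userName": "host/WS-0044.corp.example", "source": "RADIUS"},
]

# EAP-TLS machine auth usually shows up as "host/<fqdn>" or "<name>$" (AD
# computer-account style) rather than a human username.
MACHINE_ID = re.compile(r"^(host/.+|.+\$)$", re.IGNORECASE)


def is_machine_identity(user_name: str) -> bool:
    """True if the identity looks like a machine account rather than a user."""
    return bool(MACHINE_ID.match(user_name.strip()))


def resolve_per_ip(sessions: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Collapse session records to one identity per IP.

    Precedence: a user identity (rank 1) always beats a machine identity
    (rank 0) for the same IP, regardless of which record arrived first.
    Records of equal rank keep the first one seen.
    """
    best: Dict[str, tuple] = {}
    for rec in sessions:
        ip, user = rec["ip"], rec["userName"]
        rank = 0 if is_machine_identity(user) else 1
        current = best.get(ip)
        if current is None or rank > current[0]:
            best[ip] = (rank, user, rec["source"])
    return {
        ip: {"userName": user, "source": src, "isMachine": rank == 0}
        for ip, (rank, user, src) in best.items()
    }


def user_mappings_only(sessions: List[Dict[str, str]]) -> Dict[str, str]:
    """IP -> username for IPs that have a real user identity; machine-only IPs are dropped.

    This is the behaviour the original poster wanted from the WSA feed: never
    forward a hostname where no AD username is known for that IP.
    """
    resolved = resolve_per_ip(sessions)
    return {ip: v["userName"] for ip, v in resolved.items() if not v["isMachine"]}


if __name__ == "__main__":
    for ip, info in sorted(resolve_per_ip(SAMPLE_SESSIONS).items()):
        print(ip, info)
    print("forwarded:", user_mappings_only(SAMPLE_SESSIONS))
```

Note that this only fixes the consumer side; WSA and FMC consume the pxGrid topic directly, so in practice this logic would sit in an intermediate pxGrid client of your own, which is why the thread points at the ISE enhancement requests rather than at a configuration knob.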

 
