Looking for a design validation for a customer.
Customer is using Clearpass for wireless and wants to do:
- RADIUS proxy from Clearpass to ISE but only with RADIUS accounting to extract the username. Clearpass is performing the Authentication/Authorization and these 2 are not proxied.
- ISE will then retrieve the AD groups associated with the username and use them to map an SGT.
- This SGT-IP mapping will then be sent via SXP to FMC-FTD for enforcement.
Is this a supported design? Do we use the same design criteria for scalability based on concurrent endpoints in this scenario and the same licensing consumption?
Thanks