Can I use PIC with MAB (Easy Connect)?

thomas
Cisco Employee

Rather than configure 802.1X on the switches and endpoints, can I just do MAB and use PIC to get the users' identity?

Accepted Solutions

Timothy Abbott
Cisco Employee

Hi Thomas,

MAC Authentication Bypass (MAB) is a form of authentication.  You can use it in conjunction with PassiveID in ISE for EasyConnect.  Unfortunately, ISE-PIC does not support any form of authentication such as RADIUS 802.1X, MAB, or EasyConnect.  ISE-PIC features are passive only.

Regards,

-Tim

2 Replies

To pile onto that:  ISE-PIC is just a form factor of ISE that cuts down the features and meets a specific price-point for a passive-ID ONLY solution.

All the ISE-PIC functionality is in full ISE!  So go with full ISE, using BASE licensing to get you the EasyConnect use-cases that Tim is referring to.

PIC will only learn of authentications from another source, and share them to the "subscribers" like StealthWatch.  If you are going to use any network authentication/authorization (MAB, 802.1X, EzConnect, TrustSec, etc.) then you need to move to the normal ISE form-factor and not the cut-down passive-only package.

Hope that adds clarity.

Aaron