Cisco ISE 802.1x with PassiveID

peter.matuska1
Level 1

Hi,

We have EAP-FAST (machine and user authentication) working. Can we enable PassiveID on this ISE to get more information from AD? Is it a supported configuration? Won't it cause any trouble, since ISE will see the same record for a user from 802.1x and PassiveID?

Thank you

1 Accepted Solution

Yeah I would really push back on that decision.  

Why would you want to do this?  Passive ID is way less accurate than active authentication which you already have with EAP-FAST.

peter.matuska1
Level 1

Some devices may not have AnyConnect installed, so at least something.

What type of devices don't have AnyConnect installed that would still be authenticating against AD? What extra visibility are you looking for by scraping AD login events?

peter.matuska1
Level 1

Customer wants to do the FW rules for servers where AnyConnect cannot be installed. So the PassiveID is enabled for them.

Why do you need ISE/Passive ID for server firewall rules? Don't they have static IPs? Who is logging into the servers to even generate an AD login event? What about non-Windows servers?

Not sure, not my decision.

Yeah I would really push back on that decision.