Cisco ISE and passiveID

Maciej Waliszko
Level 1

Hello,

The scenario is as follows:

- two node ISE 2.7 deployment

- at the moment a customer doesn't have a possibility to configure 802.1x on their switches and WLC

- the final goal is to create user/group based access control on FTD firewall (6.7)


From what I have read so far the last version of FTD where firepower user agent was supported is 6.6

PassiveID came to my mind as directly configured on their ISE or ISE-PIC and then based on that the integration with FTD through pxgrid.


Now I wonder about the disadvantages of that kind of deployment. Let's say the hypothetical scenario is:


1) user comes to work and then a wired cable is attached to the PC. Windows is started. User logs in. The wired and wireless connection is automatically established. Will I see TWO mappings in this case to the same user?

USER1 -> IP1 (wired IP)

USER1 -> IP2 (wireless IP)

?


2) user comes to work and then a wired cable is attached to the PC. Windows is started. User logs in. The wired connection is automatically established (wireless connection is not started automatically - that's how it is configured).

The mapping:

USER1 -> IP1 (wired IP)

User is doing his work during the day. Next he detaches the wired cable and connects via wireless. Will Windows OS send the NEW mapping in this case?

USER1 -> IP2 (wireless IP)

?


I have a strong feeling that those two above scenarios are problematic ...

Can anyone say something interesting about them to confirm my suspicions?
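
An added audit script to illustrate the two concerns above (it is not from the post, from ISE, or from Cisco): it walks a user-to-IP mapping table of the kind a PassiveID session directory hands to the firewall, and flags users bound to more than one IP at the same time (scenario 1) and mappings whose last logon event is old enough that the host may have moved to another interface without a fresh event (scenario 2). The record layout, timestamps and addresses are constructed for the example; the ISE/ISE-PIC export format is assumed, not reproduced.

```python
"""Audit a PassiveID-style user-to-IP table for dual-NIC and stale mappings.

Record layout (user, ip, last_logon_event, source) is a constructed example,
not the ISE or ISE-PIC session export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: USER1 logged on with both NICs up, USER2 on wired only.
SAMPLE_MAPPINGS = [
    ("USER1", "10.1.10.25", "2021-06-01T08:02:00", "wired"),
    ("USER1", "10.1.20.77", "2021-06-01T08:02:30", "wireless"),
    ("USER2", "10.1.10.31", "2021-06-01T07:55:00", "wired"),
]


def multi_ip_users(mappings):
    """Users mapped to several IPs at once (scenario 1).

    The firewall will attribute traffic from every listed IP to that user, so
    a policy written for USER1 silently covers both the wired and wireless address."""
    ips_by_user = defaultdict(set)
    for user, ip, _ts, _src in mappings:
        ips_by_user[user].add(ip)
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > 1}


def stale_mappings(mappings, now, max_age):
    """Mappings whose logon event is older than max_age (scenario 2).

    If the host later moves to wireless without a new logon event, the old
    (user, ip) pair persists until it ages out; whoever next receives that IP
    would be treated by the firewall as the original user."""
    return sorted(
        (user, ip)
        for user, ip, ts, _src in mappings
        if now - datetime.fromisoformat(ts) > max_age
    )


def audit(mappings, now, max_age):
    """Combined report used by the checks below."""
    return {
        "multi_ip": multi_ip_users(mappings),
        "stale": stale_mappings(mappings, now, max_age),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MAPPINGS, datetime(2021, 6, 1, 18, 0), timedelta(hours=10))
    print(report)
```

Run against an actual session export, the same two checks tell you how often identity-based rules on the FTD are matching on a second address or on a mapping that has outlived the logon it came from.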



Maciej Waliszko
Level 1

Nobody knows the answer or can share his/her experience? Not even from Cisco itself?

My guess is that Windows OS will not send a duplicate/another logon event when it is already booted up... However, I am not 100% sure about that, and that's why I am asking all of you guys here.