cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
789
Views
1
Helpful
8
Replies

Cisco ISE Passive Identity Question

Hello,

I have an existing ISE deployment already integrated with Microsoft AD. Now we have an ongoing implementation of Cisco WSA and there is a requirement to use ISE for transparent authentication. So should I need to purchase additional license for enabling the passive identity service on the existing ISE nodes?. I know that ISE-PIC can be installed as a standalone server, but my plan is to use the existing ISE nodes. Please advise.

Thanks

Shabeeb

2 Accepted Solutions

Accepted Solutions

Passive ID is covered under Base licensing.  Sharing with pxGrid requires Plus.  Do you have enough Plus licensing to cover each of your users who you will need to share with the WSA?  
Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html
Also why Passive ID at all?  If you already have an ISE deployment why not use active authentication data and share that with the WSA?

View solution in original post

Depends which version of the licensing guide you are looking at honestly.  With the 2.7 licensing statements in the admin guide 3000 Base licenses should cover your use-case since the WSA is a Cisco subscriber.  However, you still need Plus licensing to enable the feature.  Based on the current ISE licensing guide you need Advantage (previously Plus) licensing equal to the number of Passive ID sessions you are sharing with pxGrid.

View solution in original post

8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

what version of WSA ( Async OS  15.X can integrate with ISE )  Do you have ISE/pxgrid  in place ?

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-15-0/user-guide/wsa-userguide-15-0/b_WSA_UserGuide_11_7_chapter_01000.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

I do not need the SGT information from ISE. I just need to use AD user and group information from ISE. My WSA version is 14.x and I think we can still integrate ISE with WSA. 

Hello,

I have seen this link, but could not find what I am looking for. First thing is that the ISE deployment what we have is version 2.7. The question is whether we need additional license for enabling PIC.

Passive ID is covered under Base licensing.  Sharing with pxGrid requires Plus.  Do you have enough Plus licensing to cover each of your users who you will need to share with the WSA?  
Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html
Also why Passive ID at all?  If you already have an ISE deployment why not use active authentication data and share that with the WSA?

Hello,

Thanks a lot for the response. I need to check that with customer. So you mean if I have 3000 users I need to have 3000 plus licenses to have passive ID?.

Depends which version of the licensing guide you are looking at honestly.  With the 2.7 licensing statements in the admin guide 3000 Base licenses should cover your use-case since the WSA is a Cisco subscriber.  However, you still need Plus licensing to enable the feature.  Based on the current ISE licensing guide you need Advantage (previously Plus) licensing equal to the number of Passive ID sessions you are sharing with pxGrid.

check the compatablity matrix, base License covers your needs, make sure you have enough License ISE to integrate with WSA

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help