Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
785
Views
1
Helpful
8
Replies

Cisco ISE Passive Identity Question

Go to solution
SHABEEB KUNHIPOCKER
Level 3
Level 3

‎09-20-2023 07:41 AM

Hello,

I have an existing ISE deployment already integrated with Microsoft AD. Now we have an ongoing implementation of Cisco WSA and there is a requirement to use ISE for transparent authentication. So should I need to purchase additional license for enabling the passive identity service on the existing ISE nodes?. I know that ISE-PIC can be installed as a standalone server, but my plan is to use the existing ISE nodes. Please advise.

Thanks

Shabeeb

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
ahollifield
VIP
VIP
In response to SHABEEB KUNHIPOCKER

‎09-20-2023 08:16 AM

Passive ID is covered under Base licensing.  Sharing with pxGrid requires Plus.  Do you have enough Plus licensing to cover each of your users who you will need to share with the WSA?  
Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html
Also why Passive ID at all?  If you already have an ISE deployment why not use active authentication data and share that with the WSA?

View solution in original post

Go to solution
ahollifield
VIP
VIP
In response to SHABEEB KUNHIPOCKER

‎09-20-2023 08:50 AM

Depends which version of the licensing guide you are looking at honestly.  With the 2.7 licensing statements in the admin guide 3000 Base licenses should cover your use-case since the WSA is a Cisco subscriber.  However, you still need Plus licensing to enable the feature.  Based on the current ISE licensing guide you need Advantage (previously Plus) licensing equal to the number of Passive ID sessions you are sharing with pxGrid.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-20-2023 07:52 AM

what version of WSA ( Async OS  15.X can integrate with ISE )  Do you have ISE/pxgrid  in place ?

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-15-0/user-guide/wsa-userguide-15-0/b_WSA_UserGuide_11_7_chapter_01000.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
SHABEEB KUNHIPOCKER
Level 3
Level 3
In response to balaji.bandi

‎09-20-2023 08:11 AM

Hello,

I do not need the SGT information from ISE. I just need to use AD user and group information from ISE. My WSA version is 14.x and I think we can still integrate ISE with WSA. 

0 Helpful

Go to solution
SHABEEB KUNHIPOCKER
Level 3
Level 3
In response to ahollifield

‎09-20-2023 08:13 AM

Hello,

I have seen this link, but could not find what I am looking for. First thing is that the ISE deployment what we have is version 2.7. The question is whether we need additional license for enabling PIC.

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to SHABEEB KUNHIPOCKER

‎09-20-2023 08:16 AM

Passive ID is covered under Base licensing.  Sharing with pxGrid requires Plus.  Do you have enough Plus licensing to cover each of your users who you will need to share with the WSA?  
Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html
Also why Passive ID at all?  If you already have an ISE deployment why not use active authentication data and share that with the WSA?

Go to solution
SHABEEB KUNHIPOCKER
Level 3
Level 3
In response to ahollifield

‎09-20-2023 08:37 AM

Hello,

Thanks a lot for the response. I need to check that with customer. So you mean if I have 3000 users I need to have 3000 plus licenses to have passive ID?.

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to SHABEEB KUNHIPOCKER

‎09-20-2023 08:50 AM

Depends which version of the licensing guide you are looking at honestly.  With the 2.7 licensing statements in the admin guide 3000 Base licenses should cover your use-case since the WSA is a Cisco subscriber.  However, you still need Plus licensing to enable the feature.  Based on the current ISE licensing guide you need Advantage (previously Plus) licensing equal to the number of Passive ID sessions you are sharing with pxGrid.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to SHABEEB KUNHIPOCKER

‎09-20-2023 08:46 AM

check the compatablity matrix, base License covers your needs, make sure you have enough License ISE to integrate with WSA

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents