Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Cisco Employee

does ise pic support this two step authentication authorization wireless use case

Our customer is looking  a two step authentication/authorization. At first the manged clients should be authenticated via a machine certificate based on EAP-TLS and after being authorized a second step is needed when a user logs on to the client, the client should be moved to another vlan or maybe get a different dACL. According to the presentation  Cisco live presentation BRKSEC 3697 from Orlando 2018 you can see on page 163 that the combination of 802.1X with Passive ID is supported.


Is this a supported deployment use case ?  If yes then will  ISE-PIC support this use case or must we deploy full ISE product ?

Cisco Employee

So far, we have not validated it for wireless. If wired, yes, that is supported.

To verify  as I thought ISE-PIC only supported passive authentication ( hence the name PIC).


  ISE-PIC supports the use case that includes both 802.1x active authentication as well as easyconnect passive authentication for wired only.  The wireless use case has not been validated.


Are there any known issues or simply not tested by Cisco.

Since most customers adapting wireless 802.1X well enough, there does not seem a need for pure wireless support, besides it unlikely secure. A more common use case would be moving between wired and wireless. Either way, please discuss it with our product management team.

What we are discussing here is Easy Connect, which make use of Passive Identity (PIC). To be clear.

Content for Community-Ad