Our customer is looking for a two-step authentication/authorization. First, the managed clients should be authenticated via a machine certificate based on EAP-TLS; after being authorized, a second step is needed when a user logs on to the client: the client should be moved to another VLAN or maybe get a different dACL. According to the Cisco Live presentation BRKSEC 3697 from Orlando 2018, you can see on page 163 that the combination of 802.1X with Passive ID is supported.
Is this a supported deployment use case? If yes, will ISE-PIC support this use case, or must we deploy the full ISE product?
To verify, as I thought ISE-PIC only supported passive authentication (hence the name PIC).
ISE-PIC supports the use case that includes both 802.1X active authentication as well as Easy Connect passive authentication, for wired only. The wireless use case has not been validated.
Are there any known issues, or is it simply not tested by Cisco?
Since most customers are adopting wireless 802.1X well enough, there does not seem to be a need for pure wireless support; besides, it is unlikely to be secure. A more common use case would be moving between wired and wireless. Either way, please discuss it with our product management team.