03-28-2019 02:04 AM - edited 02-21-2020 11:04 AM
Our customer is looking for a two-step authentication/authorization. At first the managed clients should be authenticated via a machine certificate based on EAP-TLS, and after being authorized a second step is needed: when a user logs on to the client, the client should be moved to another VLAN or maybe get a different dACL. According to the Cisco Live presentation BRKSEC 3697 from Orlando 2018, you can see on page 163 that the combination of 802.1X with Passive ID is supported.
Is this a supported deployment use case? If yes, will ISE-PIC support this use case, or must we deploy the full ISE product?
03-28-2019 01:29 PM
So far, we have not validated it for wireless. If wired, yes, that is supported.
03-28-2019 01:44 PM
To verify, as I thought ISE-PIC only supported passive authentication (hence the name PIC).
ISE-PIC supports the use case that includes both 802.1X active authentication as well as Easy Connect passive authentication for wired only. The wireless use case has not been validated.
Are there any known issues, or is it simply not tested by Cisco?
03-29-2019 08:15 PM
Since most customers are adopting wireless 802.1X well enough, there does not seem to be a need for pure wireless support; besides, it is unlikely to be secure. A more common use case would be moving between wired and wireless. Either way, please discuss it with our product management team.
03-29-2019 08:17 PM
What we are discussing here is Easy Connect, which makes use of Passive Identity (PIC). To be clear.