05-17-2019 07:30 AM
Hello Team,
We are using full-blown ISE (not ISE-PIC) for usual 802.1x (EAP-TLS-based machine auth mainly) and are now configuring the same ISE deployment for PassiveID to distribute user-IP mappings from AD (via ISE AD Agents) towards WSA and FMC. We are not aiming to distribute 802.1x-related mappings (as they contain hostnames, not usernames) but AD-retrieved mappings.
When PassiveID gets enabled, Live Sessions for PassiveID get populated with mappings retrieved from 802.1x, which is undesired behaviour for us; e.g. such mappings get advertised to WSA, giving us a hostname -> IP mapping instead of the AD-based username -> IP mapping.
2 questions:
- is there a way to restrict ISE PassiveID nodes from getting/processing 802.1x-related data?
- if both are still processed/distributed via pxGrid, is there any preference (what takes precedence if ISE sees a different "username" (hostname vs. actual AD username) for the same IP)?
Thank you!
p.s. Could not really find this documented and do not see any configuration tweaks on ISE for that.
05-17-2019 11:27 AM
Hey Amir,
Please email me directly, I would like to set up a WebEx and get more details.
Thanks,
John
jeppich@cisco.com
05-17-2019 10:31 AM
The issue seems more due to the fact that the same ISE deployment is used for both Passive ID and regular RADIUS authentication, and the fact that the same pxGrid topic(s) are used to propagate to WSA. If either different sets of NADs are used for Passive ID and regular RADIUS auth, or the NADs are able to direct the requests to two different ISE deployments, you might want to try two ISE deployments.
Otherwise, you may try adding mapping filters under ISE Admin Web UI > Work Centers > Passive ID > Providers > Mapping Filters.
I will also check with our team further on this.
05-17-2019 11:01 AM
07-02-2019 10:59 PM
Hello together,
We have exactly the same requirement. What was your solution?
thanks
Andreas
07-03-2019 12:17 AM - edited 07-03-2019 12:47 AM
Hello Andreas.
There is no solution as such if this is your requirement:
- use a separate ISE-PIC deployment for passive ID (but remember that you can only associate one ISE instance with FMC or Stealthwatch, for example, so this may not work in your environment). You can probably connect two ISE instances via Syslog PassiveID (send AAA logs from one instance to another);
- still propagate 802.1x/PassiveID events to WSA/FMC/SW. In our case this means that machine 802.1x auth will be substituted with user 802.1x auth at some point (supplicant reconfiguration), which up to a point solves the issue. Another issue remains though: if you have non-802.1x-enabled endpoints (MAB) and still want authenticated access from them, you have to do some active authentication on FTD/WSA (the solution may vary depending on the requirements: captive portal, guest portal on ISE which propagates syslog to PassiveID, etc.).
Please open a case with TAC and ask to attach your case to two enhancements and/or request account team to expedite the following enhancements:
CSCvq01811 filter radius trafic using mapping filter
CSCvg24447 ENH: Publish passiveid session to pxgrid
Amir