ISE EasyConnect and 802.1X machine authentication integration...

rezaalikhani
Level 3

Hi all;

Because of some limitations of implementing user-based 802.1X port-based authentication (like, a user cannot change an expired password), I want to implement machine-based 802.1X authentication (based on PEAP-MSCHAPv2). Based on this document, it is a supported scenario. So, I have implemented machine-based 802.1X and now everything looks great. Please look at the following figure:

[Image: 2.png]

I have created the above Authorization Policy for the purpose of this scenario (machine-based 802.1X authentication).

 

Now, I created the following Authorization Policy for the purpose of implementing EasyConnect:

[Image: 3.png]

Although I have enabled the "Passive Identity Tracking" option for the "HR_Users" Authorization Profile, when a user in the "HR_Users" group logs in to the machine, ISE does not match the above rule!

 

Any ideas?

Thanks

5 Replies

Arne Bier
VIP

Is your integration with AD working correctly? It's been a while since I tried this, but I recall that you can see all the events in ISE (if the WMI integration is working)

Thanks for your reply...

My first question is: is this scenario supported by Cisco?

My second question is: are the configured policies correct?

Yes, I have checked the AD integration, and everything is OK!

hslai
Cisco Employee

If your ISE is 2.2 before Patch 17, 2.4 before Patch 13, or 2.6 before Patch 7, you might run into a known bug which is resolved in these patch releases.

Thanks for your reply;

Can you please give me a link to any docs that would help me implement this scenario?

Thanks

You can try this link here.

And Labminutes.com has a two-part video series where you can watch how it's done (Easy Connect using Passive ID).