
RaymondBrown1165
Beginner

ISE User Identity Info

Is there an easy way to get user identity in ISE 2.1 when using machine authentication for 802.1x? My end goal is to have an IP to username mapping, and to use pxGrid to allow my WSA to grab that mapping as well.

My current setup uses 802.1x PEAP (EAP-MSCHAPv2) for authentication so when looking at RADIUS logs, the only info is the system name or MAC address. The systems are authenticated against AD which is set up as an External Identity source.

I was doing some reading on Passive Identity using Easy Connect in Visibility-mode but it seems like a lot of changes on my AD server will have to occur before setting this up, and I didn't see any support for Windows Server 2016.

Are there any other options within ISE to accomplish this?

If I already have the AD External ID Source set up, do I even need Easy Connect to get the user info?

1 ACCEPTED SOLUTION

howon
Cisco Employee

Yes, as you noted there are two options:

- Force user authentication

- Passive-ID

Windows 2016 should be supported with ISE 2.2+.



Timothy Abbott
Cisco Employee

PassiveID in ISE 2.1 is WMI and yes, will require several modifications to AD but it should still provide a user to IP mapping even without EasyConnect. Also as you pointed out, 2.1 doesn't have support for AD 2016. You would need to upgrade to a newer version of ISE for that support.

 

Regards,

-Tim

In the near future I hope to get to 2.4 but there are a lot of moving parts that rely on our ISE and we are a little wary that the upgrade will break something.

I have read this on other forums as well but haven't been able to find a clear Cisco guide for this. How would I set up PassiveID without using EasyConnect? I don't want to have to make any changes to my AD server for simple IP to User mappings.

 

Thanks.

Damien Miller
VIP Advisor

Wouldn't it be easier to use transparent authentication with an AD authentication realm on the WSA to accomplish this, rather than trying to collect the identity via ISE-PIC/ISE/pxGrid?

You may be right. I'm new to the WSAs and was unfamiliar with the transparent authentication feature. I will do some more reading on it.

 

Another reason I was looking at pxGrid was to also use it to share user identity with Infoblox.
