06-28-2019 06:57 AM
Is there an easy way to get user identity in ISE 2.1 when using machine authentication for 802.1X? My end goal is to have an IP-to-username mapping, and to use pxGrid to allow my WSA to grab that mapping as well.
My current setup uses 802.1X PEAP (EAP-MSCHAPv2) for authentication, so when looking at RADIUS logs, the only info is the system name or MAC address. The systems are authenticated against AD, which is set up as an External Identity Source.
I was doing some reading on Passive Identity using Easy Connect in Visibility mode, but it seems like a lot of changes on my AD server will have to occur before setting this up, and I didn't see any support for Windows Server 2016.
Are there any other options within ISE to accomplish this?
If I already have the AD External ID Source set up, do I even need Easy Connect to get the user info?
06-28-2019 09:01 AM
Yes, as you noted there are two options:
- Force user authentication
- Passive-ID
Windows 2016 should be supported with ISE 2.2+.
06-28-2019 09:42 AM
PassiveID in ISE 2.1 is WMI and yes, will require several modifications to AD but it should still provide a user to IP mapping even without EasyConnect. Also as you pointed out, 2.1 doesn't have support for AD 2016. You would need to upgrade to a newer version of ISE for that support.
Regards,
-Tim
06-28-2019 10:25 AM
07-01-2019 04:41 AM
In the near future I hope to get to 2.4 but there are a lot of moving parts that rely on our ISE and we are a little wary that the upgrade will break something.
07-01-2019 04:44 AM
I have read this on other forums as well but haven't been able to find a clear Cisco guide for this. How would I set up PassiveID without using EasyConnect? I don't want to have to make any changes to my AD server for simple IP-to-user mappings.
Thanks.
06-29-2019 12:01 AM
07-01-2019 04:38 AM
You may be right. I'm new to the WSAs and was unfamiliar with the transparent authentication feature. I will do some more reading on it.
Another reason I was looking at pxGrid was to also use it to share user identity with Infoblox.