Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
567
Views
1
Helpful
4
Replies

link FMC connection to user that not exist in AD but in ISE

Go to solution
yongwli
Cisco Employee
Cisco Employee

‎09-19-2017 09:17 AM

Hi Team,

Can we link FMC(firepower) connections to user that not exist in AD but in ISE? IE. Guest users or users not logon AD but use AD username/password for EAP auth.

Thanks

DL

1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10
In response to yongwli

‎09-20-2017 06:09 AM

I responded to that post to help clarify.  Both George and Tim (other post) are correct.  Do not confuse the limitations of ISE-PIC with full blown ISE.  ISE can publish login info for both Passive ID and active auth from guests and users that login via AD credentials.

Note that use of AD credentials for network login does not equate to an AD login event.  For example, I can login using PEAP with AD credentials without triggering an AD login event.  AD login is what occurs when you enter credentials at CTRL-ALT-DEL, or perform specific access request to AD then entails AD login privileges.  Therefore, do not expect Passive ID event to be present if simply using AD credentials for network logon.

RADIUS auth is considered Active auth.  Passive ID is Passive auth.

ISE supports both.  ISE-PIC supports passive only.

On a side note, it is possible for ISE to combine both active auth with passive auth, for example, assign access based on successful 802.1X machine auth via ISE + successful user AD login outside of ISE.  I call this Easy Connect Chaining, or EZC Chaining.

/Craig

View solution in original post

0 Helpful
4 Replies 4

Go to solution
gbekmezi-DD
Level 5
Level 5

‎09-19-2017 05:06 PM

Yes you can. You can do this with pxGrid integration and ISE. It will require Plus licenses in ISE.

George

0 Helpful

Go to solution
yongwli
Cisco Employee
Cisco Employee
In response to gbekmezi-DD

‎09-20-2017 04:36 AM

find a post after I post this discussion, it seems the answer is no. Don't know which one is correct.

Re: Query on passive ID with FMC 6.2 and pxGrid integration to ISE 2.2

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to yongwli

‎09-20-2017 06:09 AM

I responded to that post to help clarify.  Both George and Tim (other post) are correct.  Do not confuse the limitations of ISE-PIC with full blown ISE.  ISE can publish login info for both Passive ID and active auth from guests and users that login via AD credentials.

Note that use of AD credentials for network login does not equate to an AD login event.  For example, I can login using PEAP with AD credentials without triggering an AD login event.  AD login is what occurs when you enter credentials at CTRL-ALT-DEL, or perform specific access request to AD then entails AD login privileges.  Therefore, do not expect Passive ID event to be present if simply using AD credentials for network logon.

RADIUS auth is considered Active auth.  Passive ID is Passive auth.

ISE supports both.  ISE-PIC supports passive only.

On a side note, it is possible for ISE to combine both active auth with passive auth, for example, assign access based on successful 802.1X machine auth via ISE + successful user AD login outside of ISE.  I call this Easy Connect Chaining, or EZC Chaining.

/Craig

0 Helpful

Go to solution
yongwli
Cisco Employee
Cisco Employee

‎09-20-2017 09:54 AM

understood, very clear, many thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents