Passive-ID identity sharing and pxgrid

danhamil
Cisco Employee

Have a scenario where Traditional ISE is deployed where ISE is doing 802.1x authentication for iPhones and laptops on wireless. They would like to add the Passive-ID (PIC) functionality to their deployment using (WMI) to get identity info from their AD for their wired users. (802.1x authentication is not set up for their wired infrastructure). They want to do this so they can send identity information to their FMC so they can create identity-based policies on their FMC.

I would like to confirm the following:

For the identity information obtained from the passive-ID (PIC) functionality, the identity information can be sent to FMC using PxGrid without requiring any Plus licenses. Correct?

For the identity information obtained via 802.1x authentication for their wireless devices, does it require a Plus license to send this identity information to FMC via PxGrid?

If so, does this require a 1:1 mapping of Base to Plus licenses?

Thanks

-Dan

Accepted Solutions

My understanding (from the Ordering Guide, page 7, table 7) is that for Passive Identity pxGrid connections, only a Base License is required.

[Image: pxgrid_passive.png]

Whereas authentications that are done by ISE (802.1x, etc.) will require a 1:1 Base:Plus License.

[Image: pxgrid_active.png]

This is called out on the bottom of Page 6, but is worded poorly, creating a lot of confusion.

[Image: pxgrid_active2.png]

As broken down in this table (Page 6, table 6) that refers to table 7:

[Image: pxgrid.png]

3 Replies

Timothy Abbott
Cisco Employee

Dan,

Identity sharing over pxGrid to Cisco solutions is included in the base license.

Regards,

-Tim

I have a related question to ask. Is there a way to share the passive ID info via pxGrid to Cisco devices but not the active authentications? Having both active and passive would be great, but we have many customers using ISE who will never purchase enough plus licensing to make it compliant. I realize they could run a second ISE deployment as ISE-PIC, but that would probably be more expensive than the plus licenses in most cases.

In ISE 2.4 you can set up permissions for pxGrid clients. I was thinking that you could possibly use this to only provide the passive info to clients, but as far as I can tell, it's all session info or none.

Any ideas? Am I missing something?