06-29-2018 08:17 AM - edited 02-21-2020 10:59 AM
Have a scenario where Traditional ISE is deployed where ISE is doing 802.1x authentication for iPhones and laptops on wireless. They would like to add the Passive-ID (PIC) functionality to their deployment using WMI to get identity info from their AD for their wired users. (802.1x authentication is not set up for their wired infrastructure.) They want to do this so they can send identity information to their FMC so they can create identity-based policies on their FMC.
I would like to confirm the following:
For the identity information obtained from the passive-ID (PIC) functionality, the identity information can be sent to FMC using PxGrid without requiring any Plus licenses. Correct?
For the identity information obtained via 802.1x authentication for their wireless devices, does it require a Plus license to send this identity information to FMC via PxGrid?
If so, does this require a 1:1 mapping of Base to Plus licenses?
Thanks
-Dan
07-18-2018 06:58 AM
Dan,
Identity sharing over pxGrid to Cisco solutions is included in the base license.
Regards,
-Tim
07-24-2018 04:58 AM
My understanding (from the Ordering Guide, page 7, table 7) is that for Passive Identity pxGrid connections, only a Base License is required.
Whereas authentications that are done by ISE (802.1x, etc.) will require a 1:1 Base:Plus License.
This is called out on the bottom of Page 6, but is worded poorly, creating a lot of confusion.
As broken down in this table (Page 6, table 6) that refers to table 7:
08-13-2018 10:46 AM
I have a related question to ask. Is there a way to share the passive ID info via pxGrid to Cisco devices but not the active authentications? Having both active and passive would be great, but we have many customers using ISE who will never purchase enough plus licensing to make it compliant. I realize they could run a second ISE deployment as ISE-PIC, but that would probably be more expensive than the plus licenses in most cases.
In ISE 2.4 you can set up permissions for pxGrid clients. I was thinking that you could possibly use this to only provide the passive info to clients, but as far as I can tell, it’s all session info or none.
Any ideas? Am I missing something?