I have a scenario where Traditional ISE is deployed and ISE is doing 802.1x authentication for iPhones and laptops on wireless. They would like to add the Passive-ID (PIC) functionality to their deployment using WMI to get identity info from their AD for their wired users. (802.1x authentication is not set up for their wired infrastructure.) They want to do this so they can send identity information to their FMC so they can create identity-based policies on their FMC.
I would like to confirm the following:
For the identity information obtained from the Passive-ID (PIC) functionality, the identity information can be sent to FMC using pxGrid without requiring any Plus licenses. Correct?
For the identity information obtained via 802.1x authentication for their wireless devices, does it require a Plus license to send this identity information to FMC via pxGrid?
If so, does this require a 1:1 mapping of Base to Plus licenses?
I have a related question to ask. Is there a way to share the passive ID info via pxGrid to Cisco devices but not the active authentications? Having both active and passive would be great, but we have many customers using ISE who will never purchase enough Plus licensing to make it compliant. I realize they could run a second ISE deployment as ISE-PIC, but that would probably be more expensive than the Plus licenses in most cases.
In ISE 2.4 you can set up permissions for pxGrid clients. I was thinking that you could possibly use this to only provide the passive info to clients, but as far as I can tell, it’s all session info or none.