cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5395
Views
10
Helpful
3
Replies

Passive-ID identity sharing and pxgrid

danhamil
Cisco Employee
Cisco Employee

Have a scenario where Traditional ISE is deployed where ISE is doing 802.1x authentication for iphones and laptops on wireless.  They would like to add the Passive-ID (PIC) functionality to their deployment using (WMI) to get identy info from their AD for their wired users. (802.1x authentication is not setup for their wired infrastructure).  They want to do this so they can send identity information to their FMC so they can create identity based polices on their FMC.

I would like to confirm the following:

For the identity information obtained from the passive-ID (PIC) functionality, the identity information can be sent to FMC using PxGrid without requiring any Plus licenses. Correct?

For the identity information obtained via 802.1x authentication for their wireless devices, does it require a Plus license to send this identity information to FMC via PxGrid?

If so, does this require a 1:1 mapping of Base to Plus licenses?

Thanks

-Dan

1 ACCEPTED SOLUTION

Accepted Solutions

My understanding (from the Ordering Guide, page7, table 7) is that for Passive Identity pxGrid connections, only a Base License is required.

pxgrid_passive.png

 

 

Whereas authentications that are done by ISE (802.1x, etc.) will require a 1:1 Base:Plus Licensepxgrid_active.png

 

 

This is called out on the bottom of Page 6, but is worded poorly, creating a lot of confusion.pxgrid_active2.png

 As broken down in this table (Page 6, table 6) that refers to table 7:pxgrid.png

 

 

 

 

View solution in original post

3 REPLIES 3

Timothy Abbott
Cisco Employee
Cisco Employee

Dan,

Identity sharing over pxGrid to Cisco solutions is included in the base license.

Regards,

-Tim

My understanding (from the Ordering Guide, page7, table 7) is that for Passive Identity pxGrid connections, only a Base License is required.

pxgrid_passive.png

 

 

Whereas authentications that are done by ISE (802.1x, etc.) will require a 1:1 Base:Plus Licensepxgrid_active.png

 

 

This is called out on the bottom of Page 6, but is worded poorly, creating a lot of confusion.pxgrid_active2.png

 As broken down in this table (Page 6, table 6) that refers to table 7:pxgrid.png

 

 

 

 

I have a related question to ask. Is there a way to share the passive ID info via pxGrid to Cisco devices but not the active authentications? Having both active and passive would be great, but we have many customers using ISE who will never purchase enough plus licensing to make it compliant. I realize they could run a second ISE deployment as ISE-PIC, but that would probably be more expensive than the plus licenses in most cases.

 

In ISE 2.4 you can set up permissions for pxGrid clients.   I was thinking that you could possibly use this to only provide the passive info to clients, but as far as I can tell, it’s all session info or none.   

 

Any ideas?  Am I missing something?  

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: