Passive ID Mapping and SAML SSO

ccotting
Cisco Employee

Looking for some input on a use case we’re attempting to configure.

Use Case:

Auth device via endpoint cert = permit and redirect to IdP for user auth

User auth successful = permit and apply dacl per AD group mapping

Problem:  IdP is home grown, only able to pass back the user ID and email address in the assertion

Question:  Understanding that Passive ID has a restriction of CWA not being supported, since we are doing machine auth via the certificate, are we able to do the following:

AuthZ

Use case = guest flow = permit (reauth occurs) - COA reauth result

CWA auth’d & posture unknown = posture

Posture=compliant & passiveid=ad group x then dacl

Machine in AD group X = permit, redirect to SSO for auth

Accepted Solution

hslai
Cisco Employee

Passive ID in ISE 2.1 is not vetted for DOT1X so might not work well with machine auth.


Replies


Jason Kunst
Cisco Employee

What about Machine cert + CWA?