Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1844
Views
0
Helpful
5
Replies

Questions regarding Radius + PassiveID

Go to solution
Nicholas DiNofrio
Cisco Employee
Cisco Employee

‎05-02-2018 10:28 AM

Wanted to get more information regarding the use of PassiveID and when it should not be used.


For example, if endpoint supplicant is configured for (Radius) Machine Authentication via EAP-TLS and User-to-IP mapping via PassiveID is desired, is this type of flow supported/compatible?   I ask because we see that the provider is WMI in the Radius Session (Live Session on ISE) but we don't have user information.


We are also looking into leveraging EasyConnect with ISE 2.2 software because it appears we may be able to perform Dot1x for machine identity and then Wired Mab for user identity and PassiveID (user-to-IP mapping) stitched together.


The main issue is that we are working to get PassiveID user information that appears to be successfully obtained from WMI but not found in ISE Live Session or from PassiveID report.


Could you share the best practices when using PassiveID and without EasyConnect if Radius session is expected to overwrite or take priority over the PassiveID user information?


Please let me know if there are any questions or need any additional details.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee
In response to Nicholas DiNofrio

‎05-02-2018 01:37 PM

If your requirement is to get user or merged identity from session where identities exists from both 802.1X machine auth and passive-ID, then no that is not supported yet.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
howon
Cisco Employee
Cisco Employee

‎05-02-2018 12:27 PM

802.1X + Easy Connect use case is not supported. Easy Connect was developed to provide visibility of 'who is behind the endpoint' when 802.1X is not used. Easy Connect enforcement can be enabled by enabling MAB to assign SGT or ACL. If enabling supplicant is not an issue, I suggest looking into enabling it for user auth as well to get user identity information via 802.1x. If combining of machine & user auth is desired then EAP-Chaining should be considered.

0 Helpful

Go to solution
Nicholas DiNofrio
Cisco Employee
Cisco Employee
In response to howon

‎05-02-2018 12:42 PM

Is Machine Authentication (Dot1x) & Passive ID via WMI (not EasyConnect) supported?

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to Nicholas DiNofrio

‎05-02-2018 01:37 PM

If your requirement is to get user or merged identity from session where identities exists from both 802.1X machine auth and passive-ID, then no that is not supported yet.

0 Helpful

Go to solution
Nicholas DiNofrio
Cisco Employee
Cisco Employee
In response to howon

‎05-02-2018 02:56 PM

Thank you very much, believe that explains why we don't get user identity information when endpoint supplicant configured for Machine Auth (Dot1x).

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Nicholas DiNofrio

‎04-02-2019 10:39 PM

Hi,

 

I have the same requirement, it would be nice to have them merge. Especially for customers looking to take on pxgrid with stable machine auth environments. Is this being tracked or developed for future support. or do we migrate their dot1x config to use both user auth and machine auth?

 

thanks,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents