Solved: Re: USER Information

raymondmf · ‎04-18-2019

Currently have ISE deployed using EAP-TLS machine certificates. Would like now to be able to see the user information for those machines. Was told ISE-PIC will do that, but I am also told that is not the case as I already am doing EAP-TLS.

Need a little clarification as to whether it means I do need to actually have to authenticate users as well.

kthiruve · ‎04-22-2019

Question is why do you want to use ISE-PIC and what is the use case?

ISE-PIC is used for Passive authentication using AD agent, syslogs, WMI and a few other ways. if you want active authentication you need ISE. ISE-PIC can gather information from AD but you need to consume this somewhere right?

https://community.cisco.com/t5/security-documents/ise-pic-faq/ta-p/3639377

If you want to authenticate user/machine for certificate authentication using EAP-TLS use ISE.

Thanks

Krishnan

View solution in original post

paul · ‎04-18-2019

ISE-PIC is just a stripped down version of ISE. You already are running the full version of ISE. You have two options:

Change your authentication on the clients to doing computer or user certificates. Of course this means dealing with user cert enrollment, first time user logon, etc.
Setup passive ID in ISE to scrap user to IP mapping from the domain controllers.

kthiruve · ‎04-22-2019