Wired access for guests and employees without dot1x

ymadheka
Level 4

Hi Folks,

In the case of a customer with a requirement to have endpoints connected to the wired network without dot1x, passive identity (Easy Connect) can identify the AD user information for the connected endpoint. The concern is whether ISE can check for the guest endpoint on the same / different port on the wired network, since both will be using MAB as the authentication protocol.

Kindly advise.

Accepted Solutions

Craig Hyps
Level 10

Why not use CWA for guests? This fits into typical config models where both 802.1X and MAB are configured with FlexAuth. If one method fails, it falls back to the other. CWA is based on the MAB auth method to allow secure access for guests as well as IoT endpoints.

/Craig


2 Replies

hslai
Cisco Employee

Yes.

When ISE is not receiving user info from PassiveID, there is no session merge, so the guest endpoints can continue with the ISE guest flow. When ISE receives PassiveID info, it merges the session and provides Easy Connect access.
