FireSight and ISE User Identity Integration

nrunge1
Level 1

We are wishing to migrate from CX/PRSM to FirePower/FireSight. I am researching feature parity.

Today I use the CDA integration with ISE to passively capture the user identity of 802.1x wireless authenticated employees.

The goal is to on demand produce reports that map a username to their traffic in a passive fashion.

I was told by a Cisco engineer that ISE was a consumable identity source for FireSight in the same way that LDAP is with the User Agent. Furthermore I was assured that this was the case without having licensing for pxGrid.

I am unable to find any information proving this to be true. The only thing I find is information on how to use ISE as an authentication method.

I do not want to authenticate users actively. I just want to scrape username information for reporting purposes. I have read the following URL and it is not what I am looking for based on our current configuration.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html
12 Replies

Collin Clark
VIP Alumni

You can get usernames directly in sourcefire with the User Agent (that runs on a Windows box). No need for ISE.

When a user authenticates using 802.1x over WiFi via ACS/ISE, I do not see a successful authentication event on a domain controller.

If you have ISE configured differently so that my wireless users will actually create an event in Windows that has a username in it I would be interested to see how you are doing that.

To the best of my knowledge that was not possible, which was why for CX/PRSM Cisco had to patch the CDA to parse out syslog from CX.

That is correct, you will not see logon/logoff for users that authenticated to RADIUS. As far as I know there is no workaround. I'm hoping that some day soon Sourcefire will use CDA instead of its own User Agent.

I believe moving forward Cisco plans to integrate these sort of multiple sources of user data via PxGrid. Though I'd prefer CDA as it appears more stable than SFUA.

There was some lab proof of concept work demonstrated at Cisco Live Milan a couple of weeks ago. 

The problem with PxGrid is that it requires additional ISE licensing.

From my org's point of view we bought into CX and it didn't have ISE RADIUS identity integration. We waited and then by the time we received it the CX platform was on its way out after roughly two years.

At this point we basically got credited back every dime we put into CX and are going to pay the difference for SF but I go back to not having feature parity and potentially having to buy more licensing to get it.

This is all pretty absurd when you consider that I am not wanting to do anything more than parse out text and associate it with a matched IP.

I am still waiting to hear back from a Cisco SE that our sales rep put me in touch with. If I hear anything definitive I should at least be able to provide closure for anyone who hits this thread.
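As an added illustration of the passive "parse out text and associate it with a matched IP" mapping nrunge1 describes (this is example code written for this page, not code from the thread, CDA, ISE or FireSight), the Python below builds IP-to-user sessions from RADIUS accounting records and then attributes sample traffic flows to users for a report. The syslog line layout, the `radius-acct` tag, the users, addresses, session IDs and flow records are all constructed for the example; real ISE or CDA message formats differ, and only the RADIUS attribute names (User-Name, Framed-IP-Address, Acct-Status-Type, Acct-Session-Id) are standard.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample accounting records in an assumed syslog layout:
# "<timestamp> radius-acct <Attr>=<value> ...". Not a real ISE/CDA format.
SAMPLE_SYSLOG = """\
2015-02-10T08:00:00Z radius-acct Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.20.30.41 Calling-Station-Id=00-11-22-33-44-55 Acct-Session-Id=A1
2015-02-10T08:05:00Z radius-acct Acct-Status-Type=Interim-Update User-Name=alice Framed-IP-Address=10.20.30.41 Acct-Session-Id=A1
2015-02-10T09:00:00Z radius-acct Acct-Status-Type=Stop User-Name=alice Framed-IP-Address=10.20.30.41 Acct-Session-Id=A1
2015-02-10T09:10:00Z radius-acct Acct-Status-Type=Start User-Name=bob Framed-IP-Address=10.20.30.41 Acct-Session-Id=B7
2015-02-10T09:30:00Z radius-acct Acct-Status-Type=Start User-Name=carol Framed-IP-Address=10.20.30.77 Acct-Session-Id=C3
2015-02-10T09:40:00Z sshd[123]: Accepted publickey for root from 10.0.0.5
2015-02-10T10:00:00Z radius-acct Acct-Status-Type=Start User-Name=dave Framed-IP-Address=10.20.30.77 Acct-Session-Id=D9
"""

# Constructed flow records: (timestamp, src ip, dst ip, bytes). Not real traffic.
SAMPLE_FLOWS: List[Tuple[str, str, str, int]] = [
    ("2015-02-10T08:30:00Z", "10.20.30.41", "93.184.216.34", 1200),
    ("2015-02-10T09:05:00Z", "10.20.30.41", "93.184.216.34", 300),  # between alice's Stop and bob's Start
    ("2015-02-10T09:20:00Z", "10.20.30.41", "93.184.216.34", 800),
    ("2015-02-10T10:05:00Z", "10.20.30.77", "93.184.216.34", 500),  # IP reused by dave, no Stop for carol
]

ACCT_RE = re.compile(r"^(\S+)\s+radius-acct\s+(.*)$")
KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Session:
    user: str
    ip: str
    session_id: str
    start: datetime
    end: Optional[datetime] = None  # None while the mapping is still live


def parse_accounting(text: str) -> List[Session]:
    """Turn accounting lines into IP-to-user sessions, ignoring unrelated syslog."""
    sessions: List[Session] = []
    open_by_ip: Dict[str, Session] = {}
    for line in text.splitlines():
        m = ACCT_RE.match(line)
        if not m:
            continue  # not an accounting record (e.g. the sshd line)
        ts = parse_ts(m.group(1))
        attrs = dict(KV_RE.findall(m.group(2)))
        status, ip, user = attrs.get("Acct-Status-Type"), attrs.get("Framed-IP-Address"), attrs.get("User-Name")
        sid = attrs.get("Acct-Session-Id", "")
        if not (status and ip and user):
            continue
        current = open_by_ip.get(ip)
        if status == "Stop":
            # Only a Stop for the session currently mapped closes the mapping; stale Stops are ignored.
            if current is not None and current.session_id == sid:
                current.end = ts
                del open_by_ip[ip]
            continue
        if current is not None and current.session_id == sid:
            continue  # Interim-Update for a session we already track
        if current is not None:
            current.end = ts  # IP reused without a Stop: close the stale mapping
        s = Session(user, ip, sid, ts)
        sessions.append(s)
        open_by_ip[ip] = s
    return sessions


def attribute(sessions: List[Session], ip: str, ts: datetime) -> Optional[str]:
    """Return the user mapped to ip at time ts, or None if no session covers it."""
    for s in sessions:
        if s.ip == ip and s.start <= ts and (s.end is None or ts < s.end):
            return s.user
    return None


def bytes_by_user(sessions: List[Session], flows: List[Tuple[str, str, str, int]]) -> Dict[str, int]:
    """Sum flow bytes per attributed user; flows with no covering session count as 'unattributed'."""
    totals: Dict[str, int] = {}
    for ts_str, src, _dst, nbytes in flows:
        user = attribute(sessions, src, parse_ts(ts_str)) or "unattributed"
        totals[user] = totals.get(user, 0) + nbytes
    return totals


if __name__ == "__main__":
    sessions = parse_accounting(SAMPLE_SYSLOG)
    for s in sessions:
        print(f"{s.ip:<13} {s.user:<6} {s.start:%H:%M} -> {s.end:%H:%M}" if s.end else f"{s.ip:<13} {s.user:<6} {s.start:%H:%M} -> open")
    print(bytes_by_user(sessions, SAMPLE_FLOWS))
```

The two failure modes worth noting are the ones that bite real deployments of this kind of passive mapping: a flow in the gap after a Stop and before the next Start is reported as unattributed rather than to the previous user, and an address that is handed to a new user without a Stop ever arriving is re-mapped at the new Start, so the old user is not charged for the new user's traffic.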

I agree - your points are similar to the ones I've made myself to the Cisco Security CSEs I work with as a partner.

Add your voice to the choir - that's how we get the responsible product manager to make it a priority.

The answer that I received was in line with these features coming first half of this year using pxGrid. There was one or two other workarounds mentioned but they aren't comparable to the way it is being done today in CX.

I am getting some quotes on adding Plus licensing to our ISE Base.

There is an upside in that ISE can use pxGrid technology to get identity from AD so the SourceFire Agent would be unnecessary and everything would just flow through ISE.

Between that and the fact that I have to license passive gear makes it a tough pill to swallow.

So to cap this thread off the pricing on pxGrid isn't bad at all if that is all you want from ISE. 

pxGrid doesn't actually consume licenses. You can purchase the smallest cheapest PLUS license and get pxGrid/TrustSec.

I have to admit that changes my initial position. It doesn't sound like the SF Agent was stable and in my experience neither was CDA. 

For the cost it absolutely makes the most sense to use ISE to pull that data. 

This feature has been bumped back in the timeline. Internal documentation will say second half of 2015 however the Cisco employees I spoke with said not to count on it until Q1 2016.

So I used the FireSight AD Agent for the first time. I take back everything bad I said about the CDA, the AD Agent has proven to function far less consistently. 

I agree. I complained loud and clear to Cisco product managers, CSEs and TMEs while I was at Cisco Live about the various identity integration solutions being all over the map.

None of them work particularly well in my opinion (except perhaps ISE which is a great product but by no means ubiquitous nor should it be a prerequisite to get user identity). 

Funny. That was pretty much our office conversation today. ISE is going to be perfect. For those that own ISE.  

Although upcharging for a technological pivot that essentially provides the same feature isn't a new thing for Cisco. 

CX > FirePower

Show n Share > vBrick

DMM > AppSpace

TCS > Virtual TCS

MCU Bridge > Virtual Telepresence Server

VCS > CUCM

And that is just our last fiscal year. 