Solved: Passive identity on Full ISE

Elly Bornstein · ‎02-28-2018

Hi,

I have a customer running WIRELESS dot1x with ISE 2.2p6 with WSA integration. On the WIRED side, they use CDA+WSA.

Trying to see if we can use the PIC feature set on a fully functional ISE deployment (not ISE PIC) without deploying wired dot1x. This way we can use WMI to authenticate wired users passively and use Pxgrid to pass the info to WSA.

Where is a guide on this?

Timothy Abbott · ‎03-01-2018

I imagine you are assigning a SGT to wireless users and then sharing that information with WSA over pxGrid because that is the only pxGrid topic the WSA pxGrid client currently looks for. Unfortunately, the only option to get the same result on the wired side is to deploy wired 802.1X an assign a SGT. This is because ISE and ISE-PIC (both use the same PassiveID features) currently do not have the CDA RADIUS interface that the WSA needs to get the user to IP mapping for identity.

Regards,

-Tim

View solution in original post

Timothy Abbott · ‎03-01-2018

I imagine you are assigning a SGT to wireless users and then sharing that information with WSA over pxGrid because that is the only pxGrid topic the WSA pxGrid client currently looks for. Unfortunately, the only option to get the same result on the wired side is to deploy wired 802.1X an assign a SGT. This is because ISE and ISE-PIC (both use the same PassiveID features) currently do not have the CDA RADIUS interface that the WSA needs to get the user to IP mapping for identity.

Regards,

-Tim