03-28-2019 02:04 AM - edited 02-21-2020 11:04 AM
Our customer is looking for a two-step authentication/authorization. At first the managed clients should be authenticated via a machine certificate based on EAP-TLS, and after being authorized a second step is needed: when a user logs on to the client, the client should be moved to another VLAN or maybe get a different dACL. According to the Cisco Live presentation BRKSEC 3697 from Orlando 2018, you can see on page 163 that the combination of 802.1X with Passive ID is supported.
Is this a supported deployment use case? If yes, will ISE-PIC support this use case, or must we deploy the full ISE product?