ISE 2.1 introduced a feature called Easy Connect, in which Microsoft Active Directory (AD) logins are used to passively map user identities onto existing network sessions that were started with MAC Authentication Bypass (MAB). This is similar to a Centralized Web Authentication (CWA) or CWA Chaining scenario, where ISE combines an active MAB or 802.1X authentication session with the identity obtained from a Web Authentication. With Easy Connect, ISE uses the username and AD group memberships learned through the passive identity (PassiveID) as conditions in authorization policy. Note that the endpoint is still admitted to the network by MAB; the user identity is learned from the AD login rather than proven by a credential presented on the port.
The benefits of Easy Connect over 802.1X are:
No 802.1X supplicant required for user authentication
No Public Key Infrastructure (PKI) required for trusted credential transport
Can be used as primary user identity or supplement another active identity such as MAB or 802.1X
Step 1: Navigate to Administration > System > Deployment > (node) > General Settings
Step 2: Enable Passive Identity Service on PSN
Note: It is recommended to enable Easy Connect on two PSN nodes for high availability but no more than two.
Note: Dedicated PSNs are recommended for Easy Connect Passive Identity Mapping
Step 3: Navigate to Administration > PassiveID > AD Domain Controllers
Step 4: Select Add and provide the credentials to your Active Directory domain controllers for PassiveID. Alternatively, you may Import a list of AD controllers via a CSV file.
Step 5: You may customize your Passive Identity caching options under Active Directory General Settings. The User Session Timer is reset when 1) a new AD login occurs with the same username, or 2) a Kerberos ticket is renewed. When the timer expires, the IP-to-user mapping is removed and the session falls back to whatever the MAB identity alone is authorized for.
Easy Connect Authorization Policies
Here are a few examples of ISE authorization policies that use the PassiveID attributes from Easy Connect:
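The following is an added example, not Cisco ISE code or configuration from this guide. It is a constructed Python simulation of the two mechanisms described above: the PassiveID cache that maps a client IP to an AD user and its groups (with the User Session Timer reset rules from Step 5), and an ordered authorization policy that joins an active MAB session to that passive identity and matches on PassiveID attributes. The timer value, the rule names, the group names, and the attribute keys (modelled on the ISE PassiveID and Network Access dictionaries) are assumptions chosen for illustration.

```python
# Added example (not Cisco ISE code): a constructed simulation of the Easy
# Connect passive identity (PassiveID) cache and an authorization policy that
# consumes its attributes. Timer value, attribute keys, group and rule names
# are assumptions for illustration only.
from dataclasses import dataclass

USER_SESSION_TIMEOUT = 24 * 3600  # seconds; assumed default, tunable in ISE


@dataclass
class PassiveIdentity:
    username: str
    groups: frozenset
    last_seen: int  # time of the last AD login or Kerberos renewal for this user


class PassiveIdCache:
    """IP -> identity mappings learned from AD logon events (Step 5 behaviour)."""

    def __init__(self, timeout=USER_SESSION_TIMEOUT):
        self.timeout = timeout
        self.by_ip = {}

    def ad_login(self, ip, username, groups, ts):
        """A domain controller reports that `username` logged on from `ip`."""
        entry = self.by_ip.get(ip)
        if entry is not None and entry.username == username:
            entry.last_seen = ts  # same user again: reset the session timer
            entry.groups = frozenset(groups)
        else:
            # A different user on this IP replaces the previous mapping.
            self.by_ip[ip] = PassiveIdentity(username, frozenset(groups), ts)

    def kerberos_renewal(self, ip, username, ts):
        """A Kerberos ticket renewal resets the timer, but only for the mapped user."""
        entry = self.by_ip.get(ip)
        if entry is not None and entry.username == username:
            entry.last_seen = ts
            return True
        return False

    def lookup(self, ip, now):
        """Return the identity for `ip`, expiring it if the timer has run out."""
        entry = self.by_ip.get(ip)
        if entry is None:
            return None
        if now - entry.last_seen > self.timeout:
            del self.by_ip[ip]
            return None
        return entry


def session_attributes(session, cache, now):
    """Join an active MAB session (by IP) with the passive identity, if any."""
    attrs = {"Network Access:AuthenticationMethod": session["auth_method"]}
    ident = cache.lookup(session["ip"], now)
    if ident is not None:
        # Attribute keys modelled on the ISE PassiveID dictionary (assumed).
        attrs["PassiveID:PassiveID_Username"] = ident.username
        attrs["PassiveID:PassiveID_Groups"] = ident.groups
    return attrs


def _groups(attrs):
    return attrs.get("PassiveID:PassiveID_Groups", frozenset())


def _is_mab(attrs):
    return attrs["Network Access:AuthenticationMethod"] == "MAB"


# Ordered authorization rules: (name, condition, result). First match wins.
RULES = [
    ("EasyConnect_Employees",
     lambda a: _is_mab(a) and "Employees" in _groups(a), "PermitAccess"),
    ("EasyConnect_Contractors",
     lambda a: _is_mab(a) and "Contractors" in _groups(a), "Contractor_ACL"),
    # Endpoint admitted by MAB but no AD user mapped (yet, or any more).
    ("MAB_Only", _is_mab, "Limited_Access"),
]


def authorize(session, cache, now):
    attrs = session_attributes(session, cache, now)
    for name, condition, result in RULES:
        if condition(attrs):
            return name, result
    return "Default", "DenyAccess"


if __name__ == "__main__":
    cache = PassiveIdCache(timeout=3600)
    pc = {"mac": "00:11:22:33:44:55", "ip": "10.1.1.5", "auth_method": "MAB"}
    print(authorize(pc, cache, now=0))    # MAB only, no passive identity yet
    cache.ad_login("10.1.1.5", "jdoe", ["Employees"], ts=100)
    print(authorize(pc, cache, now=200))  # now mapped to jdoe
```

The simulation makes two points that the policy screenshots alone do not: an endpoint that has been admitted by MAB keeps its MAB-only authorization until an AD login for its IP is seen, and it drops back to that authorization when the User Session Timer expires without a new login or Kerberos renewal for the mapped user. A renewal or login for a different username does not extend the existing mapping.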