ISE 2.1 introduced a new feature called Easy Connect where Microsoft Active Directory (AD) logins are used to passively map user information onto existing network sessions initiated with MAC Authentication Bypass (MAB). This is similar to a Centralized Web Authentication (CWA) or CWA Chaining scenario where ISE combines an active MAB or 802.1X authentication session with the identity obtained from a Web Authentication. ISE leverages the identity and group memberships from the passive identity (PassiveID) to be used as conditions to assign policy.
The benefits of Easy Connect over 802.1X are:
No 802.1X supplicant required for user authentication
No Public Key Infrastructure (PKI) required for trusted credential transport
Can be used as primary user identity or supplement another active identity such as MAB or 802.1X
Step 1: Navigate to Administration > System > Deployment > (node) > General Settings
Step 2: Enable Passive Identity Service on PSN
Note: It is recommended to enable Easy Connect on two PSN nodes for high availability but no more than two.
Note: Dedicated PSNs are recommended for Easy Connect Passive Identity Mapping
Step 3: Navigate to Administration > PassiveID > AD Domain Controllers
Step 4: Select Add and provide the credentials to your Active Directory domain controllers for PassiveID. Alternatively, you may Import a list of AD controllers via a CSV file.
Step 5: You may customize your Passive Identity caching options under Active Directory General Settings. The User Session Timer is reset by either of two events: 1) a new AD login with the same username, or 2) a Kerberos ticket renewal.
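The following is an added sketch, not ISE code or anything from the original article: a simplified model of how a passive AD identity attaches to an existing MAB session and ages out under the User Session Timer from Step 5. Assumptions: sessions are joined on the endpoint IP address, the timeout value is constructed, and a login by a different user replaces the mapping.

```python
from dataclasses import dataclass
from typing import Optional

USER_SESSION_TIMEOUT = 4 * 3600  # seconds; constructed value, not an ISE default

@dataclass
class Session:
    mac: str
    ip: str
    user: Optional[str] = None       # PassiveID username once an AD login is seen
    groups: tuple = ()               # AD groups usable as authorization conditions
    last_seen: Optional[int] = None  # time of the last AD login or ticket renewal

class PassiveIdCache:
    """Hypothetical model: passive identities layered on active MAB sessions."""
    def __init__(self, timeout=USER_SESSION_TIMEOUT):
        self.timeout = timeout
        self.by_ip = {}

    def mab_auth(self, mac, ip):
        # The MAB session exists first; the identity is mapped on later.
        self.by_ip[ip] = Session(mac, ip)

    def ad_event(self, kind, user, ip, now, groups=()):
        """kind is 'login' or 'renewal' (Kerberos ticket renewal)."""
        s = self.by_ip.get(ip)
        if s is None:
            return False              # no MAB session to map the login onto
        if kind == "login":
            # Same username: timer reset. Different username: mapping replaced
            # (assumption of this model).
            s.user, s.groups, s.last_seen = user, tuple(groups), now
            return True
        if kind == "renewal" and s.user == user:
            s.last_seen = now         # timer reset, identity unchanged
            return True
        return False

    def identity(self, ip, now):
        """Return (user, groups) while the mapping is fresh, else None."""
        s = self.by_ip.get(ip)
        if s is None or s.user is None:
            return None
        if now - s.last_seen >= self.timeout:
            # Stale mapping: drop it so only MAB-based conditions can match.
            s.user, s.groups, s.last_seen = None, (), None
            return None
        return s.user, s.groups
```

The point for policy design is that a PassiveID is a time-bounded inference: once the timer lapses without a login or renewal, conditions based on user or group should no longer match and the endpoint is left with its MAB result.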
Easy Connect Authorization Policies
Here are a few examples of ISE authorization policies using the PassiveID attributes from Easy Connect: