ISE 2.1 introduced a new feature called Easy Connect where Microsoft Active Directory (AD) logins are used to passively map user information onto existing network sessions initiated with MAC Authentication Bypass (MAB). This is similar to a Centralized Web Authentication (CWA) or CWA Chaining scenario where ISE combines an active MAB or 802.1X authentication session with the identity obtained from a Web Authentication. ISE leverages the identity and group memberships from the passive identity (PassiveID) to be used as conditions to assign policy.
The benefits of Easy Connect over 802.1X are:
No 802.1X supplicant required for user authentication
No Public Key Infrastructure (PKI) required for trusted credential transport
Can be used as primary user identity or supplement another active identity such as MAB or 802.1X
Step 1: Navigate to Administration > System > Deployment > (node) > General Settings
Step 2: Enable Passive Identity Service on PSN
Note: It is recommended to enable Easy Connect on two PSN nodes for high availability but no more than two.
Note: Dedicated PSNs are recommended for Easy Connect Passive Identity Mapping
Step 3: Navigate to Administration > PassiveID > AD Domain Controllers
Step 4: Select Add and provide the credentials to your Active Directory domain controllers for PassiveID. Alternatively, you may Import a list of AD controllers via a CSV file.
Step 5: You may customize your Passive Identity caching options under Active Directory General Settings. The User Session Timer is reset when there is 1) a new AD login with the same username or 2) a Kerberos ticket renewal.
Easy Connect Authorization Policies
Here are a few examples of ISE authorization policies using the PassiveID attributes from Easy Connect:
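As an added illustration (not from the original article or Cisco's code), the following Python model shows how a passive identity learned from an AD login is joined to an existing MAB session and used as an authorization condition, including the User Session Timer reset on a same-user Kerberos renewal. Session fields, group names, profile names and the timeout value are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class PassiveIdentity:
    username: str
    groups: set
    expires_at: float  # absolute time (seconds) when the User Session Timer expires


class PassiveIdCache:
    """IP -> PassiveID mapping, as a PSN running the Passive Identity Service would hold it."""

    def __init__(self, user_session_timeout=6 * 3600):  # assumed timeout value
        self.timeout = user_session_timeout
        self.by_ip = {}

    def ad_login(self, ip, username, groups, now):
        # A new AD login (re)creates the mapping and resets the timer.
        self.by_ip[ip] = PassiveIdentity(username, set(groups), now + self.timeout)

    def kerberos_renewal(self, ip, username, now):
        # A Kerberos ticket renewal only resets the timer for the same username.
        ident = self.by_ip.get(ip)
        if ident is not None and ident.username == username:
            ident.expires_at = now + self.timeout
            return True
        return False

    def lookup(self, ip, now):
        # Expired mappings are dropped; the MAB session then has no passive identity.
        ident = self.by_ip.get(ip)
        if ident is None or now >= ident.expires_at:
            self.by_ip.pop(ip, None)
            return None
        return ident


def authorize(mab_session, cache, now, policy):
    """Easy Connect style rule: MAB session + PassiveID group membership -> profile.

    policy is an ordered list of (AD group, authorization profile) pairs,
    evaluated top down like ISE authorization rules (names are assumed).
    """
    ident = cache.lookup(mab_session["ip"], now)
    if ident is None:
        return "MAB_Only_Limited"  # constructed name: endpoint seen, no user mapped yet
    for group, profile in policy:
        if group in ident.groups:
            return profile
    return "Domain_User_Default"  # constructed name: mapped user matched no rule
```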