Showing results for 
Search instead for 
Did you mean: 

Community Helping Community

ISE Easy Connect




ISE 2.1 introduced a new feature called Easy Connect where Microsoft Active Directory (AD) logins are used to passively map user information onto existing network sessions initiated with MAC Authentication Bypass (MAB).  This is similar to a Centralized Web Authentication (CWA) or CWA Chaining scenario where ISE combines an active MAB or 802.1X authentication session with the identity obtained from a Web Authentication.  ISE leverages the identity and group memberships from the passive identity (PassiveID) to be used as conditions to assign policy.


The benefits of Easy Connect over 802.1X are:

  • No 802.1X supplicant required for user authentication
  • No Public Key Infrastructure (PKI) required for trusted credential transport
  • Can be used as primary user identity or supplement another active identity such as MAB or 802.1X



Get Started


How to Configure Easy Connect on ISE 2.1



802.1X vs Easy Connect Comparison


  802.1X Easy Connect
Requires Microsoft Active Directory No Yes, with WMI access allowed from ISE
Identity Stores

ISE Local User Accounts

RADIUS server Proxy

Microsoft Active Directory



Token server

Microsoft Active Directory
Machine Authentication Methods

Certificates (EAP-TLS, etc.)

Windows Domain Credential

User Authentication Methods

Username + Password

One-Time Password (OTP) tokens

Certificates (EAP-TLS, etc.)

Protected Access Credential (PAC)  such as EAP-FAST)

Kerberos User login - not Machine
User Logoff Detection


Note: Fast User Switching (FUS) not detected

No - not detected via WMI, but AD login from different user will overwrite Passive Identity for endpoint.

Note: Fast User Switching (FUS) not detected.

Session Expiration RADIUS Session-Timeout (configurable in ISE authorization policy results) User Session age (configurable in ISE Active Directory settings)
Supported Operating Systems




Microsoft Windows

MacOS (with Login Option for Network Server)

Agents Native OS supplicant
Cisco AnyConnect
None (Microsoft Windows OS)
Network Devices

Wired Switches

Wireless controllers

Wired switches

Wireless controllers not QA tested.

NAD Configuration


See the ISE Design Guides for best practice switchport configs

MAB or 802.1X (required for ISE to stitch RADIUS session with PassiveID info)

Enforcement VLANs, dACLs, SGTs VLANs, dACLs, SGTs
Identity & Session published to pxGrid Yes Yes

Depends on the Authentication Method's encryption requirements and round-trips.

See ISE Performance & Scale




Enable Easy Connect


How to Configure Easy Connect on ISE 2.1


To enable Easy Connect in ISE:

Step 1: Navigate to Administration > System > Deployment > (node) > General Settings

Step 2: Enable Passive Identity Service on PSN

Note: It is recommended to enable Easy Connect on two PSN nodes for high availability but no more than two.

Note: Dedicated PSNs are recommended for Easy Connect Passive Identity Mapping


Step 3: Navigate to Administration > PassiveID > AD Domain Controllers

Step 4: Select Add and provide the credentials to your Active Directory domain controllers for PassiveID. Alternatively, you may Import a list of AD controllers via a CSV file.

Step 5: You may customize your Passive Identity caching options under Active Directory General Settings.
The User Session Timer is reset when there is a 1) new AD login with the same username or 2) Kerberos ticket renewal




Easy Connect Authorization Policies


Here are a few examples of ISE authorization policies using the PassiveID attributes from Easy Connect :




ISE 2.1 Release

EasyConnect - ISE Made Simple


Hi Thomas,


Thanks for the wonderful article.


May i please check with 2 things :

1. Does Easy Connect Supported on Wireless network also (CISCO AP & WLC).

2. Can Easy Connect & BYOD Solution co-exist on the same ISE box (With Different AUTHE & AUHTO Profile).




CreatePlease to create content
Content for Community-Ad
FusionCharts will render here