ISE Passive Identity Connector - Authentication Supported by Agent

fabiofunaki
Level 1

Hello!

 

I'm trying to find out which kind of authentication is supported by the ISE PIC Agent provider.

My problem:

* When a user logs in to a PC with an AD account, ISE PIC does the user-to-IP-address mapping; this works with wired and wireless access.

* When an authenticated user moves from wired to wireless, ISE PIC does not recognize the IP address.

  * The WLAN is based on a third-party solution; it does authenticate against AD, but using RADIUS (802.1X).

Do you know if RADIUS authentication is supported by the ISE PIC Agent provider? From my observations, it looks like the ISE PIC Agent provider only works when the user authenticates at Windows logon.

 

Regards,

 

Fabio

Accepted Solution

Greg Gibbs
Cisco Employee

The Passive ID agent works by monitoring the logon events on the domain controller and capturing the user/IP mappings seen by the DC.

A transition between wired and wireless does not trigger a logon event, therefore neither the DC nor ISE-PIC will know about it. For wireless, you would be better off actively authenticating the endpoints via 802.1x using the full version of ISE.

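To make the mechanism in Greg's answer concrete, the following is a toy model, added here as an example and not Cisco's ISE-PIC agent code, of a mapper that builds user-to-IP bindings only from domain-controller logon events. The event records, the addresses, the account names and the eight-hour staleness window are all constructed assumptions; the field names mimic the "Account Name", "Logon Type" and "Source Network Address" fields of Windows Security event 4624. Note what is deliberately absent from the sample: the wireless RADIUS authentication produces no 4624 on the DC, so the wireless address never enters the table.

```python
"""Toy Passive-ID style mapper: user-to-IP bindings from DC logon events.

Added example, not ISE-PIC code. All events below are constructed by hand.
"""
from datetime import datetime, timedelta

# Constructed sample events (not a real DC export). Fields mimic Windows
# Security event 4624 as seen on a domain controller.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4624, "logon_type": 3,
     "account": "CORP\\fabio", "src_ip": "10.10.20.15"},   # wired logon
    {"time": "2024-05-01T08:00:01", "id": 4624, "logon_type": 3,
     "account": "CORP\\fabio", "src_ip": "10.10.20.15"},   # repeat of same binding
    {"time": "2024-05-01T08:00:02", "id": 4624, "logon_type": 3,
     "account": "CORP\\PC01$", "src_ip": "-"},              # machine account, no address
    {"time": "2024-05-01T08:05:00", "id": 4634, "logon_type": 3,
     "account": "CORP\\fabio", "src_ip": None},             # logoff: carries no address
    {"time": "2024-05-01T09:00:00", "id": 4624, "logon_type": 3,
     "account": "CORP\\ana", "src_ip": "10.10.20.31"},
    # 09:15 (assumed): fabio roams to wireless and gets 10.10.40.77. The WLAN
    # authenticates him over RADIUS; the DC records no new 4624 for that
    # address, so there is intentionally no event here for it.
]

# Assumed aging window for a binding; not an ISE-PIC setting.
STALE_AFTER = timedelta(hours=8)

# Source addresses a 4624 event carries when no network peer is involved.
NON_ROUTABLE = {"-", "::1", "127.0.0.1"}


def build_mappings(events, ignore_machine_accounts=True):
    """Return {ip: (account, last_seen)} from 4624 events with a usable address.

    Only logon events contribute; anything else (logoffs, events without a
    source address, machine accounts ending in '$') is skipped.
    """
    mappings = {}
    for ev in events:
        if ev["id"] != 4624:
            continue
        ip = ev.get("src_ip")
        if not ip or ip in NON_ROUTABLE:
            continue
        account = ev["account"]
        if ignore_machine_accounts and account.endswith("$"):
            continue
        mappings[ip] = (account, datetime.fromisoformat(ev["time"]))
    return mappings


def lookup(mappings, ip, now, stale_after=STALE_AFTER):
    """Identity bound to ip, or None if never learned or aged out."""
    entry = mappings.get(ip)
    if entry is None:
        return None
    account, seen = entry
    if now - seen > stale_after:
        return None
    return account


def roam_demo():
    """Query the table after the (assumed) wired-to-wireless roam."""
    mappings = build_mappings(SAMPLE_EVENTS)
    now = datetime.fromisoformat("2024-05-01T09:20:00")
    return {
        "wired": lookup(mappings, "10.10.20.15", now),     # still bound to fabio
        "wireless": lookup(mappings, "10.10.40.77", now),  # unknown: no logon event
    }


if __name__ == "__main__":
    print(roam_demo())
```

The result shows the gap Greg describes from the mapper's side: the old wired address stays bound to the user until it ages out, and the wireless address is simply unknown, because the only event source consulted is the DC logon log. Any fix has to feed the mapper a different event that does carry the new address, which is why Greg points to 802.1X with the full ISE.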
2 Replies

fabiofunaki
Level 1

Greg, thank you! 

It's just the information that I need. You helped me a lot.

On the Windows server, I can see the logs for both logon and RADIUS, but I was not sure whether the agent was checking the RADIUS ones.

I thought about using the SYSLOG provider, but as the switches do not have 802.1X implemented, I think I'll have the same issue when I roam from wireless to wired, as I don't have a log from the switch to indicate the change.