ISE 2.1 introduced a new feature called Easy Connect where Microsoft Active Directory (AD) logins are used to passively map user information onto existing network sessions initiated with MAC Authentication Bypass (MAB). This is similar to a Centralized Web Authentication (CWA) or CWA Chaining scenario where ISE combines an active MAB or 802.1X authentication session with the identity obtained from a Web Authentication. ISE leverages the identity and group memberships from the passive identity (PassiveID) to be used as conditions to assign policy.
The benefits of Easy Connect over 802.1X are:
- No 802.1X supplicant required for user authentication
- No Public Key Infrastructure (PKI) required for trusted credential transport
- Can be used as primary user identity or supplement another active identity such as MAB or 802.1X
802.1X vs Easy Connect Comparison
|Requires Microsoft Active Directory||No||Yes, with WMI access allowed from ISE|
ISE Local User Accounts
RADIUS server Proxy
Microsoft Active Directory
|Microsoft Active Directory|
|Machine Authentication Methods|
Certificates (EAP-TLS, etc.)
Windows Domain Credential
|User Authentication Methods|
Username + Password
One-Time Password (OTP) tokens
Certificates (EAP-TLS, etc.)
Protected Access Credential (PAC) such as EAP-FAST)
|Kerberos User login - not Machine|
|User Logoff Detection|
Note: Fast User Switching (FUS) not detected
No - not detected via WMI, but AD login from different user will overwrite Passive Identity for endpoint.
Note: Fast User Switching (FUS) not detected.
|Session Expiration||RADIUS Session-Timeout (configurable in ISE authorization policy results)||User Session age (configurable in ISE Active Directory settings)|
|Supported Operating Systems|
MacOS (with Login Option for Network Server)
|Agents||Native OS supplicant|
|None (Microsoft Windows OS)|
Wireless controllers not QA tested.
See the ISE Design Guides for best practice switchport configs
MAB or 802.1X (required for ISE to stitch RADIUS session with PassiveID info)
|Enforcement||VLANs, dACLs, SGTs||VLANs, dACLs, SGTs|
|Identity & Session published to pxGrid||Yes||Yes|
Depends on the Authentication Method's encryption requirements and round-trips.
Enable Easy Connect
To enable Easy Connect in ISE:
Step 1: Navigate to Administration > System > Deployment > (node) > General Settings
Step 2: Enable Passive Identity Service on PSN
Note: It is recommended to enable Easy Connect on two PSN nodes for high availability but no more than two.
Note: Dedicated PSNs are recommended for Easy Connect Passive Identity Mapping
Step 3: Navigate to Administration > PassiveID > AD Domain Controllers
Step 4: Select Add and provide the credentials to your Active Directory domain controllers for PassiveID. Alternatively, you may Import a list of AD controllers via a CSV file.
Step 5: You may customize your Passive Identity caching options under Active Directory General Settings.
The User Session Timer is reset when there is a 1) new AD login with the same username or 2) Kerberos ticket renewal
Easy Connect Authorization Policies
Here are a few examples of ISE authorization policies using the PassiveID attributes from Easy Connect :