ISE Easy Connect

 

ISE 2.1 introduced a new feature called Easy Connect, in which Microsoft Active Directory (AD) logins are used to passively map user information onto existing network sessions initiated with MAC Authentication Bypass (MAB). This is similar to a Centralized Web Authentication (CWA) or CWA Chaining scenario, where ISE combines an active MAB or 802.1X authentication session with the identity obtained from a Web Authentication. ISE uses the username and AD group memberships from the passive identity (PassiveID) as conditions in authorization policy. Because the identity is observed from the AD logon event rather than proven by the endpoint over RADIUS, it is only as trustworthy as the match between the logon event and the RADIUS session, so MAB-only ports should still receive a restrictive default authorization until a PassiveID mapping exists.

 

The benefits of Easy Connect over 802.1X are:

  • No 802.1X supplicant required for user authentication
  • No Public Key Infrastructure (PKI) required for trusted credential transport
  • Can be used as primary user identity or supplement another active identity such as MAB or 802.1X

Get Started

 

ISE 2.1 What's New: Easy Connect

How to Configure Easy Connect on ISE 2.1

802.1X vs Easy Connect Comparison

Each row lists the feature, then the 802.1X value and the Easy Connect value.

Requires Microsoft Active Directory
  802.1X: No
  Easy Connect: Yes, with WMI access allowed from ISE to the domain controllers

Identity Stores
  802.1X: ISE Local User Accounts; RADIUS server proxy; Microsoft Active Directory; LDAP; ODBC; Token server
  Easy Connect: Microsoft Active Directory

Machine Authentication Methods
  802.1X: Certificates (EAP-TLS, etc.); Windows Domain Credential
  Easy Connect: None

User Authentication Methods
  802.1X: Username + Password; One-Time Password (OTP) tokens; Certificates (EAP-TLS, etc.); Protected Access Credential (PAC), such as EAP-FAST
  Easy Connect: Kerberos user login only (no machine authentication)

User Logoff Detection
  802.1X: Yes. Note: Fast User Switching (FUS) is not detected.
  Easy Connect: No. Logoff is not detected via WMI, but an AD login from a different user overwrites the Passive Identity for the endpoint. Note: Fast User Switching (FUS) is not detected.

Session Expiration
  802.1X: RADIUS Session-Timeout (configurable in ISE authorization policy results)
  Easy Connect: User Session age (configurable in ISE Active Directory settings)

Supported Operating Systems
  802.1X: Windows; MacOS; Linux
  Easy Connect: Microsoft Windows; MacOS (with Login Option for Network Server)

Agents
  802.1X: Native OS supplicant; Cisco AnyConnect
  Easy Connect: None (Microsoft Windows OS)

Network Devices
  802.1X: Wired switches; Wireless controllers
  Easy Connect: Wired switches; Wireless controllers not QA tested

NAD Configuration
  802.1X: 802.1X. See the ISE Design Guides for best practice switchport configs.
  Easy Connect: MAB or 802.1X (an active RADIUS session is required for ISE to stitch the PassiveID info onto it)

Enforcement
  802.1X: VLANs, dACLs, SGTs
  Easy Connect: VLANs, dACLs, SGTs

Identity & Session published to pxGrid
  802.1X: Yes
  Easy Connect: Yes

Scale
  802.1X: Depends on the authentication method's encryption requirements and round-trips. See ISE Performance & Scale.
  Easy Connect: TBD

Enable Easy Connect

 

How to Configure Easy Connect on ISE 2.1

 

To enable Easy Connect in ISE:

Step 1: Navigate to Administration > System > Deployment > (node) > General Settings

Step 2: Enable Passive Identity Service on PSN

Note: It is recommended to enable the Passive Identity Service on two PSN nodes for high availability, but on no more than two.

Note: Dedicated PSNs are recommended for Easy Connect Passive Identity mapping.

 

Step 3: Navigate to Administration > PassiveID > AD Domain Controllers

Step 4: Select Add and provide the credentials to your Active Directory domain controllers for PassiveID. Alternatively, you may Import a list of AD controllers via a CSV file.

Step 5: You may customize your Passive Identity caching options under Active Directory General Settings. The User Session age controls how long a mapping is kept; the User Session Timer is reset when there is 1) a new AD login with the same username on the endpoint or 2) a Kerberos ticket renewal for that user.
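The following model ties together the behaviour described in the comparison table and in Steps 1-5 above: an AD logon is stitched onto an existing MAB or 802.1X session, a login by a different user overwrites the endpoint's passive identity, a same-user login or Kerberos renewal resets the session timer, and the mapping ages out after the configured User Session age. It is an added illustration written for this page, not ISE code. It assumes that ISE correlates the AD event with the RADIUS session by endpoint IP address, that a Kerberos renewal for a user who is not the endpoint's current passive identity is ignored, and that the authorization profile names and the "Employees" group are placeholders for whatever your policy uses.

```python
"""Illustrative model of Easy Connect session stitching (not ISE code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PassiveIdentity:
    """Identity learned from an AD logon event for one endpoint."""
    username: str
    groups: List[str]
    last_seen: float  # time of the last login or Kerberos renewal; drives session age


@dataclass
class RadiusSession:
    """An active MAB or 802.1X session; Easy Connect only stitches onto one of these."""
    mac: str
    ip: str
    auth_method: str  # "MAB" or "802.1X"
    passive: Optional[PassiveIdentity] = None


class EasyConnectModel:
    def __init__(self, user_session_age_sec: float):
        # Mirrors the "User Session age" setting under AD General Settings.
        self.user_session_age = user_session_age_sec
        self.sessions: Dict[str, RadiusSession] = {}  # keyed by endpoint IP (assumption)

    def radius_session(self, mac: str, ip: str, auth_method: str) -> RadiusSession:
        session = RadiusSession(mac, ip, auth_method)
        self.sessions[ip] = session
        return session

    def ad_event(self, kind: str, username: str, ip: str,
                 groups: List[str], now: float) -> Optional[PassiveIdentity]:
        """Apply a 'login' or 'kerberos_renewal' event seen from a domain controller."""
        session = self.sessions.get(ip)
        if session is None:
            return None  # no RADIUS session to stitch onto: the identity is dropped
        current = session.passive
        if kind == "login":
            if current is not None and current.username == username:
                current.last_seen = now  # same user again: timer reset only
            else:
                # first mapping, or a different user logging in: overwrite
                session.passive = PassiveIdentity(username, list(groups), now)
        elif kind == "kerberos_renewal":
            if current is not None and current.username == username:
                current.last_seen = now  # renewal for the mapped user resets the timer
            # renewal for any other user is ignored (assumption)
        else:
            raise ValueError(f"unknown AD event kind: {kind}")
        return session.passive

    def expire(self, now: float) -> None:
        """Drop mappings older than the User Session age."""
        for session in self.sessions.values():
            p = session.passive
            if p is not None and now - p.last_seen > self.user_session_age:
                session.passive = None

    def authorize(self, ip: str, now: float) -> str:
        """Placeholder authorization policy keyed on PassiveID group membership."""
        self.expire(now)
        session = self.sessions.get(ip)
        if session is None:
            return "NO_SESSION"
        if session.passive is None:
            return "MAB_RESTRICTED"  # default for an unmapped MAB session
        if "Employees" in session.passive.groups:
            return "EMPLOYEE_FULL"
        return "KNOWN_USER_LIMITED"


def demo_scenario() -> List[str]:
    """Constructed timeline (seconds) for one endpoint; returns the policy results."""
    m = EasyConnectModel(user_session_age_sec=3600)
    trace: List[str] = []
    m.radius_session("aa:bb:cc:dd:ee:ff", "10.1.1.50", "MAB")
    trace.append(m.authorize("10.1.1.50", now=0))              # unmapped MAB session
    m.ad_event("login", "alice", "10.1.1.50", ["Employees"], now=10)
    trace.append(m.authorize("10.1.1.50", now=10))             # stitched: employee
    m.ad_event("kerberos_renewal", "alice", "10.1.1.50", [], now=3000)
    trace.append(m.authorize("10.1.1.50", now=6600))           # 3600s since renewal: kept
    trace.append(m.authorize("10.1.1.50", now=6601))           # aged out
    m.ad_event("login", "alice", "10.1.1.50", ["Employees"], now=7000)
    m.ad_event("login", "bob", "10.1.1.50", ["Contractors"], now=7100)
    trace.append(m.authorize("10.1.1.50", now=7100))           # bob overwrote alice
    trace.append(m.authorize("10.9.9.9", now=7200))            # no RADIUS session there
    return trace


if __name__ == "__main__":
    print(demo_scenario())
```

The last two steps of the timeline are the ones worth keeping in mind when writing policy: a logon from a second user on the same endpoint silently replaces the first mapping, and an AD logon from an address with no MAB or 802.1X session is simply discarded, so the RADIUS session is the anchor that makes the passive identity usable at all.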

Easy Connect Authorization Policies

 

Here are a few examples of ISE authorization policies using the PassiveID attributes from Easy Connect:

Resources