02-28-2018 01:52 PM - edited 02-21-2020 10:46 AM
Hi,
I have a customer running WIRELESS dot1x with ISE 2.2p6 with WSA integration. On the WIRED side, they use CDA+WSA.
Trying to see if we can use the PIC feature set on a fully functional ISE deployment (not ISE PIC) without deploying wired dot1x. This way we can use WMI to authenticate wired users passively and use Pxgrid to pass the info to WSA.
Where is a guide on this?
Solved! Go to Solution.
03-01-2018 07:08 AM
I imagine you are assigning a SGT to wireless users and then sharing that information with WSA over pxGrid because that is the only pxGrid topic the WSA pxGrid client currently looks for. Unfortunately, the only option to get the same result on the wired side is to deploy wired 802.1X an assign a SGT. This is because ISE and ISE-PIC (both use the same PassiveID features) currently do not have the CDA RADIUS interface that the WSA needs to get the user to IP mapping for identity.
Regards,
-Tim
03-01-2018 07:08 AM
I imagine you are assigning a SGT to wireless users and then sharing that information with WSA over pxGrid because that is the only pxGrid topic the WSA pxGrid client currently looks for. Unfortunately, the only option to get the same result on the wired side is to deploy wired 802.1X an assign a SGT. This is because ISE and ISE-PIC (both use the same PassiveID features) currently do not have the CDA RADIUS interface that the WSA needs to get the user to IP mapping for identity.
Regards,
-Tim
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide