3. ISE 2.3: Passive Identity (Easy Connect)

  • Published: 1 Feb 2025

Comments • 25

  • @rcamacho100
    @rcamacho100 5 years ago

    Really good tutorial, clear and simple.

  • @SaregamapavanN
    @SaregamapavanN 3 years ago

    Nice config and guidance on passive ID, thank you

  • @nareshnikhade127
    @nareshnikhade127 4 years ago +1

    Nice

  • @DineshGaikwad
    @DineshGaikwad 5 years ago +1

    This is a very nice video. Thank you!
    Could you direct me to any documentation to configure the VMs and push policies from ISE the way you did?

    • @jasonmaynard8773
      @jasonmaynard8773  5 years ago +1

      Thanks Dinesh! I do not have documentation that calls this out. On the ESXi side I have NICs tied to the VMs to test this - you can also leverage multi-host. I show this around 16:53 - I connect to the switch and show the outcome.

  • @zhimwar1367
    @zhimwar1367 6 years ago

    Hi Jason, really appreciate your demo, it is very helpful. Just one question: if I send a CoA reauth to an active EzConnect user, does this user need to re-login to the OS to regain network access?

    • @jasonmaynard8773
      @jasonmaynard8773  6 years ago

      When sending a CoA, this will cause a new MAB to be re-initiated for the endpoint, which will be authorized automatically as before. So if a permit ip any any is applied by default then the access will not change.
      Then, EzConnect will map out the AD group of the user again, which will re-authorize and apply the new ACL. So bottom line, the user will not have to re-login; ISE will just re-use the same domain logon information to map it.
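The session flow described in this reply (initial MAB with a default ACL, a passive-identity logon binding that re-authorizes with a group ACL, then a CoA reauth that re-runs MAB and re-uses the existing logon mapping without a new login) as a simplified model. This is an added example, not ISE code; the AD groups, ACL names, MAC/IP values and the `$`-suffix machine-account check are constructed for illustration.

```python
"""Simplified model of the Easy Connect (passive identity) authorization flow.
Constructed example; it is not ISE's implementation."""
from dataclasses import dataclass, field

DEFAULT_ACL = "permit ip any any"   # applied on the initial MAB authorization
# Hypothetical AD group -> dACL mapping and a constructed directory
GROUP_ACLS = {"Engineering": "ACL-ENG", "Finance": "ACL-FIN"}
AD_GROUPS = {"CORP\\alice": "Engineering", "CORP\\bob": "Finance"}


@dataclass
class Session:
    mac: str
    ip: str
    user: str = ""
    acl: str = DEFAULT_ACL
    history: list = field(default_factory=list)


class PassiveIdentity:
    """Tracks user -> IP bindings learned from AD logon events (e.g. via WMI)."""

    def __init__(self):
        self.bindings = {}   # ip -> domain user
        self.sessions = {}   # mac -> Session

    def mab(self, mac, ip):
        """MAB authorizes by MAC; identity is whatever binding is already known."""
        s = self.sessions.setdefault(mac, Session(mac, ip))
        s.acl = DEFAULT_ACL
        s.history.append("MAB")
        self._apply_identity(s)
        return s

    def login_event(self, user, ip):
        """A domain logon seen on AD. Machine accounts (name ends with '$')
        are ignored: Easy Connect maps user authentication only."""
        if user.endswith("$"):
            return None
        self.bindings[ip] = user
        for s in self.sessions.values():
            if s.ip == ip:
                self._apply_identity(s)
        return user

    def _apply_identity(self, s):
        user = self.bindings.get(s.ip)
        if user in AD_GROUPS:
            s.user = user
            s.acl = GROUP_ACLS[AD_GROUPS[user]]
            s.history.append(f"AUTHZ {s.acl}")

    def coa_reauth(self, mac):
        """CoA reauth re-runs MAB; the cached logon binding is reused, no new login."""
        s = self.sessions[mac]
        s.history.append("CoA")
        return self.mab(mac, s.ip)
```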

  • @Mat-mn7hf
    @Mat-mn7hf 7 years ago

    Hi Jason! Thanks for making demos of ISE. Is it a best practice to deploy dot1x and passive identity at the same time?

    • @jasonmaynard8773
      @jasonmaynard8773  7 years ago

      Depends on the goals and level of authentication required, as opposed to a best practice. EasyConnect provides port-based authentication similar to 802.1X, but easier to implement. It is really about the use case. I find many considering Easy Connect are doing so for the simple fact that they do not want to touch the endpoint and deal with supplicants.

  • @stephannysantiago6732
    @stephannysantiago6732 7 years ago

    This means with Easy Connect any machine can connect to the network as long as you authenticate with a domain user? If yes, BYOD is not supported, right?
    Are you able to see device status, as connected/disconnected, or only the logs when they logged in?

    • @jasonmaynard8773
      @jasonmaynard8773  7 years ago

      Missed this one. Have a look at the following for additional details. www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200559-Configure-EasyConnect-on-ISE-2-1.html#anc2
      EasyConnect cannot be used with BYOD use case.
      Check the link above for more details but you can see the session status :)

  • @TheJaciro
    @TheJaciro 6 years ago

    Hello Jason,
    Right now I am configuring an FTD with ISE to replace the user agent to authenticate the users of my network, but it is not working.
    To authenticate my users via ISE, is it needed to configure the passive ID?
    Thanks bro

    • @jasonmaynard8773
      @jasonmaynard8773  6 years ago +1

      Hi ShadowPanter D - Have a look at the following www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/control_users_with_ise_ise_pic.pdf
      Let us know if this helps. If you still have issues please reach out to TAC and update the thread for others.
      If I have time I will try and add this video. (on the list ;) )

    • @TheJaciro
      @TheJaciro 6 years ago

      @@jasonmaynard8773 OMG, three different engineers of Cisco TAC told me we need to use the Passive ID.
      Thanks for this information Jason, but now I need to see how to implement the ISE PIC for passive authentication for Firepower jajaja THANKS BRO YOU ARE AWESOME!

    • @jasonmaynard8773
      @jasonmaynard8773  6 years ago

      Cheers ShadowPanter D! I will see about creating this lab and get it posted but may not get to it for a bit. Your best bet is to follow the guide www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/control_users_with_ise_ise_pic.pdf
      Also, if you proceed and it is working please update the thread to let us know. If I do the video I will come back to post it here as well.

  • @kool1311
    @kool1311 6 years ago

    Can I use passive ID for machine authentication, such as a domain computer?

    • @jasonmaynard8773
      @jasonmaynard8773  6 years ago

      When using Easy Connect only user authentication is supported. Details found here: www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#concept_CDD87F6FE3A54351B27FF35316A23DA3
      Additional Insight into Passive Identity - www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_00.html

  • @MARIO-fo9yy
    @MARIO-fo9yy 7 years ago

    Hi Jason! What does AD need to config? Because when I configure with WMI, it gives an access denied error. Thank you!

    • @jasonmaynard8773
      @jasonmaynard8773  7 years ago

      Have a look at the following documents - www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_011.html

  • @michaeliredale4545
    @michaeliredale4545 5 years ago

    "We'll save that oot"

  • @jasonmaynard8773
    @jasonmaynard8773 6 years ago

    I accidentally deleted a question from ostinlt12 - Question: One of the main challenges in large environments is getting the AD folks to buy into giving domain admin credentials to ISE for WMI. Can WMI be done with a service account without domain admin permissions?
    Answer: you can leverage a restrictive service account - check out the following - www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html?bookSearch=true#reference_8DC463597A644A5C9CF5D582B77BB24F
    Sorry ostinly12 for deleting your question :/