3. ISE 2.3: Passive Identity (Easy Connect)

18,230 views

Jason Maynard

A day ago

Easy Connect enables you to easily connect users from a wired endpoint to a network in a secure manner and monitor those users by authenticating them through an Active Directory Domain Controller and not by Cisco ISE. With Easy Connect, ISE collects user authentication information from the Active Directory Domain Controller. Because Easy Connect connects to a Windows system (Active Directory) using the MS WMI interface and queries logs from the Windows event messaging, it currently only supports Windows-installed endpoints. Easy Connect supports wired connections using MAB, which is much easier to configure than 802.1X. Unlike 802.1X, with Easy Connect and MAB:
- You don't need to configure supplicants
- You don't need to configure PKI
- ISE issues a CoA after the external server (AD) authenticates the user
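An added illustration of the flow the description outlines (a MAB session first receives a default authorization, a user logon collected from the domain controller is correlated to that session by IP address, and ISE then issues a CoA to re-authorize the session by AD group, which is also the behaviour the reply about CoA reauth in the comments describes). This is example code written for this page, not ISE's or Cisco's implementation: the `EasyConnect` class, its group-to-ACL mapping, the logon-before-session handling and the sample input are all constructed assumptions, and it reflects the comment that Easy Connect supports user authentication only by ignoring computer-account logons.

```python
from dataclasses import dataclass
from typing import Callable, Optional
# Constructed AD-group -> downloadable ACL mapping for this example.
GROUP_ACL = {"Engineering": "ENG-DACL", "Finance": "FIN-DACL"}
DEFAULT_ACL = "PERMIT-ANY"  # what MAB applies before the user is known
@dataclass
class Session:
    mac: str
    ip: str
    user: Optional[str] = None
    acl: str = DEFAULT_ACL
    coa_count: int = 0  # CoAs ISE has sent for this session

class EasyConnect:
    """Toy model of the Easy Connect flow (illustrative, not ISE's code)."""
    def __init__(self, group_lookup: Callable[[str], list]):
        self.lookup = group_lookup  # user -> AD groups (assumed AD query)
        self.sessions = {}          # ip -> Session created by MAB
        self.pending = {}           # ip -> logon seen before MAB finished

    def mab(self, mac: str, ip: str) -> Session:
        """Wired MAB: no supplicant, no PKI; starts with the default ACL."""
        s = self.sessions[ip] = Session(mac, ip)
        if ip in self.pending:      # logon event arrived before the session
            self._bind(s, self.pending.pop(ip))
        return s

    def ad_logon(self, user: str, ip: str) -> Optional[Session]:
        """Logon collected from the DC over WMI; computer accounts ignored."""
        if user.endswith("$"):      # user authentication only
            return None
        s = self.sessions.get(ip)
        if s is None:
            self.pending[ip] = user
            return None
        return self._bind(s, user)

    def _bind(self, s: Session, user: str) -> Session:
        """Map user -> AD groups -> ACL, then CoA to re-authorize."""
        s.user = user
        groups = self.lookup(user)
        s.acl = next((GROUP_ACL[g] for g in groups if g in GROUP_ACL), DEFAULT_ACL)
        s.coa_count += 1
        return s

    def coa_reauth(self, ip: str) -> Session:
        """Admin CoA reauth: MAB runs again, then the known logon is re-mapped."""
        old = self.sessions[ip]
        s = self.mab(old.mac, ip)
        return self._bind(s, old.user) if old.user else s
```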

Comments: 25
@rcamacho100 5 years ago
Really good tutorial, clear and simple.
@jasonmaynard8773 5 years ago
Thanks for the feedback!
@SaregamapavanN 3 years ago
Nice config and guidance on passive ID, thank you
@jasonmaynard8773 3 years ago
Glad to help!
@zhimwar1367 6 years ago
Hi Jason, really appreciate your demo, it is very helpful. Just one question: if I send a CoA reauth to an active EzConnect user, does this user need to re-login to the OS to regain network access?
@jasonmaynard8773 6 years ago
When sending a CoA, this will cause a new MAB to be re-initiated for the endpoint, which will be authorized automatically as before. So if a permit ip any any is applied by default then the access will not change. Then, EzConnect will map out the AD group of the user again, which will re-authorize and apply the new ACL. So, bottom line, the user will not have to re-login; ISE will just re-use the same domain logon information to map it.
@Mat-mn7hf 7 years ago
Hi Jason! Thanks for making demos of ISE. Is it a best practice to deploy dot1x and passive identity at the same time?
@jasonmaynard8773 7 years ago
Depends on the goals and level of authentication required, as opposed to a best practice. EasyConnect provides port-based authentication similar to 802.1X, but easier to implement. It is really about the use case. I find many considering Easy Connect are doing so for the simple fact that they do not want to touch the endpoint and deal with supplicants.
@DineshGaikwad 5 years ago
This is a very nice video. Thank you! Could you direct me to any documentation to configure the VMs and push policies from ISE the way you did?
@jasonmaynard8773 5 years ago
Thanks Dinesh! I do not have documentation that calls this out. On the ESXi side I have NICs tied to the VMs to test this - you can also leverage multi-host. I show this around 16:53 - I connect to the switch and show the outcome.
@nareshnikhade127 4 years ago
Nice
@jasonmaynard8773 4 years ago
Thanks
@MARIO-fo9yy 6 years ago
Hi Jason! What does AD need to configure? Because when I configure WMI, it gives an access denied error. Thank you!
@jasonmaynard8773 6 years ago
Have a look at the following documents - www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_011.html
@stephannysantiago6732 6 years ago
This means that with Easy Connect any machine can connect to the network as long as you authenticate with a domain user? If yes, BYOD is not supported, right? Are you able to see device status, as connected/disconnected, or only the logs when they logged in?
@jasonmaynard8773 6 years ago
Missed this one. Have a look at the following for additional details. www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200559-Configure-EasyConnect-on-ISE-2-1.html#anc2 EasyConnect cannot be used with BYOD use case. Check the link above for more details but you can see the session status :)
@kool1311 6 years ago
Can I use passive ID for machine authentication, such as Domain Computers?
@jasonmaynard8773 6 years ago
When using Easy Connect only user authentication is supported. Details found here: www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#concept_CDD87F6FE3A54351B27FF35316A23DA3 Additional Insight into Passive Identity - www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_00.html
@TheJaciro 5 years ago
Hello Jason, right now I am configuring an FTD with ISE to replace the user agent to authenticate the users of my network, but it is not working. To authenticate my users via ISE, is it necessary to configure passive ID? Thanks bro
@jasonmaynard8773 5 years ago
Hi ShadowPanter D - Have a look at the following www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/control_users_with_ise_ise_pic.pdf Let us know if this helps. If you still have issues please reach out to TAC and update the thread for others. If I have time I will try and add this video. (on the list ;) )
@TheJaciro 5 years ago
@@jasonmaynard8773 OMG, three different engineers of Cisco TAC told me we need to use the Passive ID. Thanks for this information Jason, but now I need to see how to implement the ISE PIC for passive authentication for Firepower jajaja THANKS BRO YOU ARE AWESOME!
@jasonmaynard8773 5 years ago
Cheers ShadowPanter D! I will see about creating this lab and get it posted but may not get to it for a bit. Your best bet is to follow the guide www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/control_users_with_ise_ise_pic.pdf Also, if you proceed and it is working please update the thread to let us know. If I do the video I will come back to post it here as well.
@michaeliredale4545 4 years ago
"We'll save that oot"
@jasonmaynard8773 4 years ago
:)
@jasonmaynard8773 6 years ago
I accidentally deleted a question from ostinlt12 - Question: One of the main challenges in a large environment is getting the AD folks to buy into giving domain admin credentials to ISE for WMI. Can WMI be done with a service account without domain admin permissions? Answer: you can leverage a restrictive service account - check out the following - www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html?bookSearch=true#reference_8DC463597A644A5C9CF5D582B77BB24F Sorry ostinly12 for deleting your question :/