Easy Connect lets you connect users from a wired endpoint to the network securely, and monitor those users, by authenticating them through an Active Directory Domain Controller rather than through Cisco ISE. With Easy Connect, ISE collects the user authentication information from the Active Directory Domain Controller. Because Easy Connect connects to the Windows system (Active Directory) over the Microsoft WMI interface and reads logon events from the Windows event log, it currently supports only Windows endpoints. Easy Connect supports wired connections using MAB, which is much easier to configure than 802.1X. Unlike 802.1X, with Easy Connect and MAB:
You don't need to configure supplicants
You don't need to configure PKI
ISE issues a CoA after the external server (AD) authenticates the user
Easy Connect supports these modes of operation:
Enforcement-mode—ISE actively downloads the authorization policy to the network device for enforcement, based on the user credentials learned from AD.
Visibility-mode—ISE publishes the session-merge and accounting information received from the NAD device sensor to pxGrid; no authorization is enforced.
In both modes, users authenticated with Active Directory (AD) are shown in the Cisco ISE Live Sessions view, and can be queried from the session directory by third-party applications using the Cisco pxGrid interface. The known information is the user name, IP address, the AD DC host name and the AD DC NetBIOS name. For more information about pxGrid, see pxGrid Node.
Once you have set up Easy Connect, you can then filter certain users, based on their name or IP address. For example, if you have an administrator from IT services who logs in to an endpoint in order to assist the regular user with that endpoint, you can filter out the administrator activity so it does not appear in Live Sessions, but rather only the regular user of that endpoint will appear. To filter passive identity services, see Filter Passive Identity Services.
Easy Connect Restrictions
Easy Connect works with MAC Authentication Bypass (MAB). Both MAB and 802.1X can be configured on the same port, but you must have a different ISE policy for each service.
Only MAB connections are currently supported. You do not need a unique authentication policy for connections, because the connection is authorized and permissions are granted by an Easy Connect condition defined in the authorization policy.
Easy Connect is supported in High Availability mode. Multiple nodes can be defined and enabled with a Passive ID. ISE then automatically activates one PSN, while the other nodes remain
Network Access Devices (NADs) are supported.
IPv6 is not
Wireless connections are not currently supported.
Only Kerberos authentication events are tracked; Easy Connect therefore supports user authentication only, not machine authentication.
Easy Connect requires configuration in ISE, and the Active Directory domain controller must also have the correct patches and configuration, following the instructions and guidelines issued by Microsoft. For information about configuring the Active Directory domain controller for ISE, see Active Directory Requirements to Support Easy Connect and Passive Identity services.
Easy Connect Enforcement Mode
Easy Connect enables users to log on to a secure network from a wired endpoint (usually a PC) running a Windows operating system, using MAC Authentication Bypass (MAB) on the port and Active Directory (AD) for authentication. ISE Easy Connect listens for Windows Management Instrumentation (WMI) events from the Active Directory server carrying information about authenticated users. Once AD authenticates a user, the Domain Controller generates an event log entry that includes the user name and the IP address allocated to the user. ISE receives notification of the logon from AD, and then issues a RADIUS Change of Authorization
For a MAB request whose RADIUS Service-Type is Call-Check, ISE does not perform a MAC address lookup, so the request is answered with an Access-Accept. This is the default ISE configuration.
Easy Connect Enforcement Mode Process
The Easy Connect Enforcement mode process is
Figure 7. Easy Connect Enforcement Mode Basic Flow
The user connects to the NAD from a wired endpoint (such as a PC).
The NAD (which is configured for MAB) sends an access request to ISE. ISE responds with an Access-Accept and the initial authorization you configured, allowing the endpoint to reach AD. That initial configuration must allow at least access to DNS, DHCP and AD.
The user logs in to the domain, and the resulting security audit event is sent to ISE.
ISE collects the MAC address from RADIUS, and the IP address and domain name, as well as accounting information (login information) about the user, from the security audit event.
Once all data is collected and merged in the ISE session directory, ISE issues a CoA to the NAD (based on the appropriate policy managed in the policy service node (PSN)), and the NAD grants the user network access according to that policy.
Figure 8. Easy Connect Enforcement Mode Detailed Flow
For more information about configuring Enforcement mode, see Configure Easy Connect Enforcement-Mode.
Easy Connect Visibility Mode
In Visibility mode, ISE only monitors accounting information from RADIUS (part of the device sensor feature in the NAD) and does not perform authorization. Easy Connect listens for RADIUS Accounting and WMI events, and publishes that information to logs and reports (and optionally to pxGrid). When pxGrid is set up, both the RADIUS accounting start and the session termination are published to pxGrid for each user login through Active Directory.
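The enforcement-mode steps and the visibility-mode behaviour described in this section can be traced in one small simulation of the ISE session directory. The following Python is an added example written for this page; it is not Cisco ISE code and does not show ISE's internal data model. The `Session`, `AuditEvent`, `SessionDirectory` and `run` names, the field names, the CoA and pxGrid message shapes, the dACL names in `AUTHZ_POLICY`, the "$" suffix used to recognise machine accounts, and all sample RADIUS accounting records and DC audit events are constructed for the illustration. The code merges MAB sessions with Kerberos logon events by endpoint IP, ignores machine-account and non-Kerberos events and a filtered admin identity, and then either queues a CoA carrying the policy result (enforcement) or publishes accounting start, session merge and session termination messages (visibility).

```python
"""Simulated Easy Connect session directory (added example, not Cisco ISE code).

Assumptions made for the illustration: the record fields, the CoA and pxGrid
message shapes, the dACL names in AUTHZ_POLICY and all sample data below."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """One RADIUS (MAB) session as seen by ISE."""
    session_id: str
    mac: str                       # from the RADIUS request
    nas_ip: str
    ip: Optional[str] = None       # from RADIUS accounting / device sensor
    user: Optional[str] = None     # this and the two fields below come from the AD event
    dc_host: Optional[str] = None
    dc_netbios: Optional[str] = None


@dataclass
class AuditEvent:
    """Security-audit logon event as ISE learns it from the DC over WMI."""
    user: str
    ip: str
    dc_host: str
    dc_netbios: str
    kerberos: bool = True          # Easy Connect tracks Kerberos events only


# Assumed authorization policy keyed by AD user name; others get the default.
AUTHZ_POLICY = {"alice": "Employee_dACL", "bob": "Finance_dACL"}
DEFAULT_DACL = "Restricted_dACL"


class SessionDirectory:
    def __init__(self, mode, filter_users=(), filter_ips=()):
        if mode not in ("enforcement", "visibility"):
            raise ValueError(mode)
        self.mode = mode
        self.filter_users = {u.lower() for u in filter_users}
        self.filter_ips = set(filter_ips)
        self.sessions = {}         # session_id -> Session
        self.coa = []              # CoA requests to NADs (enforcement mode)
        self.pxgrid = []           # messages published to pxGrid (visibility mode)

    def accounting(self, kind, session_id, mac, nas_ip, ip=None):
        """RADIUS Accounting Start/Stop received from the NAD."""
        if kind == "start":
            self.sessions[session_id] = Session(session_id, mac, nas_ip, ip)
            if self.mode == "visibility":
                self.pxgrid.append({"type": "accounting_start",
                                    "session_id": session_id, "mac": mac, "ip": ip})
        elif kind == "stop":
            s = self.sessions.pop(session_id, None)
            if s is not None and self.mode == "visibility":
                self.pxgrid.append({"type": "session_terminated",
                                    "session_id": session_id, "user": s.user})
        else:
            raise ValueError(kind)

    def audit_event(self, ev):
        """Logon event from the domain controller; returns the merged session or None."""
        # Machine authentication is not supported; assumed convention: AD computer
        # accounts end in "$".
        if not ev.kerberos or ev.user.endswith("$"):
            return None
        # Identity filter, e.g. an IT admin helping the regular user of the PC.
        if ev.user.lower() in self.filter_users or ev.ip in self.filter_ips:
            return None
        s = next((s for s in self.sessions.values() if s.ip == ev.ip), None)
        if s is None:
            return None            # no RADIUS session knows this IP yet
        s.user, s.dc_host, s.dc_netbios = ev.user, ev.dc_host, ev.dc_netbios
        if self.mode == "enforcement":
            # Merged data -> CoA to the NAD carrying the policy result.
            self.coa.append({"nas_ip": s.nas_ip, "session_id": s.session_id,
                             "mac": s.mac,
                             "dacl": AUTHZ_POLICY.get(ev.user.lower(), DEFAULT_DACL)})
        else:
            self.pxgrid.append({"type": "session_merge", "user": ev.user, "ip": ev.ip,
                                "mac": s.mac, "dc_host": ev.dc_host,
                                "dc_netbios": ev.dc_netbios})
        return s


# Constructed sample data (not captured from a real DC or NAD).
SAMPLE_EVENTS = [
    AuditEvent("alice", "10.1.1.20", "dc1.corp.example", "DC1"),
    AuditEvent("PC-20$", "10.1.1.20", "dc1.corp.example", "DC1"),       # machine: ignored
    AuditEvent("itadmin", "10.1.1.20", "dc1.corp.example", "DC1"),      # filtered out
    AuditEvent("carol", "10.1.1.99", "dc1.corp.example", "DC1"),        # no session
    AuditEvent("bob", "10.1.1.21", "dc1.corp.example", "DC1", kerberos=False),  # not Kerberos
]


def run(mode):
    """Replay two MAB sessions and the sample DC events in the given mode."""
    d = SessionDirectory(mode, filter_users=["itadmin"])
    d.accounting("start", "s1", "00:11:22:33:44:55", "10.0.0.1", ip="10.1.1.20")
    d.accounting("start", "s2", "00:11:22:33:44:66", "10.0.0.1", ip="10.1.1.21")
    for ev in SAMPLE_EVENTS:
        d.audit_event(ev)
    d.accounting("stop", "s2", "00:11:22:33:44:66", "10.0.0.1")
    return d


if __name__ == "__main__":
    for c in run("enforcement").coa:
        print("CoA    ->", c)
    for m in run("visibility").pxgrid:
        print("pxGrid ->", m)
```

Running the script in enforcement mode produces a single CoA, for alice's session on the NAD at 10.0.0.1: the machine account, the filtered admin, the user with no RADIUS session and the non-Kerberos logon are all dropped before the merge. In visibility mode the same input produces no CoA at all, only the accounting start, session merge and session termination messages that would be published to pxGrid.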
Figure 9. Easy Connect Visibility Mode Flow
For more information about configuring Easy Connect Visibility mode, see Configure Easy Connect Visibility-Mode.