An overview of Cisco ISE-PIC

The Cisco ISE Passive Identity Connector (Cisco ISE-PIC) is software designed to gather authentication data (user-to-IP mappings) from numerous sources (Active Directory, syslog, SPAN, …) and distribute it to its subscribers.

It offers a subset of the functionality of Cisco ISE: ISE-PIC does not authenticate users directly, as is done with 802.1X or web authentication, but only supports the passive ID functionality contained in the Identity Services Engine.

In the past, the only method to perform user-to-IP mapping was the “Cisco Firepower User Agent for Active Directory”, but recently Cisco announced that Firepower Management Center version 6.6 is the last version with which you can enable the user agent. So, from FMC version 6.7, the only method to map users to IP addresses is Cisco ISE-PIC or Cisco ISE.

The flow for ISE-PIC is as follows:

  1. Provider performs the authentication of the user or endpoint.
  2. Provider sends authenticated user information to ISE-PIC.
  3. ISE-PIC maps user information to IP addresses and publishes mapped details to pxGrid.
  4. pxGrid subscribers (like FMC) receive the mapped user details.

The Cisco ISE-PIC GUI has nine menus:

Home: Dashboard with the main info: subscribers, providers, sessions, agents, …

Live sessions: Users connected to the network: date, username, IP address, …

Providers: Configure/manage the providers (for instance Active Directory).

Subscribers: Devices subscribed to Cisco ISE-PIC.

Note: Cisco ISE-PIC accepts only Cisco subscribers, while Cisco ISE accepts multivendor subscribers.

Certificates: Manage the certificates and the CA. Cisco ISE-PIC uses certificates for internode communication (each node presents its certificate to the other node in order to communicate), and for communicating with pxGrid (ISE-PIC and pxGrid present certificates to each other). Certificates identify a Cisco ISE node to pxGrid and secure the communication between pxGrid and the Cisco ISE node.

Note: ISE-PIC can act as an external CA for pxGrid, digitally signing pxGrid certificates for the pxGrid subscribers.

Troubleshoot: As the name says, for troubleshooting.

Reports: Generate and schedule reports.

Administration: Configure ISE-PIC, logging, license, admin access, patching and so on.

Settings: Configure NTP, Alarm, SMTP and other settings.

Note: The installation of ISE-PIC enables you to upgrade to ISE quickly and efficiently. When upgrading from ISE-PIC to the base license for ISE, ISE continues to offer all features that were available to you in ISE-PIC prior to the upgrade, and you will not need to reconfigure any settings that you had already configured if you use the upgraded ISE-PIC node as your Primary Administration Node (PAN).
