SEC0148 - ASA CX Passive Authentication with ISE (Part 1)

The video provides a method to enhance the reliability of Cisco ASA CX Passive Authentication by integrating Cisco ISE with CDA. You will see how the caveats inherent to CDA can be solved by using real-time user and IP information provided by an 802.1x identity-based authentication network. We will analyze the RADIUS packets exchanged between Cisco ISE and CDA to understand the underlying mechanism. Testing will be performed on both domain and non-domain devices that have been onboarded through ISE, over both wired and wireless connections.
Part 1 of this video goes over the integration of Cisco ISE and CDA:
  • CX Passive Authentication
  • CDA Syslog Client
  • ISE Log Target and Categories
  • 802.1x Wired/Wireless Authentication and RADIUS Accounting
  • Windows 7 Domain and Non-Domain Computer, and iPhone
  • Wireshark Packet Analysis
  • Roaming Users

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new technologies.


The video on CX/ISE/CDA is very informative. However, does that mean Sponsored Guest will not work, as according to the video, authentication is via ISE to AD, and a Sponsored Guest account doesn't require an AD Store?

If Sponsored Guest or Self-registration is possible, does that mean that cxsc auth-proxy has to be disabled or removed so that the CX doesn't intercept or interrupt the web redirect destined for ISE?

As SXP is supported in ASA CX, I wonder if this would be a better way to integrate with ISE for Sponsored Guests.

Since sponsored guest users are local to ISE, even if you can get CDA to pick up user-IP mapping from ISE syslog, how would you structure your access policies on CX to allow user access, since you have no AD user info to reference?

CX auth-proxy should not have anything to do with the ISE guest portal, as they are two separate processes. Users would first be redirected to the ISE portal by the redirect URL on the switch or WLC, and once authenticated, only when user traffic passes through CX will they encounter CX auth-proxy.

We are not aware of TrustSec being supported on CX, but if it is, you can assign an SGT to your guest users and allow access on CX based on those SGTs.

Thanks very much for the response. Once the Guest is authenticated by ISE and traffic is permitted to the Internet, shouldn't a Modular Policy Framework policy on the ASA not be enough to redirect the Internet bound traffic to the CX module without having CX auth-proxy enabled?

I would expect that since it's Guest, one should not bother with CX auth-proxy for authentication, except the CX is used for both Guest and Corporate filtering.

Redirecting traffic to CX and CX auth-proxy are two separate processes. In fact, traffic needs to be sent to CX before CX can intercept and enforce auth-proxy. 

You are right that using auth-proxy for guests is uncommon. Usually you would use passive/active auth to identify employees, and anyone else can be assumed to be a guest.