topic Re: ISE PassiveID and WMI pulling in Network Access Control

ISE PassiveID and WMI pulling

vfranjic — Wed, 18 Sep 2019 16:17:11 GMT

Hi team,

we have project for both StealthWatch and ISE. Plan is to configure ISE 2.4 patch 9 to pull events through WMI from Windows Server 2016 to ISE and share it with Stealthwatch. We have problems with ISE collecting events from AD. We used Domain admin account and event went through manual configuration of WMI on DC providing all needed rights and created registry keys. There is no L3/L4 obsticle.

1. Connection to DC is green in PassiveID dashboard and test WMI is ok, it gets right Domain name, etc

2. WMI DC is configured automatically and manually we checked all permisions and created Registry keys for Account that ISE uses when contacting DC

3. No sessions are collected from DC

4. We set DEBUG level for PassiveID and we get below:

2019-09-18 16:11:04,202 DEBUG [Thread-82275][] com.cisco.idc.dc-probe- DCOM timeout reached on DC. Identity Mapping.NTLMv2 = true , Identity Mapping.dc-domainname = XXXXXX , Identity Mapping.probe = WMI , Identity Mapping.dc-windows-version = Win2016 , Identity Mapping.dc-username = XXXXX , Identity Mapping.dc-name = XXXXXXX , Identity Mapping.dc-host = XXXXXXX/10.239.5.20

5. On Windows side we have Event log error with ID 5858 for WMI Activity with ResultCode: 0x80041032

Can someone provide help? Also we did this with two ISEs but problem remains same.

Does anybody know which Security logon event ID ISE PassiveID requests from DC: 4768 or 4624, because user has no 4768 events and if we look into WMI error we see ISE requesting 4768 event ID from DC.

Tnx in advance.

Regards,

Vedran.

Re: ISE PassiveID and WMI pulling

howon — Mon, 23 Sep 2019 11:35:46 GMT

I suggest opening a TAC SR to root cause the issue.

Re: ISE PassiveID and WMI pulling

vfranjic — Mon, 23 Sep 2019 11:44:04 GMT

Hi, solved the problem with customer.

ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID

Procedure:

https://www.manageengine.com/products/active-directory-audit/help/getting-started/domain-controllers-advanced-audit-policy.html

Microsoft about Kerberos Audit Service:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service

Regards,

Vedran.

Re: ISE PassiveID and WMI pulling

marinogr — Wed, 18 Nov 2020 13:59:52 GMT

WMI configuration from ISE to DC does not enable Kerberos Audit authentication service and it should be enabled by yourself because it is turned off by default. Very frustrating because no ISE PIC documentation mention this configuration and every test on ISE is OK but no passive authentication is coming on ISE.