https://community.cisco.com/t5/network-access-control/identity-provider-to-fmc-scaling-question/m-p/3420346#M511734 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I have a Firepower customer looking for identity integration within Firepower management center. We have been exploring the identity integration with pxGrid but the scale is bringing up questions on deployment options.</P><P></P><OL><LI>The customer has around 250(!) domain controllers, which means around 25 AD-Agents. Do we have any examples on this scale ?</LI><LI>Would another option like SPAN or Logs might be a better approach ?<OL><LI>There is an existing Qradar deployment with WMI integration to AD. Can that data be utilized by pxGrid and then fed into FMC ? Just checking, if this has been seen at any other customer.</LI></OL></LI></OL><P>Open to other ideas..</P><P></P><P>Naman</P></BODY></HTML> Thu, 08 Mar 2018 03:25:23 GMT mulatif 2018-03-08T03:25:23Z https://community.cisco.com/t5/network-access-control/identity-provider-to-fmc-scaling-question/m-p/3420346#M511734 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I have a Firepower customer looking for identity integration within Firepower management center. We have been exploring the identity integration with pxGrid but the scale is bringing up questions on deployment options.</P><P></P><OL><LI>The customer has around 250(!) domain controllers, which means around 25 AD-Agents. Do we have any examples on this scale ?</LI><LI>Would another option like SPAN or Logs might be a better approach ?<OL><LI>There is an existing Qradar deployment with WMI integration to AD. Can that data be utilized by pxGrid and then fed into FMC ? Just checking, if this has been seen at any other customer.</LI></OL></LI></OL><P>Open to other ideas..</P><P></P><P>Naman</P></BODY></HTML> Thu, 08 Mar 2018 03:25:23 GMT https://community.cisco.com/t5/network-access-control/identity-provider-to-fmc-scaling-question/m-p/3420346#M511734 mulatif 2018-03-08T03:25:23Z https://community.cisco.com/t5/network-access-control/identity-provider-to-fmc-scaling-question/m-p/3420347#M511735 <HTML><HEAD></HEAD><BODY><P>Max limit per ISE / ISE-PIC instance is 100 DCs today.&nbsp; If require monitoring of more DCs, then deploy multiple ISE/PIC instances.&nbsp; See <A href="https://community.cisco.com/docs/DOC-68347">ISE Performance &amp;amp; Scale</A></P><P></P><P>Remember, it is only needed to get identity for DCs that authenticate users and where need to apply policy based on the users logging into that DC.&nbsp; Although not officially QA tested, we have tested internally the use of log event forwarding which could be used to forward logs from multiple DCs to a single DC for collection. </P><P></P><P>If the Qradar deployment generates logs for each event, then Syslog could be used to parse user/IP mappings.</P><P></P><P>Craig</P></BODY></HTML> Thu, 08 Mar 2018 04:46:15 GMT https://community.cisco.com/t5/network-access-control/identity-provider-to-fmc-scaling-question/m-p/3420347#M511735 Craig Hyps 2018-03-08T04:46:15Z