ISE Passive ID Preferred Options/Scalability

paul — Fri, 21 Feb 2020 18:32:25 GMT

All,

I wanted to put some of my thoughts down in ISE Passive ID and cofirm what I am thinking as we lay this out for customers. Please let me know if I have anything incorrect or am missing something.

I am listing the Passive ID options in order of how I would prefer to implement them:

Option #1- Agent Installed on Each DC

Advantages

Only requires elevated privilege account to install the agent. i.e. no persistent service account needed.
Removes polling requirements from the PSNs.
No WMI modifications on the DCs. (registry settings, CIMv2 modifications, etc.)

Disadvantages

Requires the installation of a service on the DCs which some customers may not like the idea of.

Scalability and Performance

Can scale up to 100 DCs. In terms of performance, I would think this would be the middle performer of the 3. The workload is offloaded from the PSNs, but I have 1:1 feeds coming into the PSNs from the agents.

Option #2- WMI Queries from the PSNs

Advantages

No services required on the DCs.

Disadvantages

Requires elevated privilege service account. Account in Domain Admins is the simplest, but that won't fly with many customers especially if you ask for a non-expiring password service account.
WMI modifications on the DCs. (registry settings, CIMv2 modifications, etc.)
PSNs have to perform the polling work adding load to the PSNs.

Scalability and Performance

Can scale up to 100 DCs. In terms of performance, I would think this would be the worst performer out of the 3 options as the PSNs have to do all the work.

Option #3- Agent on Member Servers Polling up to 10 DCs Each

Advantages

No services required on the DCs.
Aggregate information at a 10:1 ratio before feeding the data into ISE.

Disadvantages

Requires elevated privilege service account. Account in Domain Admins is the simplest, but that won't fly with many customers especially if you ask for a non-expiring password service account.
WMI modifications on the DCs. (registry settings, CIMv2 modifications, etc.)
Need member servers provisioned for this role at a 10:1 ratio.

Scalability and Performance

Can scale up to 100 DCs. In terms of performance, I would think this is the best performance since it is aggregating the data so the PSNs have less data sources to deal with.

Re: ISE Passive ID Preferred Options/Scalability

Timothy Abbott — Thu, 29 Jun 2017 18:58:39 GMT

Paul,

You wouldn't need to deploy an agent on each DC. The agent can monitor up to 10 controllers whether the agent is installed on the controller or a member server. Since the agent is running on a trusted source, you don't need elevated account privileges. That would only be true for the WMI probe because the server would need to be configured for remote monitoring. Here are all 3 options in order of efficiency:

1: Agent (either member or controller) - up to 100 controllers

2: WMI - up to 100 controllers

3: Kerberos SPAN - Zero touch / point-in-time only / no history

Regards,

-Tim

Re: ISE Passive ID Preferred Options/Scalability

paul — Thu, 29 Jun 2017 19:27:46 GMT

Tim,

All member servers are allowed to automatically WMI poll DCs for security logs? Or how is the member server getting the security logs from the DCs?

In other solutions even when you deploy agents on member servers they need AD credentials to make WMI calls to the DCs.

I am sure I am missing something.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

topic Re: ISE Passive ID Preferred Options/Scalability in Network Access Control

ISE Passive ID Preferred Options/Scalability

Re: ISE Passive ID Preferred Options/Scalability

Re: ISE Passive ID Preferred Options/Scalability