https://community.cisco.com/t5/network-access-control/span-session-for-every-authenticating-domain-controller/m-p/3501120#M557568 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 11.0pt;">With Kerberos SPAN, wouldn’t we have to have a SPAN session for every authenticating domain controller in the environment?&nbsp; Since there can only be two ISE-PIC nodes, that seems to eliminate that option (if my assumption’s correct).</SPAN></P><P></P><P><SPAN style="font-size: 11.0pt;">Also, if we were to stand up a member server with the agent on it, does it need to be set up as an Event Log Collector and all the domain controllers configured with Event Log Forwarding to the member server?</SPAN></P><P></P><P><SPAN style="font-size: 11.0pt;">Thank you,</SPAN></P><P><SPAN style="font-size: 11.0pt;">Brian Crocker&nbsp; <A href="https://community.cisco.com//u1/340627" target="_blank">bricrock</A><BR /></SPAN></P></BODY></HTML> Fri, 21 Feb 2020 18:31:52 GMT benugent 2020-02-21T18:31:52Z https://community.cisco.com/t5/network-access-control/span-session-for-every-authenticating-domain-controller/m-p/3501120#M557568 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 11.0pt;">With Kerberos SPAN, wouldn’t we have to have a SPAN session for every authenticating domain controller in the environment?&nbsp; Since there can only be two ISE-PIC nodes, that seems to eliminate that option (if my assumption’s correct).</SPAN></P><P></P><P><SPAN style="font-size: 11.0pt;">Also, if we were to stand up a member server with the agent on it, does it need to be set up as an Event Log Collector and all the domain controllers configured with Event Log Forwarding to the member server?</SPAN></P><P></P><P><SPAN style="font-size: 11.0pt;">Thank you,</SPAN></P><P><SPAN style="font-size: 11.0pt;">Brian Crocker&nbsp; <A href="https://community.cisco.com//u1/340627" target="_blank">bricrock</A><BR /></SPAN></P></BODY></HTML> Fri, 21 Feb 2020 18:31:52 GMT https://community.cisco.com/t5/network-access-control/span-session-for-every-authenticating-domain-controller/m-p/3501120#M557568 benugent 2020-02-21T18:31:52Z https://community.cisco.com/t5/network-access-control/span-session-for-every-authenticating-domain-controller/m-p/3501121#M557588 <HTML><HEAD></HEAD><BODY><P>Brian,</P><P></P><P>You are correct that log forwarding would have to be setup to send logon messages to the member server running the agent.&nbsp; You can do this with group policy.&nbsp; <A href="https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows/">Here</A> is an article on how to do it.</P><P></P><P>PIC Kerberos SPAN is looking for specific events and I'm pretty sure that is regardless of authenticating domain controller.&nbsp; The only requisites you need to enable Kerberos SPAN is to ensure the PassiveID service is running (which is by default in PIC) and to select the interface you are going to use to monitor for logon events.&nbsp; If we need to discuss further, we can set up a meeting.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Mon, 13 Feb 2017 15:08:02 GMT https://community.cisco.com/t5/network-access-control/span-session-for-every-authenticating-domain-controller/m-p/3501121#M557588 Timothy Abbott 2017-02-13T15:08:02Z