https://community.cisco.com/t5/network-access-control/ise-pic-not-seeing-windows-logon-events/m-p/4549883#M572727 <P>While you've listed the codes (and are mostly correct), it is actually an issue with the Audit Policy not being fully set.&nbsp; This is something that isn't covered (at all) in the ISE/PIC documentation.</P><P>&nbsp;</P><P>Check out the very well crafted answer over here:<BR /><A href="https://community.cisco.com/t5/network-access-control/ise-passiveid-and-wmi-pulling/m-p/3928476/highlight/true#M457053" target="_blank">https://community.cisco.com/t5/network-access-control/ise-passiveid-and-wmi-pulling/m-p/3928476/highlight/true#M457053</A></P><P>&nbsp;</P> Thu, 10 Feb 2022 20:25:11 GMT purchasing 2022-02-10T20:25:11Z https://community.cisco.com/t5/network-access-control/ise-pic-not-seeing-windows-logon-events/m-p/4318754#M566593 <P>I'm trying to setup ISE-PIC 2.7 to replace the older Firepower User Agent software.&nbsp; I've followed the how-to install, and the PassiveID setup wizard.&nbsp; On the Providers pane I see my DCs all listed with an "UP" status (green check mark).&nbsp; But I've only ever gotten a single session showing in ISE.</P><P>&nbsp;</P><P>If I look at the event viewer on any of the DCs then I see <EM><STRONG>LOTS</STRONG> </EM>of 4624 "Logon" events that correspond to granted kerberos tickets.&nbsp; So I know the event auditing is working properly, it just doesn't seem that ISE is reading these events.&nbsp; (Again, I saw a single session pop-up once, so it isn't that ISE is unable to talk to the DCs -- it feels like a filter criteria issue to me)</P><P>&nbsp;</P><P>I did notice that the verbose logging for the Agents (currently not using the Agents, but did try at one point to see if they had a different result) seemed to imply that they were watching for 4768 &amp; 4770 events.&nbsp; While I'd include those in my "what to watch for list", I wouldn't make it exclusively those two events (I normally use&nbsp;4624, 4768, 4769, and 4770 when looking for auths -- especially since I see all the 4624 logon events).&nbsp; Does anyone which event IDs ISE-PIC is looking for (and which channels it is looking for them in)?</P><P>&nbsp;</P><P>Has anyone else had an issue where ISE-PIC just wasn't seeing active sessions (and if you have, can you give pointers on what your fix[es] were)?</P><P>&nbsp;</P><P>I'm currently running ISE-PIC 2.7 with the Active Directory providers in WMI mode.&nbsp; I've tried both 2.7 &amp; 3.0, and both of them with AD in WMI &amp; Agent modes.&nbsp; The setup is always smooth, and I can get my subscribers connected -- I just don't have a good session directory because ISE doesn't seem to see the active sessions on the DCs.&nbsp; I see walkthroughs all over the place talking about how easy it is, and I'm sure that's normally true.&nbsp; But I'm starting to have trouble with the old Firepower User Agent and would love to get this tested so I can justify getting the licenses in place and then get rid of the old agent.</P> Mon, 05 Apr 2021 15:29:19 GMT https://community.cisco.com/t5/network-access-control/ise-pic-not-seeing-windows-logon-events/m-p/4318754#M566593 Russell Rockett 2021-04-05T15:29:19Z https://community.cisco.com/t5/network-access-control/ise-pic-not-seeing-windows-logon-events/m-p/4549883#M572727 <P>While you've listed the codes (and are mostly correct), it is actually an issue with the Audit Policy not being fully set.&nbsp; This is something that isn't covered (at all) in the ISE/PIC documentation.</P><P>&nbsp;</P><P>Check out the very well crafted answer over here:<BR /><A href="https://community.cisco.com/t5/network-access-control/ise-passiveid-and-wmi-pulling/m-p/3928476/highlight/true#M457053" target="_blank">https://community.cisco.com/t5/network-access-control/ise-passiveid-and-wmi-pulling/m-p/3928476/highlight/true#M457053</A></P><P>&nbsp;</P> Thu, 10 Feb 2022 20:25:11 GMT https://community.cisco.com/t5/network-access-control/ise-pic-not-seeing-windows-logon-events/m-p/4549883#M572727 purchasing 2022-02-10T20:25:11Z