topic Cisco ISE PIC 3.4 RPC connect to domain controller failed in Network Access Control

Cisco ISE PIC 3.4 RPC connect to domain controller failed

faruk.zaimovic — Wed, 23 Oct 2024 10:10:32 GMT

Hello,

i have installed Cisco ISE PIC 3.4 version and use RPC agent as connection with AD. Made integration with FMC and create rule to filter URL per user. I have noticed that FMC don't get information when user log off and FMC alone in some time make logoff user, then tomorrow when i make login in PC, ISE PIC and FMC don't get that info, when i found live session my IP and manually run check current user i get info in FMC that user is login then URL filtering continue working.

what i noticed in log .

RPC connect to domain controller failed

Does anybody have same problem, please share.

Re: Cisco ISE PIC 3.4 RPC connect to domain controller failed

Aref Alsouqi — Wed, 23 Oct 2024 10:33:35 GMT

Did you check if the agent is running as expected on the DC?

Configure EVT-Based Identity Services Engine Passive ID Agent - Cisco

Re: Cisco ISE PIC 3.4 RPC connect to domain controller failed

faruk.zaimovic — Wed, 23 Oct 2024 10:59:31 GMT

Hello,

Thank you very much for answer.

Agent are correct installed and in running mode. I have primary and secondary agent same as u send link for Passive ID Agent, When I made run test to AD i got strange messages. Picture below. Could not obtain TGT..... i dont know how to set it in AD,

Re: Cisco ISE PIC 3.4 RPC connect to domain controller failed

Aref Alsouqi — Wed, 23 Oct 2024 11:36:59 GMT

To me it looks like an issue with kerberos on the AD. Do you see any interesting logs on the AD related to ISE diagnostics?

Re: Cisco ISE PIC 3.4 RPC connect to domain controller failed

faruk.zaimovic — Fri, 25 Oct 2024 05:56:55 GMT

Hello,

Thank you very much for your response.

I have same opinion that problem is in AD, I just check that problem is not connected for ISE PIC.

It works if i have that problem, I can see users in my FMC over PxGrid normaly, but what I noticed that ISE PIC agent over PxGrid send all users from AD to FMC. Does anybody do it, in User activity I can see all users from AD, If i do passive authetication only for one AD group. Is there any way to limit users . I treid it over REALM authetication and limit that group, but it is works only when I create policy which group and which users I can see and add in rule.

Thank you very much for help.

Re: Cisco ISE PIC 3.4 RPC connect to domain controller failed

Aref Alsouqi — Fri, 25 Oct 2024 08:36:13 GMT

When you say tried to limit the groups was that from the Realm config under the "User Download > Groups to include" page?

Re: Cisco ISE PIC 3.4 RPC connect to domain controller failed

faruk.zaimovic — Sat, 26 Oct 2024 05:45:30 GMT

Aref,

Yes, in user activity I can see all users from AD, i would like to see only users from one AD groupe, in that user i would apply passive atuhetication. I dont know it is possible. I could not find any options.

Aref as u said, in Realm options for dowload users a only type one AD group, and again i can see all users from AD in user activity.

Re: Cisco ISE PIC 3.4 RPC connect to domain controller failed

Aref Alsouqi — Mon, 28 Oct 2024 16:40:26 GMT

I got the feeling that what you see is expected. Maybe @Marvin Rhoads can help on this.

Re: Cisco ISE PIC 3.4 RPC connect to domain controller failed

Marvin Rhoads — Tue, 29 Oct 2024 18:20:38 GMT

@faruk.zaimovic I don't believe that is possible.

The only filtering we can do is to limit via a network filter in the FMC ISE integration. Such a filter causes ISE to report data from the networks within that filter. No such option for AD user or groups is currently available.