https://community.cisco.com/t5/network-security/ise-pic-to-passive-identity-agent-migration/m-p/5323252#M1122348 <P>We currently use ISE-PIC as our identity source for identity based policies in our FMC. According to the following EOL notice, ISE-PIC support will end November 30, 2027.&nbsp;&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/products/collateral/security/ise-passive-identity-connector/ise-pic-eol.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/products/collateral/security/ise-passive-identity-connector/ise-pic-eol.html</A></P><P>Migration options are to upgrade to ISE Advantage or migrate to Passive Identity Agent which was introduced in 7.6 software versions.&nbsp; I'm leaning more towards the Passive Identity Agent, but curious if anyone has gone through this migration yet and what their experience is.&nbsp; We've had no issues with our ISE-PIC as our identity source and our identity rules have worked very well.&nbsp; I just wanted to see if anyone in the community is using the Passive Identity Agent and if it works well for your identity rules.</P><P>Thank you.</P> Fri, 22 Aug 2025 12:46:52 GMT jmeetze 2025-08-22T12:46:52Z https://community.cisco.com/t5/network-security/ise-pic-to-passive-identity-agent-migration/m-p/5323252#M1122348 <P>We currently use ISE-PIC as our identity source for identity based policies in our FMC. According to the following EOL notice, ISE-PIC support will end November 30, 2027.&nbsp;&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/products/collateral/security/ise-passive-identity-connector/ise-pic-eol.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/products/collateral/security/ise-passive-identity-connector/ise-pic-eol.html</A></P><P>Migration options are to upgrade to ISE Advantage or migrate to Passive Identity Agent which was introduced in 7.6 software versions.&nbsp; I'm leaning more towards the Passive Identity Agent, but curious if anyone has gone through this migration yet and what their experience is.&nbsp; We've had no issues with our ISE-PIC as our identity source and our identity rules have worked very well.&nbsp; I just wanted to see if anyone in the community is using the Passive Identity Agent and if it works well for your identity rules.</P><P>Thank you.</P> Fri, 22 Aug 2025 12:46:52 GMT https://community.cisco.com/t5/network-security/ise-pic-to-passive-identity-agent-migration/m-p/5323252#M1122348 jmeetze 2025-08-22T12:46:52Z https://community.cisco.com/t5/network-security/ise-pic-to-passive-identity-agent-migration/m-p/5324126#M1122378 <P>Passive identity agent works fine. I have used it personally as have a couple of my customers.</P> Mon, 25 Aug 2025 16:43:55 GMT https://community.cisco.com/t5/network-security/ise-pic-to-passive-identity-agent-migration/m-p/5324126#M1122378 Marvin Rhoads 2025-08-25T16:43:55Z https://community.cisco.com/t5/network-security/ise-pic-to-passive-identity-agent-migration/m-p/5545377#M1124944 <P>Hi Marvin<BR /><BR />I have problems to this new agent identify logoff sessions of users on their workstations, if i understood correctly it is not work like old agent version(FUA 2.4 that worked until FTD/FMC 6.6)&nbsp; that query workstation by WMI periodicly to check status, this&nbsp;new Passive Identity Agent itself relies on the Kerberos ticketing system to understand user sessions, but the problem is&nbsp; that events logoffs will not appears on Kerberos ids. In my enviroment only appears logoffs events of user when timeout session configured on&nbsp; FMC is hit .&nbsp;<BR />In your customers how this behavior about monitored logoff session on workstations works well as old agent version?<BR />Tks</P> Tue, 14 Apr 2026 23:05:03 GMT https://community.cisco.com/t5/network-security/ise-pic-to-passive-identity-agent-migration/m-p/5545377#M1124944 crusier2015 2026-04-14T23:05:03Z