Beginner

Passive ID with AD without installing the agent on every DC or using WMI

We want to do PassiveID, but due to various reasons we cannot install the agent onto DCs or employ WMI. We do have a member Windows log server that the DCs send all their logs to. Can we install the agent onto that member server to review the centralized DC logs for PassiveID? If not, I know that there is an option to use SPAN on Kerberos messages and syslog via MSAD DHCP. What have you used or recommended when installing the agent onto DCs or using WMI is not an option for Passive ID?


Thanks!

Accepted Solution
Cisco Employee

Re: Passive ID with AD without installing the agent on every DC or using WMI

The agent will only look to monitor domain controllers in the deployment.  When you join ISE or PIC to AD, it will know which servers are DCs.  So even though you are forwarding all the security event logs to a member server, that member server is not an actual DC so it will not be an option for the Agent or WMI probe to monitor.

Your only options would be Kerberos SPAN or to forward security event logs via syslog to ISE or PIC while using a custom template.

Regards,

-Tim
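As an added example (not part of this thread and not Cisco's own code), a small check a defender could run over the member server's forwarded syslog before committing to the custom-template route: it confirms the forwarded events still carry the user-to-IP bindings that PassiveID needs. The key=value syslog layout, hostname and addresses are constructed for the example; 4624 (logon) and 4768 (Kerberos TGT request) are standard Windows Security event IDs.

```python
import re
from typing import Optional

# Constructed sample: Windows Security events as a member log server might
# forward them over syslog in a key=value layout (not Cisco's own format).
SAMPLE_SYSLOG = [
    "<14>Jan 10 09:12:01 LOGSRV01 Security: EventID=4624 TargetUserName=jdoe "
    "TargetDomainName=CORP LogonType=3 IpAddress=10.1.20.15",
    "<14>Jan 10 09:12:02 LOGSRV01 Security: EventID=4624 TargetUserName=WS-042$ "
    "TargetDomainName=CORP LogonType=3 IpAddress=10.1.20.42",
    "<14>Jan 10 09:12:03 LOGSRV01 Security: EventID=4768 TargetUserName=asmith "
    "TargetDomainName=CORP IpAddress=::ffff:10.1.30.7",
    "<14>Jan 10 09:12:04 LOGSRV01 Security: EventID=4634 TargetUserName=jdoe "
    "TargetDomainName=CORP",
]

# Event IDs that carry a usable user-to-IP binding (assumption for this
# example; a real custom template would list whichever IDs the DCs forward).
LOGON_EVENT_IDS = {"4624", "4768"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_binding(line: str) -> Optional[dict]:
    """Return {user, domain, ip, event_id} for a logon event, else None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") not in LOGON_EVENT_IDS:
        return None
    user = fields.get("TargetUserName", "")
    ip = fields.get("IpAddress", "")
    # Machine accounts (trailing '$') give no user identity worth mapping.
    if not user or user.endswith("$"):
        return None
    # Kerberos events log IPv4 clients as IPv4-mapped IPv6 addresses.
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    if not ip or ip == "-":
        return None
    return {"user": user, "domain": fields.get("TargetDomainName", ""),
            "ip": ip, "event_id": fields["EventID"]}


def build_mappings(lines) -> list:
    """Collect every user-to-IP binding found in the forwarded log lines."""
    return [b for b in (parse_binding(l) for l in lines) if b]


if __name__ == "__main__":
    for binding in build_mappings(SAMPLE_SYSLOG):
        print(binding)
```

If the forwarded lines lack an IP field (for example only logoff or audit-policy events reach the member server), no binding is produced, which is the signal that the syslog route will not feed PassiveID.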

Beginner

Re: Passive ID with AD without installing the agent on every DC or using WMI

Thanks Tim. Let's say that we go with the syslog route using a custom template. Are there any existing ISE deployments that are successfully using that setup for passive ID with AD?

Cisco Employee

Re: Passive ID with AD without installing the agent on every DC or using WMI

I know there are some that are considering using that as an option but I'm not aware of any currently in production.

Regards,

-Tim
