Cisco Employee

Passive Identity : supported #DC - clarification needed

Hi,

My customer has slightly more than 200 domain controllers to monitor via WMI for Passive Identity.

From

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-1418220509

Max AD Domain Controllers supported via WMI or ISE AD Agent: 100

It is not clear, however, whether this limit is per PSN or per cluster. Could someone confirm?

If it is per PSN, does this mean the maximum number of DCs we can monitor per ISE cluster is limited to 200, given:

Recommended # PSNs enabled for WMI (Passive ID service): 2

Is this a hard limit, or does it just mean a higher number hasn't been tested? With the use of "recommended", it sounds like we could try to go higher...

Any chance of increasing these numbers in the future (v2.5?)

TIA,

JF

 

Accepted Solution

Cisco Employee

Re: Passive Identity : supported #DC - clarification needed

JF,

The deployment limit is 100 controllers, and a single PSN can monitor up to 100 controllers, if that makes sense. 100 controllers is what we tested; however, we can scale beyond that using security event forwarding via GPO. I can't talk about roadmap in this forum, unfortunately.

Regards,
-Tim
Cisco Employee

Re: Passive Identity : supported #DC - clarification needed

Thanks Tim, I'll follow up internally for the roadmap.

Beginner

Re: Passive Identity : supported #DC - clarification needed

Timothy,

Can you provide more information, or at least point me in the right direction, for setting up event forwarding to support Passive ID for a domain with more than 100 DCs? I have information on event subscriptions; however, it seems I can't specify the Security event log as the destination. Can the AD connector read from "Forwarded Events" on the subscriber? If so, do I need to specify this somewhere in the configuration?

Thanks

Greg
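The "security event forwarding using GPO" that Tim mentions and Greg asks about is standard Windows Event Forwarding (WEF): every DC pushes selected Security events to one collector, so a Passive ID probe only has to watch the collector rather than 200 DCs. The script below is an added example, not code from this thread or from Cisco, showing the collector side (a source-initiated subscription) plus the two settings that have to reach the DCs via GPO. The collector name WEC01.corp.example.com, the path C:\WEF, the subscription ID DC-Logon-Events and the choice of event IDs (4624 logon, 4768/4769/4770 Kerberos TGT/service ticket) are assumptions for illustration; pick the IDs your Passive ID provider actually consumes.

```powershell
# Added example (not from the thread or from Cisco): collector-side setup for
# source-initiated Windows Event Forwarding of DC logon events.
# Assumptions: collector WEC01.corp.example.com, working dir C:\WEF,
# subscription ID DC-Logon-Events. Run elevated on the collector.

# 1. WinRM listener (DCs push over WS-Man) and the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q

# 2. Subscription definition. SourceInitiated means the DCs connect to us,
#    so adding DC #101..#200 is a GPO scope change, not a collector change.
#    The SDDL in AllowedSourceDomainComputers restricts sources to the
#    Domain Controllers group (DD), not every domain computer (DC).
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Logon-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security logon / Kerberos ticket events from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4768 or EventID=4769 or EventID=4770)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

New-Item -ItemType Directory -Path C:\WEF -Force | Out-Null
$subscription | Set-Content -Path C:\WEF\dc-logon.xml -Encoding ASCII
wecutil cs C:\WEF\dc-logon.xml          # create the subscription
wecutil gr DC-Logon-Events              # runtime status: which DCs have checked in

# 3. What the DCs need, delivered by a GPO linked to the Domain Controllers OU:
#   a) Computer Configuration > Policies > Administrative Templates >
#      Windows Components > Event Forwarding > Configure target Subscription Manager:
#        Server=http://WEC01.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
#      (registry equivalent, REG_SZ value "1" under
#       HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager)
#   b) The forwarder runs as NETWORK SERVICE, which cannot read the Security log by
#      default. Grant read (0x1) with Event Log Service > Security > Configure log access,
#      appending (A;;0x1;;;NS) to the existing channel SDDL. To see the current SDDL
#      on a DC:   wevtutil gl Security

# 4. Verification on the collector: which DCs delivered events in the last hour,
#    and how many. A DC missing from this list is the one to troubleshoot.
function Get-ForwardingSources {
    param([int]$Minutes = 60)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'ForwardedEvents'
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Group-Object MachineName |
        Select-Object Name, Count |
        Sort-Object Name
}

Get-ForwardingSources -Minutes 60
```

Two caveats. The subscription writes into ForwardedEvents; that is the log the example targets, and Greg's observation that the Security log cannot be named as the destination is exactly why. Whether the ISE AD connector can be pointed at ForwardedEvents on the collector is the open question in this thread and is not answered here. Also, a single collector is a single choke point for identity data: size it for the 4624/4768/4769 volume of 200 DCs, and check `wecutil gr` after each GPO refresh so a DC that silently stops forwarding does not turn into missing sessions in Passive ID.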