Cisco ISE Passive Identity Agent on Azure Domain Controller

dimi.kard
Level 1

Hi All,

We have a Cisco ISE VM, version 3.1 patch 10, which is only used to retrieve user groups from domain controllers in order to enforce the corresponding policies on FTDs.

Currently, we have installed the Cisco Passive Identity agent on all of our on-prem Domain Controllers (Windows Server 2019 via RPC) without any issue. We are trying to install the agent on a DC which is located in Azure without success. The DC is also Windows Server 2019.

There is a site-to-site VPN between the on-prem site where Cisco ISE is located and the DC in Azure; all traffic is allowed.

Windows Firewall on the DC is off.

We've tried telnet from the DC towards the ISE ports and the connection works fine.

In the agent logs on the Windows Server we get the following message: https://isenodefqdn:9095 with timeout.

Could anyone assist on this?

4 Replies

Could it be a DNS issue? Have you tried to install the agent manually on the Azure domain controller? If not, could you try that please?

Also, ISE PIC is already EoL but will still have support until Nov 2027. Why not integrate your FMC with your AD directly by configuring a realm, bypassing the need to rely on ISE PIC?

End-of-Sale and End-of-Life Announcement for the Cisco Identity Services Engine Passive Identity Connector (ISE-PIC) - Cisco
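The original post reports that telnet to the ISE ports succeeds while the agent still times out on https://isenodefqdn:9095, and the reply above suggests DNS. The following PowerShell diagnostic is an added example, not code from the thread or from Cisco, to run on the Azure DC so that name resolution, TCP reachability (VPN route / Azure NSG) and the TLS handshake on 9095 are checked as separate steps; the FQDN value is a placeholder.

```powershell
# Added diagnostic (not from the thread): separates DNS, TCP and TLS failures
# for the PIC agent's HTTPS connection to ISE on port 9095.
# $IseFqdn is a placeholder; use the FQDN configured in the agent.
param(
    [string]$IseFqdn = 'isenodefqdn.example.com',
    [int]$Port = 9095
)

# 1. Name resolution: the agent connects by FQDN, so a missing or stale record
#    in the DNS view the Azure DC uses shows up here first.
try {
    $dns = Resolve-DnsName -Name $IseFqdn -Type A -ErrorAction Stop
    Write-Host "DNS: $IseFqdn -> $($dns.IPAddress -join ', ')"
} catch {
    Write-Host "DNS: failed to resolve $IseFqdn : $($_.Exception.Message)"
    return
}

# 2. TCP reachability: a failure here points at the site-to-site VPN route or an
#    Azure network security group, not at the agent (telnet success means this passes).
$tcp = Test-NetConnection -ComputerName $IseFqdn -Port $Port -WarningAction SilentlyContinue
Write-Host "TCP: ${IseFqdn}:${Port} TcpTestSucceeded=$($tcp.TcpTestSucceeded)"
if (-not $tcp.TcpTestSucceeded) { return }

# 3. TLS handshake: the agent talks HTTPS on 9095, so a TCP connect that works
#    while the handshake hangs or fails narrows the problem to TLS / certificates.
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($IseFqdn, $Port)
# Accept-all callback so the handshake completes and the server certificate can be
# inspected; chain validity is reported separately below. Diagnostic use only.
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($IseFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS: protocol=$($ssl.SslProtocol) subject=$($cert.Subject) issuer=$($cert.Issuer)"
    Write-Host "TLS: certificate chain trusted by this DC = $($cert.Verify())"
} catch {
    Write-Host "TLS: handshake failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

If steps 1 and 2 pass but the handshake fails or stalls, the Azure DC is reaching ISE but cannot complete TLS; if step 2 fails while telnet from the on-prem DCs works, compare the NSG and VPN route tables for the Azure subnet.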

Hello @Aref Alsouqi

We've tried to install agent manually but again when we check the status of the relevant DC on Cisco ISE it shows down.
Also the ad user has full privileges.
Regards

I see. I'm not good with Azure, but could it be that Azure is not allowing the traffic between ISE and the Azure DC? Maybe you should allow it in the Azure network security groups?

If you should want to explore the option to integrate the FMC with your AD directly you can check this post of mine:

FMC Identity Policy | Blue Network Security