Cisco ISE PIC 3.4 RPC connect to domain controller failed

faruk.zaimovic
Level 1

Hello, 

I have installed Cisco ISE PIC version 3.4 and use the RPC agent as the connection with AD. I made the integration with FMC and created a rule to filter URLs per user. I have noticed that FMC doesn't get information when a user logs off, and after some time FMC logs the user off on its own; then the next day, when I log in on the PC, ISE PIC and FMC don't get that info. When I find the live session for my IP and manually run "check current user", I get info in FMC that the user is logged in, and then URL filtering continues working.

What I noticed in the log:

RPC connect to domain controller failed

[screenshot: farukzaimovic_0-1729678220196.png]

Does anybody have same problem, please share.


8 Replies

Did you check if the agent is running as expected on the DC?

Configure EVT-Based Identity Services Engine Passive ID Agent - Cisco

Hello, 

Thank you very much for answer.

The agents are correctly installed and in running mode. I have a primary and a secondary agent, the same as in the link you sent for the Passive ID Agent. When I ran a test to AD I got strange messages. Picture below. "Could not obtain TGT..." I don't know how to set it up in AD.

[screenshot: farukzaimovic_0-1729681145024.png]

To me it looks like an issue with kerberos on the AD. Do you see any interesting logs on the AD related to ISE diagnostics?

Hello,

Thank you very much for your response.

I have the same opinion that the problem is in AD; I just checked that the problem is not connected to ISE PIC.

It works even if I have that problem: I can see users in my FMC over pxGrid normally, but what I noticed is that the ISE PIC agent over pxGrid sends all users from AD to FMC. Does anybody do this? In User Activity I can see all users from AD, even if I do passive authentication only for one AD group. Is there any way to limit users? I tried it over REALM authentication and limited that group, but it only works when I create a policy with which group and which users I can see and add in the rule.

Thank you very much for help.

When you say tried to limit the groups was that from the Realm config under the "User Download > Groups to include" page?

Aref,

Yes, in User Activity I can see all users from AD; I would like to see only users from one AD group, and to those users I would apply passive authentication. I don't know if it is possible. I could not find any options.

Aref, as you said, in the Realm options for downloading users I only typed one AD group, and again I can see all users from AD in User Activity.

I got the feeling that what you see is expected. Maybe @Marvin Rhoads can help on this.

@faruk.zaimovic I don't believe that is possible.

The only filtering we can do is to limit via a network filter in the FMC ISE integration. Such a filter causes ISE to report data from the networks within that filter. No such option for AD user or groups is currently available.