Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1384
Views
0
Helpful
7
Replies

ISE 2.2p1 Passive ID with Agent not working with EasyConnect

Go to solution
scamarda
Cisco Employee
Cisco Employee

‎06-29-2017 05:29 AM

I posted this question in the ISE-PIC community page but got to thinking it is ISE related and not ISE-PIC  and was unsure I would get a response.  Please forgive the double post.

Trying to get ISE 2.2p1 PassiveID working with either the Agent or WMI.  I believe I am getting the passive-id information as the user info is showing up in PassiveID > active sessions.  The domain computer login is not present in the active sessions log.

The active directory servers in this instance are Server 2008R2.  The agents are installed directory on the AD servers.  My authz rules are looking for PassiveID:domain computer and PassiveID:domain user.  These rules are not being hit.

In the agent log I see the domain computer login and I see the domain user login.  The domain computer reference indicates it is dropped.

In the ISE logs I am getting an error for one server saying the agent is not responding.   No firewall in the picture just a layer three router.

Would like some ideas on what to troubleshoot next on this.

Thanks.

Sam

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to scamarda

‎06-29-2017 05:41 AM

Agent is not supported with Easy Connect currently. Please share with me the complete logs. Are they in DEBUG?

View solution in original post

0 Helpful
7 Replies 7

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-29-2017 05:35 AM

PassiveID is for AD domain users only. It does not look at computer logins. If you have a use case that we should also consider computer logins, please discuss it with our PM teams.

0 Helpful

Go to solution
scamarda
Cisco Employee
Cisco Employee
In response to hslai

‎06-29-2017 05:39 AM

OK. I understand the domain computer login not working (hence the drops in the log) but I am still not getting the user login.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to scamarda

‎06-29-2017 05:41 AM

Agent is not supported with Easy Connect currently. Please share with me the complete logs. Are they in DEBUG?

0 Helpful

Go to solution
scamarda
Cisco Employee
Cisco Employee
In response to hslai

‎06-29-2017 05:48 AM

OK.  Thanks.  In troubleshooting I also set this up using WMI as the interface in PassiveID. I received the same negative results.  Should I expect WMI to not be supported as well?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to scamarda

‎06-29-2017 06:00 AM

WMI provider is supported. I will check the logs you sent and might need to meet with you to discuss further.

0 Helpful

Go to solution
scamarda
Cisco Employee
Cisco Employee
In response to hslai

‎06-29-2017 06:05 AM

Thank you.  I can be available for troubleshooting.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to scamarda

‎06-29-2017 06:55 AM

To add, other Passive ID sources are not currently tracked at MnT as part of the Easy Connect merge and CoA process, so not only is it not supported, but not expected to work.  If not working with WMI, then that is another issue and Hsing is an expert troubleshooter!

0 Helpful
Customers Also Viewed These Support Documents