Contributor

ISE - Active Directory Design assistance

I am seeking any help / advice from anyone who has implemented in a live corporate environment the use of a Member Server to provide PassiveID support for an ISE implementation.

Based on the design from BRKSEC-3697 from Aaron Woland's lecture, we have implemented a member server and are using a manually installed agent. (see attached .pdf)

Why?

Using this design since our Server Admins are concerned about directly accessing or using an agent on any production DCs

Problems!

Unable to read logs which will not provide PassiveID information to ISE-Primary/Secondary devices

Logs are placed into a folder called Forwarded Events with the correct EventID (4769)

Questions:

1. can the member server be in the parent domain?

2. is there any way to point the required eventID if unable to use the Forwarded Events?

Thanks for any assistance

Dave Moore

(I have a TAC case open, but really need a solution soon as 3 projects are relying on this problem resolution)

Contributor

Re: ISE - Active Directory Design assistance

Attachment of the design

Cisco Employee

Re: ISE - Active Directory Design assistance

I am checking with our teams on your inquiries. If possible, please share the TAC case number.

Contributor

Re: ISE - Active Directory Design assistance

Hslai, thanks for this:

SR 682790420 : PassiveID

Dave

Cisco Employee (accepted solution)

Re: ISE - Active Directory Design assistance

The TAC case has been associated with an active ISE ESC case and one of our ESC engineers has been assigned to it, so please continue the discussion with TAC and ISE ESC teams.

On 1, the collector can be in the parent domain to collect the Windows events from a child domain.

On 2, you may change the subscription to update the destination log to Application or System. Also, we should monitor for both 4768 and 4770.

(Attachment: Screen Shot 2017-09-06 at 10.39.17 AM.png)

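What the second point looks like in practice, as an added example that is not from the thread or from Cisco: a source-initiated WEF subscription on the member server whose LogFile is Application rather than ForwardedEvents and whose query covers 4768, 4769 and 4770. The subscription name, description and latency values are assumed, and it presumes the collector service is already configured (wecutil qc) and the DCs are enrolled through the Subscription Manager GPO.

```powershell
# Added example, not from the thread. Assumes the member server is already a
# WEC collector (wecutil qc) and the DCs point at it via the Subscription
# Manager GPO. Subscription name, description and latency values are assumed.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ISE-PassiveID-Kerberos</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Kerberos ticket events from the DCs for ISE PassiveID</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <!-- 4768 TGT request, 4769 service ticket request, 4770 TGT renewal -->
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4770)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Destination log on the collector: Application instead of the default ForwardedEvents -->
  <LogFile>Application</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting the Domain Computers group the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'ISE-PassiveID-Kerberos.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

# Register the subscription, then show per-source delivery status.
wecutil cs $xmlPath
wecutil gr ISE-PassiveID-Kerberos

# Confirm the ticket events are now landing in the Application log on this server.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4768, 4769, 4770 } -MaxEvents 5 |
    Format-Table TimeCreated, Id, MachineName -AutoSize
```

If the status shows a DC as inactive, the usual causes are the WinRM listener on the collector or the Event Log Readers permission for the Network Service account on the DC's Security log.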

Contributor

Re: ISE - Active Directory Design assistance

hslai, thanks for the information. Will keep the lines of communication open with TAC.