
ISE - Active Directory Design assistance

dmooregfb
Contributor

I am seeking any help / advice from anyone who has implemented in a live corporate environment the use of a Member Server to provide PassiveID support for an ISE implementation.

Based on the design from BRKSEC-3697 from Aaron Woland's lecture, we have implemented a member server and are using a manually installed agent. (see attached .pdf)

Why?

Using this design since our Server Admins are concerned about directly accessing or using an agent on any production DCs.

Problems!

Unable to read logs which will not provide PassiveID information to ISE-Primary/Secondary devices

Logs are placed into a folder called Forwarded Events with the correct EventID (4769)

Questions:

1. can the member server be in the parent domain?

2. is there any way to point the required eventID if unable to use the Forwarded Events?

Thanks for any assistance

Dave Moore

(I have a TAC case open, but really need a solution soon as 3 projects are relying on this problem resolution)

Accepted Solution (hslai)

The TAC case has been associated with an active ISE ESC case and one of our ESC engineers has been assigned to it, so please continue the discussion with the TAC and ISE ESC teams.

On 1, the collector can be in the parent domain to collect the Windows events from a child domain.

On 2, you may change the subscription to update the destination log to Application or System. Also, we should monitor for both 4768 and 4770.

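As an added illustration of the second point (this is not code from the thread, from Cisco, or from the BRKSEC-3697 design): a source-initiated Windows Event Forwarding subscription on the member server that delivers the Kerberos ticket events (4768, 4769, 4770) into the Application log instead of the default Forwarded Events log, followed by a check that the destination log is set and that events are actually arriving there. The subscription name "ISE-PassiveID", the choice of the Application log, and the use of MinLatency delivery are assumptions made for the example; the AllowedSourceDomainComputers SDDL names the collector's own Domain Computers group, so DCs in a child domain need that domain's group SID instead.

```powershell
# Added example: WEF subscription for ISE PassiveID with a non-default destination log.
# Assumed names: subscription "ISE-PassiveID", destination log "Application".
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>ISE-PassiveID</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Kerberos TGT/ST events from the DCs for ISE PassiveID</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4770)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Destination log on the collector: Application instead of ForwardedEvents -->
  <LogFile>Application</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- "DC" = this domain's Domain Computers group; use the child domain's SID for child DCs -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# Make sure the Windows Event Collector service is configured, then create the subscription.
wecutil qc /q
$path = Join-Path $env:TEMP 'ise-passiveid-subscription.xml'
$subscriptionXml | Set-Content -Path $path -Encoding ASCII
wecutil cs $path
# For an existing subscription, change only the destination log instead:
#   wecutil ss ISE-PassiveID /lf:Application

# Check 1: the collector reports the destination log we asked for.
([xml](wecutil gs ISE-PassiveID /f:xml)).Subscription.LogFile

# Check 2: matching events are landing in that log (TargetUserName is the first EventData field).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4768, 4769, 4770 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, MachineName, @{ n = 'Account'; e = { $_.Properties[0].Value } }
```

If Check 2 returns nothing while the DCs show the events locally, the source-side WinRM/forwarding configuration or the SDDL is the usual cause, not the ISE side.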


dmooregfb
Contributor

Attachment of the design

hslai
Cisco Employee

I am checking with our teams on your inquiries. If possible, please share the TAC case number.

Hslai, thanks for this:

SR 682790420 : PassiveID

Dave


hslai, thanks for the information. Will keep the lines of communication open with TAC.
