08-21-2017 11:24 AM
I am seeking any help / advice from anyone who has implemented in a live corporate environment the use of a Member Server to provide PassiveID support for an ISE implementation.
Based on the design from BRKSEC-3697 from Aaron Woland's lecture, we have implemented a member server and are using a manually installed agent. (see attached .pdf)
Why?
We are using this design since our Server Admins are concerned about directly accessing or using an agent on any production DCs.
Problems!
Unable to read logs which will not provide PassiveID information to ISE-Primary/Secondary devices
Logs are placed into a folder called Forwarded Events with the correct EventID (4769)
Questions:
1. Can the member server be in the parent domain?
2. Is there any way to point the required eventID if unable to use the Forwarded Events?
Thanks for any assistance
Dave Moore
(I have a TAC case open, but really need a solution soon as 3 projects are relying on this problem resolution)
08-22-2017 10:59 AM
I am checking with our teams on your inquiries. If possible, please share the TAC case number.
08-22-2017 11:21 AM
Hslai, thanks for this:
SR 682790420 : PassiveID
Dave
09-06-2017 10:42 AM
The TAC case has been associated with an active ISE ESC case and one of our ESC engineers has been assigned to it, so please continue the discussion with TAC and ISE ESC teams.
On 1, the collector can be in the parent domain to collect the Windows events from a child domain.
On 2, you may change the subscription to update the destination log to Application or System. Also, we should monitor for both 4768 and 4770.
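A way to confirm on the member server (collector) which log the subscription writes to and whether the Kerberos events named in this thread (4768, 4769, 4770) are arriving from each DC. This is an added example, not part of the original posts or Cisco's guidance; the subscription name is a placeholder and the one-hour window is an assumption.

```powershell
# Run in an elevated PowerShell session on the WEF collector (the member server).
$SubscriptionName = 'DC-Kerberos-Events'   # placeholder: use your own subscription name
$LogName          = 'ForwardedEvents'      # change to Application or System if the
                                           # subscription's destination log was changed
$KerberosIds      = 4768, 4769, 4770       # TGT request, service ticket request, ticket renewal
$Since            = (Get-Date).AddHours(-1)

# Subscription settings (the LogFile field is the destination log) and
# per-source runtime status (whether each DC is currently forwarding).
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName

# Pull the forwarded Kerberos events. Get-WinEvent raises an error when
# nothing matches, so treat that case as an empty result.
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = $KerberosIds
        StartTime = $Since
    } -ErrorAction Stop
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# For forwarded events, MachineName is the originating DC, so this shows
# which DCs are delivering which event IDs.
$events |
    Group-Object -Property Id, MachineName |
    Sort-Object -Property Name |
    Select-Object -Property Count, Name

# Flag any expected event ID that did not arrive at all in the window.
foreach ($id in $KerberosIds) {
    if (-not ($events | Where-Object { $_.Id -eq $id })) {
        Write-Warning "No event $id in '$LogName' since $Since"
    }
}
```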
09-06-2017 11:41 AM
hslai, thanks for the information. Will keep the lines of communication open with TAC.