Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1938
Views
0
Helpful
1
Replies

ISE passiveID and WMI clarification

Go to solution
Netgizmo86
Level 1
Level 1

‎08-10-2021 01:30 PM

Hi All,

  I am trying to find following information and so far didn't find anything in the documentation.

Any pointer you can provide will be apprecaited

 

  1. On which node passiveID service needs to be activated i.e. PSN or PAN ? If we have distributed cluster does is it make sense to have it enabled on servers in two different DCs for high availability?
  2. Does ISE pull information from AD or it is pushed down from AD? how often does this happen and how will it affect AD performance? We are concerned it might degrade AD performance
  3. Do DCs share authetication events between them? For example if DC1 authenticates User1 will DC2 know about it? Also how long this session lasts
  4. Does ISE pull information for all users or only users/groups of interest defined by identity Policy e.g if we have 100 ADs will ISE poll all AD servers to find which server autheticated user?

Regards,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-10-2021 11:22 PM

Hi @Netgizmo86,

1. Passive ID is part of the sub-roles on PSN. Since you said you have distributed cluster, it has to be enabled on PSNs only. If you have large distributed deployment, you must not enable any other role on PAN and MnT nodes. Yes, for me it make sense to enable it on multiple nodes.

2. WMI is designed for someone to connect to AD, not the other way round. ISE will use WMI to connect to AD and to pull data from DCs. This is basically reading of certain security events from given DCs. Regarding frequency, I'm not sure about it, as I too never found some extensive documentation about it. Either way, it is not expected to have some huge load on DCs because of this.

3. Afaik, they don't. Security events on one DC does not get replicated on another. This is the reason why you need to manually add all DCs to which your users might logon. ISE will then go to each of them, reading logon and logoff events. There is no session duration as such - ISE is reading login and logoff events from DC, building the knowledge of certain user.

4. ISE will read info about all logon/logoff events on DC. If it is there, it will be displayed in ISE. You can filter unwanted data by using Mapping Filters.

I found very usefull session/lab from Cisco Live, which covers this integration in details.

BR,

Milos

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-10-2021 11:22 PM

Hi @Netgizmo86,

1. Passive ID is part of the sub-roles on PSN. Since you said you have distributed cluster, it has to be enabled on PSNs only. If you have large distributed deployment, you must not enable any other role on PAN and MnT nodes. Yes, for me it make sense to enable it on multiple nodes.

2. WMI is designed for someone to connect to AD, not the other way round. ISE will use WMI to connect to AD and to pull data from DCs. This is basically reading of certain security events from given DCs. Regarding frequency, I'm not sure about it, as I too never found some extensive documentation about it. Either way, it is not expected to have some huge load on DCs because of this.

3. Afaik, they don't. Security events on one DC does not get replicated on another. This is the reason why you need to manually add all DCs to which your users might logon. ISE will then go to each of them, reading logon and logoff events. There is no session duration as such - ISE is reading login and logoff events from DC, building the knowledge of certain user.

4. ISE will read info about all logon/logoff events on DC. If it is there, it will be displayed in ISE. You can filter unwanted data by using Mapping Filters.

I found very usefull session/lab from Cisco Live, which covers this integration in details.

BR,

Milos

0 Helpful
Customers Also Viewed These Support Documents