
ISE-PIC not receiving active sessions — only 5–6 users every few hours

GHOZLANE Haroun
Level 1

Hi Dears,

I am facing an issue with Cisco ISE-PIC not receiving active user sessions as expected — I only see around 5 or 6 users every two or three hours.

Environment details:

  • ISE-PIC Version: 3.4 (Patch 3 installed and licensed)

  • Setup: Two ISE-PIC agents installed on intermediate Windows servers (not directly on the domain controllers, as per client restriction)

  • These Windows servers are joined to the domain

  • The domain controllers are a mix of Windows Server 2016 and 2019

  • I am using the same service account to:

    • Join ISE-PIC to the domain

    • Log in to the Windows servers where the ISE-PIC agents are installed

    • Integrate the ISE-PIC agents with the domain controllers

The client has refused to install the agents directly on the domain controllers.

I would appreciate your advice on the following points:

  1. How can I further verify that WMI communication is functioning correctly and that ISE-PIC is actually retrieving user logon/logoff events, given that I have already confirmed the domain controllers are logging these events?

  2. Are there any best practices or recommended alternatives when agents cannot be installed on domain controllers?

  3. Can I use other protocols (for example, MSRPC) instead of WMI for session collection, especially when the agents are installed on intermediate servers rather than on domain controllers?

Any guidance, recommended checks, or experience sharing would be greatly appreciated.

Thanks in advance 


Thanks a lot for your feedback and for sharing the End-of-Life documentation.

I understand that ISE-PIC will remain supported until 2027, so it’s still a valid solution for now; next we will migrate to ISE.

I’d like to clarify one point regarding the setup — since the client doesn’t allow installing the ISE-PIC agent directly on the domain controllers, I’ve installed it on intermediate Windows servers that are domain-joined.

Can you please confirm if the ISE-PIC agent can still collect user-to-IP mappings via RPC in this type of setup, or is it mandatory to install the agents directly on the domain controllers?

If RPC is supported, could you please share any guidance on how to troubleshoot whether the issue is on the Active Directory side or within ISE-PIC when active sessions are not being received as expected?

Regards

Eventing using the agent is the correct path forward: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216512-configure-evt-based-identity-services-en.html

What are you using ISE-PIC for? What’s the use-case?

Thanks ahollifield,

Thanks for the link.

We want to use it to collect active sessions so they can be shared in FMC for identity-based policies. Is it mandatory to install the agent on the domain controllers, or can we install it on an intermediate server?

Regards

Why not upgrade to 7.6 and use the FMC native integration? Again, this completely removes the need for ISE-PIC.

FMC version is 7.6.2 and FTD version is 7.4.3. Please can you share the document for that?

Thanks very much,

That is the last FTD version supported by 2110 appliances.

Regards