ISE-PIC not seeing Windows Logon events

Russell Rockett
Level 1

I'm trying to set up ISE-PIC 2.7 to replace the older Firepower User Agent software. I've followed the install how-to and the PassiveID setup wizard. On the Providers pane I see my DCs all listed with an "UP" status (green check mark). But I've only ever gotten a single session showing in ISE.


If I look at the event viewer on any of the DCs then I see LOTS of 4624 "Logon" events that correspond to granted kerberos tickets.  So I know the event auditing is working properly, it just doesn't seem that ISE is reading these events.  (Again, I saw a single session pop-up once, so it isn't that ISE is unable to talk to the DCs -- it feels like a filter criteria issue to me)


I did notice that the verbose logging for the Agents (currently not using the Agents, but did try at one point to see if they had a different result) seemed to imply that they were watching for 4768 & 4770 events. While I'd include those in my "what to watch for" list, I wouldn't make it exclusively those two events (I normally use 4624, 4768, 4769, and 4770 when looking for auths, especially since I see all the 4624 logon events). Does anyone know which event IDs ISE-PIC is looking for (and which channels it is looking for them in)?


Has anyone else had an issue where ISE-PIC just wasn't seeing active sessions (and if you have, can you give pointers on what your fix[es] were)?


I'm currently running ISE-PIC 2.7 with the Active Directory providers in WMI mode.  I've tried both 2.7 & 3.0, and both of them with AD in WMI & Agent modes.  The setup is always smooth, and I can get my subscribers connected -- I just don't have a good session directory because ISE doesn't seem to see the active sessions on the DCs.  I see walkthroughs all over the place talking about how easy it is, and I'm sure that's normally true.  But I'm starting to have trouble with the old Firepower User Agent and would love to get this tested so I can justify getting the licenses in place and then get rid of the old agent.

1 Reply

purchasing
Level 1

While you've listed the codes (and are mostly correct), it is actually an issue with the Audit Policy not being fully set.  This is something that isn't covered (at all) in the ISE/PIC documentation.


Check out the very well crafted answer over here:
https://community.cisco.com/t5/network-access-control/ise-passiveid-and-wmi-pulling/m-p/3928476/highlight/true#M457053
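The following PowerShell script is an added example for both posts above; it is not code from the thread, from Cisco, or from the linked answer. It checks the three things the question and the reply turn on: whether the audit subcategories that emit 4624/4768/4769/4770 are actually set to audit Success on the DC, how many of those events the DC wrote in a recent window (with the user and client address from the 4768 TGT requests, which is what a collector keying on that event would turn into a session), and whether a given account can read the Security log over WMI, the path a WMI-mode provider uses. Assumptions: the event-ID-to-subcategory mapping follows Microsoft's audit policy documentation, the collector reads the Security log over WMI as in the poster's WMI-mode setup, and the `auditpol` part is run elevated on the DC itself. `-Credential` (the PassiveID service account) only works against a remote DC, since WMI refuses explicit credentials for local connections.

```powershell
# Added example (not from the thread or from Cisco). Run elevated on a DC, or
# point -ComputerName at a remote DC. Assumes the ID-to-subcategory mapping
# below (from Microsoft's audit policy docs) and a WMI-mode collector.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC whose Security log to read
    [int]$Minutes = 15,                           # look-back window
    $Credential                                   # optional PSCredential: the collector's service account
)

# Event IDs named in the thread and the audit subcategory that emits each one.
$eventMap = @{
    4624 = 'Logon'                                # account logon (interactive, network, ...)
    4768 = 'Kerberos Authentication Service'      # TGT requested
    4769 = 'Kerberos Service Ticket Operations'   # service ticket requested
    4770 = 'Kerberos Service Ticket Operations'   # ticket renewed
}

function Get-AuditSetting {
    # auditpol /r prints CSV; 'Inclusion Setting' is "Success", "Success and Failure" or "No Auditing".
    param([string]$Subcategory)
    $row = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv | Select-Object -First 1
    return $row.'Inclusion Setting'
}

function Test-AuditPolicy {
    # SuccessAudited must be True or the matching event IDs never reach the Security log.
    foreach ($sub in ($eventMap.Values | Sort-Object -Unique)) {
        $setting = Get-AuditSetting -Subcategory $sub
        [pscustomobject]@{
            Subcategory    = $sub
            Setting        = $setting
            SuccessAudited = [bool]($setting -match 'Success')
        }
    }
}

function Get-RecentAuthEvents {
    param([string]$Computer, [int]$Minutes)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$eventMap.Keys
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    try {
        Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; report that as an empty set.
        if ($_.Exception.Message -match 'No events were found') { @() } else { throw }
    }
}

function Get-EventField {
    # Read a named EventData field from the event XML; more stable than Properties[] indexes.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-WmiSecurityLogRead {
    # Reads one 4768 record via Win32_NTLogEvent, the same DCOM/WMI path a WMI-mode
    # collector uses. A failure here is a permissions/firewall problem, not audit policy.
    param([string]$Computer, $Credential)
    $wmiArgs = @{
        ComputerName = $Computer
        Class        = 'Win32_NTLogEvent'
        Filter       = "Logfile='Security' AND EventCode=4768"
        ErrorAction  = 'Stop'
    }
    if ($Credential) { $wmiArgs.Credential = $Credential }
    try { $null = Get-WmiObject @wmiArgs | Select-Object -First 1; $true } catch { $false }
}

Write-Host "Audit policy on $env:COMPUTERNAME (run this part on the DC itself):"
Test-AuditPolicy | Format-Table -AutoSize

$events = Get-RecentAuthEvents -Computer $ComputerName -Minutes $Minutes
Write-Host "Matching Security events on $ComputerName in the last $Minutes minutes:"
$events | Group-Object Id | Sort-Object Name |
    Select-Object @{n='Id';e={$_.Name}}, Count, @{n='Subcategory';e={$eventMap[[int]$_.Name]}} |
    Format-Table -AutoSize

# Most recent TGT requests: user, domain and client address are what a collector
# watching 4768 would map into a user-to-IP session.
$events | Where-Object Id -eq 4768 | Select-Object -First 10 | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = Get-EventField $_ 'TargetUserName'
        Domain = Get-EventField $_ 'TargetDomainName'
        Client = Get-EventField $_ 'IpAddress'
        Status = Get-EventField $_ 'Status'     # 0x0 means the ticket was issued
    }
} | Format-Table -AutoSize

$who = if ($Credential) { $Credential.UserName } else { 'current user' }
Write-Host ("Security log readable over WMI as {0}: {1}" -f $who,
    (Test-WmiSecurityLogRead -Computer $ComputerName -Credential $Credential))
```

Usage: save as `Test-PassiveIdSources.ps1` and run it on a DC as `.\Test-PassiveIdSources.ps1 -Minutes 30`, or from a management host as `.\Test-PassiveIdSources.ps1 -ComputerName dc01 -Credential (Get-Credential)` with the PassiveID service account. If `Test-AuditPolicy` shows `No Auditing` for Kerberos Authentication Service but 4624 events are plentiful, the DC is in exactly the state the reply describes: logon auditing is on, Kerberos auditing is not, so a collector keyed on 4768/4770 sees nothing even though the event viewer looks busy. If the audit rows are fine and the event counts are non-zero but the WMI read fails under the service account, look at DCOM/WMI permissions and Event Log Readers membership on the DC rather than at the collector's filters.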