04-03-2018 04:43 AM - edited 02-21-2020 10:52 AM
Customer would like to use ISE passive identity to control access to Data Center resources in conjunction with Firepower Threat Defense.
ISE passive identity (full ISE being used not PIC) would need to monitor 83 domain controllers and push, via pxGrid, identity mappings to 3 FMCs.
There are approximately 160,000 AD users. We don’t have any information on peak logins per second.
We are looking for design guidance as follows:
04-03-2018 07:15 AM
Jinesh,
A single PSN running PassiveID would be able to handle those controllers. The scale limit is 100 in total using either the agent or WMI. The current scaling guidelines for ISE outline the maximum number of subscribers, but you are well under that with only 3. PassiveID looks for logon events regardless of the security groups the user is a member of. However, we do have the ability to configure mapping filters, but that is only on a per-user basis today.
Regards,
-Tim
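To make the behaviour Tim describes concrete (PassiveID builds user-to-IP mappings from domain controller logon events for every user, with filtering available only per user, not per group), here is an added illustration of that mapping logic. It is example code written for this thread, not Cisco ISE or PassiveID code, and it does not model the real WMI/agent collection path. It uses the Windows security log "successful logon" event (event ID 4624), but the sample events below are constructed and flattened into a simplified key=value layout; real records carry many more fields. The per-user exclusion set stands in for the mapping filter mentioned above and is an assumption about shape, not ISE's actual filter syntax.

```python
from dataclasses import dataclass

# Constructed sample events (not real DC log output). Real 4624 events are
# EVTX/XML records; only the fields needed for a mapping are modelled here.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.20.30.40 LogonType=3",
    "EventID=4624 TargetUserName=WS-0123$ TargetDomainName=CORP IpAddress=10.20.30.41 LogonType=3",
    "EventID=4624 TargetUserName=mjones TargetDomainName=CORP IpAddress=10.20.30.42 LogonType=2",
    "EventID=4634 TargetUserName=jsmith TargetDomainName=CORP IpAddress=- LogonType=3",
    "EventID=4624 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.20.30.43 LogonType=3",
    "EventID=4624 TargetUserName=jsmith TargetDomainName=CORP IpAddress=- LogonType=5",
]

LOGON_EVENT_ID = "4624"  # Windows Security: "An account was successfully logged on"


@dataclass(frozen=True)
class IdentityMapping:
    """One IP-to-user binding of the kind a passive identity source publishes."""
    ip: str
    user: str  # DOMAIN\user


def parse_event(line):
    """Turn a flattened key=value event line into a dict (simplified format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_machine_account(name):
    """Computer accounts in AD end in '$' and should not become user mappings."""
    return name.endswith("$")


def build_mappings(lines, excluded_users=frozenset()):
    """Derive IP -> user mappings from logon events.

    Every successful interactive/network logon with a usable source IP is
    mapped, regardless of the user's group membership; the only filtering
    offered is the per-user exclusion set (hypothetical stand-in for a
    per-user mapping filter). The most recent logon from an IP wins.
    """
    mappings = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != LOGON_EVENT_ID:
            continue  # logoffs, Kerberos ticket events, etc. are ignored here
        user = ev.get("TargetUserName", "")
        ip = ev.get("IpAddress", "-")
        if is_machine_account(user) or ip in ("-", "", "::1", "127.0.0.1"):
            continue  # no endpoint address to bind, or not a human/service user
        qualified = f"{ev.get('TargetDomainName', '')}\\{user}"
        if qualified in excluded_users:
            continue
        mappings[ip] = qualified
    return mappings


def as_records(mappings):
    """Convert the dict into the dataclass records a consumer (e.g. an FMC) would receive."""
    return [IdentityMapping(ip=ip, user=user) for ip, user in sorted(mappings.items())]


if __name__ == "__main__":
    for rec in as_records(build_mappings(SAMPLE_EVENTS, excluded_users={"CORP\\svc_backup"})):
        print(f"{rec.ip:<15} -> {rec.user}")
```

Running it shows the two effects from the answer: jsmith and mjones are mapped without any group check, and svc_backup disappears only because it was excluded by name. Note also that logons without a source address (the LogonType 5 service logon here) produce no mapping at all, which is a common reason a user appears in the DC log but never in the identity feed.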
04-03-2018 05:14 AM
Moved to pic community