
ISE PIC

jineshrd
Cisco Employee

Customer would like to use ISE passive identity to control access to Data Center resources in conjunction with Firepower Threat Defense.

ISE passive identity (full ISE being used not PIC) would need to monitor 83 domain controllers and push, via pxGrid, identity mappings to 3 FMCs.

There are approximately 160,000 AD users.  We don’t have any information on peak logins per second.

We are looking for design guidance as follows:

  1. Would a single PSN be able to handle the AD monitoring and pxGrid distribution requirements?  If not, any guidance on how many PSNs would be recommended?
  2. Do we have any more detailed scaling guidelines other than the data sheet?
  3. Is there any way to configure WMI events for specific user groups?

Accepted Solutions

Timothy Abbott
Cisco Employee

Jinesh,

A single PSN running PassiveID would be able to handle those controllers.  The scale limit is 100 in total using either the agent or WMI.  The current scaling guidelines for ISE outline the maximum number of subscribers, but you are well under that with only 3.  PassiveID looks for logon events regardless of security groups the user is a member of.  However, we do have the ability to configure mapping filters, but that is only on a per-user basis today.

Regards,

-Tim


Jason Kunst
Cisco Employee

Moved to PIC community
