
Passive ID 403 forbidden in packet capture.

Greetings,

We are trying to set up Passive ID and it worked fine in a test AD/env. Now, trying to set it up in production, we see a 403 forbidden being sent from ISE to the agent.

Now, our domain admins will not give us accounts, so they installed the agent.

When we register the agent, it still requires a username/password. Is this needed, or can it be any account? I can't find much documentation on getting the agent to register correctly. Since the capture is encrypted, I'm unsure what, if any, username is being sent by the agent.

Thanks,

Accepted Solutions

hslai
Cisco Employee

Please engage Cisco TAC on this, if not already done, as TAC may help gather more debug logs and recreate the issue.

The credentials for the DC are entered for each DC at the DC configuration pages.

5 Replies

Charlie Moreton
Cisco Employee

Yes, the username and password are required.  The credentials you supply in ISE should match the credentials used when installing the agent on the DC.  Here's the section on the Passive ID Agent Settings from the Admin Guide:

Cisco Identity Services Engine Administrator Guide, Release 2.2

From the linked manual

select the agent you created from the dropdown list, enter the user name and password credentials if you created any for the agent, and click Save. The agent is enabled for the domain controller and the dialog box closes.


This sounds like the username/password is unneeded if one is not set up on the agent, but is a required field in ISE.


ISE is not failing adding the agent, but the agent is logging a 403 forbidden error when trying to communicate with ISE.

Have you entered the same credentials on both sides?

I asked the domain admin and he said there was no prompt for any credentials, just run the installer and it installed.

Where/how would I see what credentials the agent has?
