12-07-2017 07:09 AM
We want to do PassiveID, but due to various reasons we cannot install the agent onto DCs or employ WMI. We do have a member Windows log server that the DCs send all their logs to. Can we install the agent onto that member server to review the centralized DCs' logs for PassiveID? If not, I know that there is an option to use SPAN on Kerberos messages and syslog via MSAD DHCP. What have you used or recommended when installing the agent onto DCs or using WMI is not an option for PassiveID?
Thanks!
12-08-2017 07:36 AM
The agent will only look to monitor domain controllers in the deployment. When you join ISE or PIC to AD, it will know which servers are DCs. So even though you are forwarding all the security event logs to a member server, that member server is not an actual DC so it will not be an option for the Agent or WMI probe to monitor.
Your only options would be Kerberos SPAN or to forward security event logs via syslog to ISE or PIC while using a custom template.
Regards,
-Tim
12-12-2017 12:46 PM
Thanks, Tim. Let's say that we go with the syslog route using a custom template. Are there any existing ISE deployments that are successfully using that setup for PassiveID with AD?
12-12-2017 12:55 PM
I know there are some that are considering using that as an option but I'm not aware of any currently in production.
Regards,
-Tim