Greg Gibbs
Cisco Employee

PassiveID in a distributed AD environment

Hi Team,


We have a large enterprise customer that is using Wired EAP-TLS machine authC and wants to supplement the user identity using PassiveID for purely visibility purposes (not trying to combine the two credentials for authZ like 'EAP Chaining'). They are not using user certs due to various issues with enrollment, SaaS services like O365 installing new user certs and breaking EAP-TLS, etc.

Their AD environment is widely distributed and they have 20+ RODCs that perform the AD logon functions for remote branch PCs.

Am I correct in assuming that, if they want to use PassiveID, all distributed Domain Controllers would need to be configured for either WMI or with the Agent to share logon info with the centralised ISE cluster? Are there any other caveats or validated design aspects with this type of PassiveID implementation?

Accepted Solution
paul
Advocate

That is correct. All domain controllers that authenticate users will need to be monitored by ISE WMI or DC agent installed on the domain controllers. ISE supports up to 100 domain controllers I believe.

Ideally you could use a forwarded event server, but unfortunately the forwarded events go to a different log (forwarded events vs. security events) and ISE WMI or the DC agent don't know how to deal with that.

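A coverage check for the point made above, added here as an example and not part of the thread or of any Cisco tooling: it inventories every DC in the forest (RODCs included) and counts recent logon events in each DC's local Security log versus its ForwardedEvents log, so the list of DCs that must carry a WMI or DC-agent provider can be verified. It assumes the RSAT ActiveDirectory module, rights to read remote event logs, and uses event IDs 4768 and 4624 as representative logon events (an assumption, not the full PassiveID event list).

```powershell
# Added example (not from the thread): list every DC, including RODCs, and count
# recent logon events in each DC's *local* Security log versus its ForwardedEvents
# log. A DC with logon events in Security must be monitored directly (WMI or DC
# agent); events that only reach a collector's ForwardedEvents log are not picked up.
# Assumptions: RSAT ActiveDirectory module, rights to read remote event logs, and
# event IDs 4768 (Kerberos TGT request) and 4624 (logon) as the events of interest.
Import-Module ActiveDirectory

$since    = (Get-Date).AddHours(-24)
$eventIds = 4768, 4624

function Get-LogonEventCount {
    param([string]$Computer, [string]$LogName)
    try {
        $filter = @{ LogName = $LogName; Id = $eventIds; StartTime = $since }
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop
        return @($events).Count
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as zero.
        # Access denied or an unreachable host also lands here, reported as -1.
        if ($_.Exception.Message -match 'No events were found') { return 0 }
        return -1
    }
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        [pscustomobject]@{
            Domain          = $domain
            HostName        = $dc.HostName
            Site            = $dc.Site
            ReadOnly        = $dc.IsReadOnly
            SecurityLogons  = Get-LogonEventCount -Computer $dc.HostName -LogName 'Security'
            ForwardedLogons = Get-LogonEventCount -Computer $dc.HostName -LogName 'ForwardedEvents'
        }
    }
}

# Every DC with SecurityLogons > 0 authenticated users locally and needs a provider.
$report | Sort-Object Domain, HostName | Format-Table -AutoSize
$uncovered = @($report | Where-Object { $_.SecurityLogons -gt 0 })
"DCs that authenticated users in the last 24h (must be monitored): $($uncovered.Count)"
```

Compare the HostName column of the DCs with non-zero SecurityLogons against the PassiveID providers configured on the ISE cluster; any DC missing from that list is a visibility gap.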
Jason Kunst
Cisco Employee

Sounds right, I believe it should work but it's not something tested. I have forwarded this to our SME as well.
