PassiveID in a distributed AD environment

Greg Gibbs
Cisco Employee

Hi Team,


We have a large enterprise customer that is using Wired EAP-TLS machine authC and wants to supplement the user identity using PassiveID for purely visibility purposes (not trying to combine the two credentials for authZ like 'EZC Chaining'). They are not using user certs due to various issues with enrollment, SaaS services like O365 installing new user certs and breaking EAP-TLS, etc.

Their AD environment is widely distributed and they have 20+ RODCs that perform the AD logon functions for remote branch PCs.

Am I correct in assuming that, if they want to use PassiveID, all distributed Domain Controllers would need to be configured for either WMI or with the Agent to share logon info with the centralised ISE cluster? Are there any other caveats or validated design aspects with this type of PassiveID implementation?

Accepted Solution

paul
Level 10

That is correct. All domain controllers that authenticate users will need to be monitored by ISE WMI or by the DC agent installed on the domain controllers. ISE supports up to 100 domain controllers, I believe.

Ideally you could use a forwarded event server, but unfortunately the forwarded events go to a different log (Forwarded Events vs. Security events) and the ISE WMI or DC agent don't know how to deal with that.

2 Replies

Jason Kunst
Cisco Employee

Sounds right. I believe it should work, but it is not something that has been tested. I have forwarded this to our SME as well.
