Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1534
Views
0
Helpful
1
Replies

SPAN session for every authenticating domain controller

Go to solution
benugent
Cisco Employee
Cisco Employee

‎02-13-2017 06:11 AM - edited ‎02-21-2020 10:31 AM

With Kerberos SPAN, wouldn’t we have to have a SPAN session for every authenticating domain controller in the environment?  Since there can only be two ISE-PIC nodes, that seems to eliminate that option (if my assumption’s correct).

Also, if we were to stand up a member server with the agent on it, does it need to be set up as an Event Log Collector and all the domain controllers configured with Event Log Forwarding to the member server?

Thank you,

Brian Crocker  bricrock

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎02-13-2017 07:08 AM

Brian,

You are correct that log forwarding would have to be setup to send logon messages to the member server running the agent.  You can do this with group policy.  Here is an article on how to do it.

PIC Kerberos SPAN is looking for specific events and I'm pretty sure that is regardless of authenticating domain controller.  The only requisites you need to enable Kerberos SPAN is to ensure the PassiveID service is running (which is by default in PIC) and to select the interface you are going to use to monitor for logon events.  If we need to discuss further, we can set up a meeting.

Regards,

-Tim

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎02-13-2017 07:08 AM

Brian,

You are correct that log forwarding would have to be setup to send logon messages to the member server running the agent.  You can do this with group policy.  Here is an article on how to do it.

PIC Kerberos SPAN is looking for specific events and I'm pretty sure that is regardless of authenticating domain controller.  The only requisites you need to enable Kerberos SPAN is to ensure the PassiveID service is running (which is by default in PIC) and to select the interface you are going to use to monitor for logon events.  If we need to discuss further, we can set up a meeting.

Regards,

-Tim

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents