cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1612
Views
0
Helpful
1
Replies

SPAN session for every authenticating domain controller

benugent
Cisco Employee
Cisco Employee

With Kerberos SPAN, wouldn’t we have to have a SPAN session for every authenticating domain controller in the environment?  Since there can only be two ISE-PIC nodes, that seems to eliminate that option (if my assumption’s correct).

Also, if we were to stand up a member server with the agent on it, does it need to be set up as an Event Log Collector and all the domain controllers configured with Event Log Forwarding to the member server?

Thank you,

Brian Crocker  bricrock

1 Accepted Solution

Accepted Solutions

Timothy Abbott
Cisco Employee
Cisco Employee

Brian,

You are correct that log forwarding would have to be setup to send logon messages to the member server running the agent.  You can do this with group policy.  Here is an article on how to do it.

PIC Kerberos SPAN is looking for specific events and I'm pretty sure that is regardless of authenticating domain controller.  The only requisites you need to enable Kerberos SPAN is to ensure the PassiveID service is running (which is by default in PIC) and to select the interface you are going to use to monitor for logon events.  If we need to discuss further, we can set up a meeting.

Regards,

-Tim

View solution in original post