02-13-2017 06:11 AM - edited 02-21-2020 10:31 AM
With Kerberos SPAN, wouldn’t we have to have a SPAN session for every authenticating domain controller in the environment? Since there can only be two ISE-PIC nodes, that seems to eliminate that option (if my assumption’s correct).
Also, if we were to stand up a member server with the agent on it, does it need to be set up as an Event Log Collector and all the domain controllers configured with Event Log Forwarding to the member server?
Thank you,
Brian Crocker bricrock
02-13-2017 07:08 AM
Brian,
You are correct that log forwarding would have to be set up to send logon messages to the member server running the agent. You can do this with group policy. Here is an article on how to do it.
PIC Kerberos SPAN is looking for specific events and I'm pretty sure that is regardless of authenticating domain controller. The only requisites you need to enable Kerberos SPAN is to ensure the PassiveID service is running (which is by default in PIC) and to select the interface you are going to use to monitor for logon events. If we need to discuss further, we can set up a meeting.
Regards,
-Tim
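The forwarding arrangement Tim describes, as an added example that is not part of the thread and is not Cisco's own tooling: a source-initiated Windows Event Forwarding subscription on the member server that hosts the agent, so every domain controller pushes its logon events to one place without a per-DC SPAN session. The collector name (pic-agent01.example.local), the subscription name, and the event IDs in the query (4624, 4768, 4770, chosen as typical logon and Kerberos ticket events) are assumptions; take the authoritative event list from the ISE-PIC agent documentation.

```powershell
# Added example (not from the thread): collector-side Windows Event Forwarding setup
# for the member server that runs the ISE-PIC agent. Run in an elevated PowerShell
# session on that server. Assumed names: pic-agent01.example.local, ISE-PIC-DC-Logons.

$SubscriptionName = 'ISE-PIC-DC-Logons'
$CollectorFqdn    = 'pic-agent01.example.local'   # assumption: the agent's member server

# 1. Configure the Windows Event Collector service and make sure WinRM is listening.
wecutil qc /q
winrm quickconfig -q

# 2. Source-initiated subscription: DCs push matching Security events to the collector.
#    Event IDs are an assumption (typical logon / Kerberos ticket events); the SDDL in
#    AllowedSourceDomainComputers limits forwarding sources to Domain Controllers (DC).
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>DC logon events for the ISE-PIC agent (added example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4624 or EventID=4768 or EventID=4770)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath

# 3. Value that the group policy setting "Configure target Subscription Manager"
#    (Computer Configuration > Administrative Templates > Windows Components >
#    Event Forwarding) pushes to every DC. Set it through GPO; it is shown here so the
#    check in step 4 has something concrete to compare against.
$SubscriptionManagerValue = "Server=http://${CollectorFqdn}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

# 4. Run on a DC: confirm the policy value landed. NETWORK SERVICE on the DC must also be
#    able to read the Security log (membership in Event Log Readers is the usual way).
function Test-PicSubscriptionManager {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { return $false }
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    return [bool]($values -match 'SubscriptionManager/WEC')
}

# 5. Run on the collector: show per-DC runtime status and confirm events are arriving
#    in the ForwardedEvents log the agent is pointed at.
function Test-PicForwarding {
    param([string]$Name = $SubscriptionName)
    wecutil gr $Name                       # lists each source DC as Active / Inactive
    $recent = Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue
    return (@($recent).Count -gt 0)
}
```

Source-initiated mode is the fit for this question: adding a domain controller later means only that the GPO applies to it, with no change on the collector. Restricting AllowedSourceDomainComputers to the Domain Controllers group keeps arbitrary domain members from injecting logon events into the feed the agent trusts. None of this is needed for the Kerberos SPAN option, which reads the events off the mirrored interface instead of the forwarded log.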