ISE Passive ID Preferred Options/Scalability

paul
Level 10

All,

I wanted to put some of my thoughts down on ISE Passive ID and confirm what I am thinking as we lay this out for customers.  Please let me know if I have anything incorrect or am missing something.

I am listing the Passive ID options in order of how I would prefer to implement them:

Option #1- Agent Installed on Each DC

Advantages

  1. Only requires elevated privilege account to install the agent.  i.e. no persistent service account needed.
  2. Removes polling requirements from the PSNs.
  3. No WMI modifications on the DCs. (registry settings, CIMv2 modifications, etc.)

Disadvantages

  1. Requires the installation of a service on the DCs which some customers may not like the idea of.

Scalability and Performance

Can scale up to 100 DCs.  In terms of performance, I would think this would be the middle performer of the 3.  The workload is offloaded from the PSNs, but I have 1:1 feeds coming into the PSNs from the agents.

Option #2- WMI Queries from the PSNs

Advantages

  1. No services required on the DCs.

Disadvantages

  1. Requires elevated privilege service account.  Account in Domain Admins is the simplest, but that won't fly with many customers especially if you ask for a non-expiring password service account.
  2. WMI modifications on the DCs. (registry settings, CIMv2 modifications, etc.)
  3. PSNs have to perform the polling work adding load to the PSNs.

Scalability and Performance

Can scale up to 100 DCs.  In terms of performance, I would think this would be the worst performer out of the 3 options as the PSNs have to do all the work.

Option #3- Agent on Member Servers Polling up to 10 DCs Each

Advantages

  1. No services required on the DCs.
  2. Aggregate information at a 10:1 ratio before feeding the data into ISE.

Disadvantages

  1. Requires elevated privilege service account.  Account in Domain Admins is the simplest, but that won't fly with many customers especially if you ask for a non-expiring password service account.
  2. WMI modifications on the DCs. (registry settings, CIMv2 modifications, etc.)
  3. Need member servers provisioned for this role at a 10:1 ratio.

Scalability and Performance

Can scale up to 100 DCs.  In terms of performance, I would think this is the best performance since it is aggregating the data so the PSNs have less data sources to deal with.

1 Accepted Solution

Timothy Abbott
Cisco Employee

Paul,

You wouldn't need to deploy an agent on each DC.  The agent can monitor up to 10 controllers whether the agent is installed on the controller or a member server.  Since the agent is running on a trusted source, you don't need elevated account privileges.  That would only be true for the WMI probe because the server would need to be configured for remote monitoring.  Here are all 3 options in order of efficiency:

1:  Agent (either member or controller) - up to 100 controllers

2: WMI - up to 100 controllers

3: Kerberos SPAN - Zero touch / point-in-time only / no history

Regards,

-Tim

Tim,

All member servers are allowed to automatically WMI poll DCs for security logs? Or how is the member server getting the security logs from the DCs?

In other solutions even when you deploy agents on member servers they need AD credentials to make WMI calls to the DCs.

I am sure I am missing something.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
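The thread leaves open what a remote poller actually needs on the DC side, and it never spells out how the raw Security-log events become the user-to-IP bindings that Passive ID consumes. The script below is an added example (not Cisco's code, not from any post above, and not a description of how the ISE agent or WMI probe is implemented internally). It does a plain DCOM/WMI read of `Win32_NTLogEvent` from each DC with a low-privilege service account, then reduces Kerberos TGT (4768) and logon (4624) events to the latest user/IP binding per pair, which is the aggregation step Option #3 relies on. Everything it assumes is labelled: the polling account is in the DCs' built-in "Event Log Readers" group, has "Remote Enable" on the `root\cimv2` namespace and DCOM remote launch/activate rights (none of which is Domain Admins); the 4768/4624 insertion-string positions are those of Server 2008 R2 and later; the sample records at the bottom are constructed so the parsing and merge run offline.

```powershell
<#
 Added example. Assumptions not stated on the page: the polling account is a
 member of "Event Log Readers" on each DC, has Remote Enable on root\cimv2 and
 DCOM remote launch/activate; insertion-string offsets are Server 2008 R2+;
 the $sample records below are constructed, not captured.
#>

# Poll each DC's Security log over DCOM/WMI for 4768 and 4624 events.
# Access-denied errors here almost always mean one of the three rights above is missing.
function Get-DcLogonEvent {
    param(
        [Parameter(Mandatory)] [string[]]     $DomainController,
        [Parameter(Mandatory)] [pscredential] $Credential,   # low-privilege service account, not a Domain Admin
        [int] $MinutesBack = 5
    )
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-$MinutesBack))
    $dcom  = New-CimSessionOption -Protocol Dcom
    foreach ($dc in $DomainController) {
        try {
            $s = New-CimSession -ComputerName $dc -Credential $Credential -SessionOption $dcom -ErrorAction Stop
            Get-CimInstance -CimSession $s -ClassName Win32_NTLogEvent -Filter `
                "Logfile='Security' AND (EventCode=4768 OR EventCode=4624) AND TimeGenerated>='$since'"
            Remove-CimSession $s
        } catch {
            Write-Warning ("{0}: {1} (check Event Log Readers, root\cimv2 Remote Enable, DCOM rights)" -f $dc, $_.Exception.Message)
        }
    }
}

# Turn one Win32_NTLogEvent-shaped record into a user -> IP binding, or nothing.
# Machine accounts (name ends in '$') and non-IPv4 / loopback addresses are dropped.
function ConvertTo-IdentityBinding {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $s = $Event.InsertionStrings
        switch ([int]$Event.EventCode) {
            4768 { $user = $s[0]; $domain = $s[1]; $ip = if ($s.Count -gt 9)  { $s[9] }  else { '' } }   # TargetUserName, TargetDomainName, IpAddress
            4624 { $user = $s[5]; $domain = $s[6]; $ip = if ($s.Count -gt 18) { $s[18] } else { '' } }  # TargetUserName, TargetDomainName, IpAddress
            default { return }
        }
        $ip = $ip -replace '^::ffff:', ''   # Kerberos logs IPv4 clients as IPv4-mapped IPv6
        if ($user -match '\$$' -or $ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or $ip -eq '127.0.0.1') { return }
        [pscustomobject]@{ User = "$domain\$user"; IP = $ip; Event = [int]$Event.EventCode
                           Source = $Event.ComputerName; Time = $Event.TimeGenerated }
    }
}

# Keep only the most recent binding per (user, IP): this is the 10:1 style
# reduction a member-server poller can do before anything is forwarded.
function Merge-IdentityBinding {
    param([Parameter(ValueFromPipeline)] $Binding)
    begin   { $latest = @{} }
    process {
        $key = "$($Binding.User)|$($Binding.IP)"
        if (-not $latest.ContainsKey($key) -or $latest[$key].Time -lt $Binding.Time) { $latest[$key] = $Binding }
    }
    end     { $latest.Values | Sort-Object Time }
}

# Constructed sample records shaped like Win32_NTLogEvent output (not real data).
$now = Get-Date
$sample = @(
    [pscustomobject]@{ ComputerName='DC01'; EventCode=4768; TimeGenerated=$now.AddMinutes(-4)
        InsertionStrings=@('alice','CORP','S-1-5-21-1','krbtgt','S-1-5-21-2','0x40810010','0x0','0x12','2','::ffff:10.1.2.3','51234') }
    [pscustomobject]@{ ComputerName='DC01'; EventCode=4624; TimeGenerated=$now.AddMinutes(-3)
        InsertionStrings=@('S-1-0-0','-','-','0x0','S-1-5-21-3','WS01$','CORP','0x1a2b','3','Kerberos','Kerberos','-','{0}','-','-','0','0x0','-','10.1.2.3','51235') }
    [pscustomobject]@{ ComputerName='DC02'; EventCode=4624; TimeGenerated=$now.AddMinutes(-1)
        InsertionStrings=@('S-1-0-0','-','-','0x0','S-1-5-21-1','alice','CORP','0x1a2c','3','Kerberos','Kerberos','WS01','{0}','-','-','0','0x0','-','10.1.2.3','51240') }
)

# Offline run: two alice events collapse to one binding; the WS01$ machine logon is dropped.
$sample | ConvertTo-IdentityBinding | Merge-IdentityBinding | Format-Table User, IP, Event, Source, Time

# Live run (needs network reachability and the rights listed at the top):
# Get-DcLogonEvent -DomainController 'dc01','dc02' -Credential (Get-Credential) |
#     ConvertTo-IdentityBinding | Merge-IdentityBinding
```

Two practical notes. First, `Get-CimInstance` with a WQL filter is a full scan of the Security log on the DC for every poll, which is the "PSNs have to do all the work" cost from Option #2 made visible; narrowing `TimeGenerated` is what keeps it tolerable. Second, because the account only needs Event Log Readers plus namespace and DCOM rights, the "Domain Admins with a non-expiring password" objection in Options #2 and #3 is avoidable for the raw WMI read itself; whether a given product accepts such an account is a separate question this page does not answer.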
