Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
5197
Views
4
Helpful
0
Comments

Setting up PassiveID in ISE 2.2

Timothy Abbott
Cisco Employee
Cisco Employee

on ‎02-27-2017 10:49 AM

ISE 2.2 introduced new features and enhancements to PassiveID.  Here is a quick guide to help you get PassiveID setup and working quickly with Active Directory.

Begin by enabling the PassiveID service

Navigate Administration -> Deployment -> Node.  To share identity information over pxGrid, you will want to enable that as well.

2017-02-27_11-46-11.png

Use the PassiveID Work Center

Once the service starts, you can access the PassiveID features in the work center:

2017-02-27_11-56-35.png

Begin PassiveID configuration

From here, you have the ability to start configuring PassiveID.  To get set up quickly, you can use the PassiveID wizard which will walk you through the steps necessary to configure and AD provider.  Alternatively, you can configure other providers manually by clicking the "Providers" menu item at the top. To view any PassiveID information, select "Dashboard" on the left.

2017-02-27_12-09-32.png

Configure an AD provider

To begin configuring and AD provider, start by clicking the "Providers" menu item at the top.  Give your AD instance a name and the domain you are going to monitor.

2017-02-27_12-22-39.png

Select your AD previously configured AD instance:

2017-02-27_12-24-08.png

Then select the PassiveID tab:

2017-02-27_12-24-36.png

Click "Add DCs" and select the controller you want to monitor, then click OK.  You should now have a domain controller selected for use with PassiveID.  Now you must choose the method in which you will monitor the controller or member server.  For this you have three options:

1. AD Agent

2. WMI

3. Kerberos SPAN

You can configure an Agent or WMI from this screen:

2017-02-27_12-31-58.png

To have ISE automatically configure the controller to be monitored using WMI, select the domain controller you want and simply click "Config WMI."  To have ISE install an agent on the controller, click "Add Agent" and fill out the required information.  From the below screen, you have the ability to deploy a new agent or register an existing agent that was deployed manually.

2017-02-27_12-35-43.png

Once registered or deployed, ISE will begin monitoring AD for Windows logon events.  To view any session learned via PassiveID, click on "Overview" at the top, then select "Live Sessions" on the left.

2017-02-27_12-41-17.png

If you also have RADIUS configured, you will see those sessions as well as the ones learned via PassiveID.  The sessions created via PassiveID will have a "Show Actions" option instead of "Show CoA Actions" (RADIUS):

2017-02-27_12-44-01.png

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents