About csco11552159

csco11552159 · ‎09-24-2018

what if we deploy PSN to each "Site", witll ISE use site based DNS resolution to find all DC? we do have all site based DNS resolution. If ISE is using this way, it should be able to see all DC at the "site".

csco11552159 · ‎09-21-2018

checked with our AD admin, our DNS only resolve some of DC based on domain but ISE seems not to use API or similar cmd like" nltest /dclist:xxx.com" to resolve the DCs. if this is the case, PassiveID wont work for lots cases especially when large amount DCs in the enterprise. No one will display 100 DCs based on domain name ....

csco11552159 · ‎09-20-2018

Opened a ticket with TAC wait for some updates. Psn with passive ID enabled only see the "site" DC which are auto associated with. Passive wmi should see everything ..

csco11552159 · ‎09-20-2018

we saw the same result for other domains. it seems site impacted PassiveID DCs....

csco11552159 · ‎09-20-2018

Recently we are trying to add new DCs into PassiveID list to use WMI monitoring. The problems how ISE find the DCs, in our Dev environment, we found some DCs are missing from the list. and we have no way to add them. when use : nltest /dclist:dev We will see 4 DCs. But from PassiveID "Add Domain Controllers" list, cannot find all of them. Then we test our production DCs, we have same issues, some "site" DCs are totally missing. Is some kind reasons about DC"Site" ? How does ISE find all DCs available to add?

csco11552159 · ‎09-04-2018

i see. thank you. Do you know if there is a session limitation? Like Agent method, in the document mentions that each agent can monitor 10 ADs. Is there a limitation for WMI to monitor ADs ?

csco11552159 · ‎08-20-2018

Hi, do you know if i have PSN1 and PSN2 in same cluster, will both query same AD server? or PSN1 will query to AD1 and PSN2 query AD2? for remote Sites, how PSN query? still try to understand the traffic flow.

csco11552159 · ‎08-20-2018

Hi, if we are using WMI to monitor all our DCs( over 100 in 2 forests), the account we used for WMI has to change the password every year ..... Is there a way to do a bulk edit to update the password? 2nd question, we have local PSN cluster and DCs have site setup. once we enable WMI, will local PSN only contact local DC site? How does traffic sharing between multiple PSN in different cluster?

csco11552159 · ‎07-12-2018

so we have to change all our DC's registry to make it work ,right? will require the same setup for Server 16? thank you.

csco11552159 · ‎07-11-2018

thank you. so if we manually created these keys, we can try to avoid "Full control", right ? regarding the key is adding, for 64 bit is located at, right? HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} AppID = {76A64158-CB41-11D1-8B02-00600806D9B6}

csco11552159 · ‎07-11-2018

these 2 keys: HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

csco11552159 · ‎07-11-2018

i m following the PIC document: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01000.html#task_784A7… when we talk to our Corp Sec and ID team for changing registry key to allow our account with full control of DCOM/WMI key, they want to know the reason of the change. If we have Domain Admin account with read only access, will this do the work? anyone can explain why we need full control? this will be really help. thank you.

csco11552159 · ‎07-10-2018

thank you. i will send to FMC for now. hopefully some changes coming soon.

csco11552159 · ‎07-06-2018

hi John & Hsing-Tsu, So in order FMC to have correct User ID, port and IP mapping, TS-Agent directly send to FMC? like this: TS-Agent--->FMC ISE---(pxgrid)--->FMC the way we try to do is : TS-Agent--->ISE ----(pxgrid)--->FMC. We can use TS-Agent to send mapping to ISE, then we should easily send all ID mapping to FMC via pxgrid including regular mapping and TS ports mapping. this more make sense. Will this way work?

csco11552159 · ‎07-06-2018

Thank you. and on FMC, in this way will only keep the last user login.

csco11552159 · 09-24-2018

what if we deploy PSN to each "Site", witll ISE use site based DNS resolution to find all DC? we do ...

csco11552159 · 09-21-2018

checked with our AD admin, our DNS only resolve some of DC based on domain but ISE seems not to use ...

csco11552159 · 09-20-2018

Opened a ticket with TAC wait for some updates. Psn with passive ID enabled only see the "site" DC w...

csco11552159 · 09-20-2018

we saw the same result for other domains. it seems site impacted PassiveID DCs....

csco11552159 · 09-20-2018

Recently we are trying to add new DCs into PassiveID list to use WMI monitoring. The problems how IS...

csco11552159 · 09-04-2018

i see. thank you. Do you know if there is a session limitation? Like Agent method, in the document m...

csco11552159 · 08-20-2018

Hi, do you know if i have PSN1 and PSN2 in same cluster, will both query same AD server? or PSN1 wil...

csco11552159 · 08-20-2018

Hi, if we are using WMI to monitor all our DCs( over 100 in 2 forests), the account we used for WMI ...

csco11552159 · 07-12-2018

so we have to change all our DC's registry to make it work ,right? will require the same setup for S...

csco11552159 · 07-11-2018

thank you. so if we manually created these keys, we can try to avoid "Full control", right ? regardi...

csco11552159 · 07-11-2018

these 2 keys: HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}HKLM\Software\Classes\Wo...

csco11552159 · 07-11-2018

i m following the PIC document: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_gui...

csco11552159 · 07-10-2018

thank you.i will send to FMC for now. hopefully some changes coming soon.

csco11552159 · 07-06-2018

hi John & Hsing-Tsu,So in order FMC to have correct User ID, port and IP mapping, TS-Agent directly ...

csco11552159 · 07-06-2018

Thank you.and on FMC, in this way will only keep the last user login.

Date Registered	‎02-15-2015 07:01 PM
Date Last Visited	‎12-05-2018 11:00 AM
Total Messages Posted	97
Total Helpful Votes Received	32

Re: PassiveID add Domain Controller (mi...

Re: PassiveID add Domain Controller (mi...

Re: PassiveID add Domain Controller (mi...

Re: PassiveID add Domain Controller (mi...

PassiveID add Domain Controller (missin...

Re: ISE PIC WMI Questions

Re: ISE PIC WMI Questions

ISE PIC WMI Questions

Re: PIC identity mapping question about...

Re: PIC identity mapping question about...

Re: PIC identity mapping question about...

PIC identity mapping question about DCO...

Re: ISE cannot sent TS port range to FM...

Re: ISE cannot sent TS port range to FM...

Re: ISE cannot sent TS port range to FM...

Re: PassiveID add Domain Controller (missing DC)

Re: PassiveID add Domain Controller (missing DC)

Re: PassiveID add Domain Controller (missing DC)

Re: PassiveID add Domain Controller (missing DC)

PassiveID add Domain Controller (missing DC)

Re: ISE PIC WMI Questions

Re: ISE PIC WMI Questions

ISE PIC WMI Questions

Re: PIC identity mapping question about DCOM and WMI Registry key

Re: PIC identity mapping question about DCOM and WMI Registry key

Re: PIC identity mapping question about DCOM and WMI Registry key

PIC identity mapping question about DCOM and WMI Registry key

Re: ISE cannot sent TS port range to FMC

Re: ISE cannot sent TS port range to FMC

Re: ISE cannot sent TS port range to FMC