Timothy Abbott
Cisco Employee

General:

Q: What is the Cisco ISE Passive Identity Connector?

A: The Cisco ISE Passive Identity Connector is designed to gather authentication data from numerous sources of information in the data center, consolidate the authentication data into a single source of truth, and disseminate it to its subscribers.

Q: Why not have the subscribers gather the authentication data from all the sources in the data center?

A: That makes perfect sense with one or two systems gathering authentication data from the data center, but it does not scale. The Cisco ISE Passive Identity Connector minimizes the burden on the authentication servers in the data center and on the subscriber systems. It also minimizes the burden on the IT staff, who would otherwise have to configure the details of multiple authentication servers on each subscriber system, not to mention the different user interfaces and functionality that are bound to creep into the mix.

Q: How does the Cisco ISE Passive Identity Connector compare to the Cisco Identity Service Engine?

A: The Cisco ISE Passive Identity Connector is a subset of the functionality offered with the Cisco Identity Services Engine. The Cisco ISE Passive Identity Connector only supports the passive ID functionality contained in the Identity Services Engine.

Q: How does the Cisco ISE Passive Identity Connector compare to the Cisco Context Directory Agent?

A: The Cisco ISE Passive Identity Connector is designed to support a variety of authentication sources and to provide investment protection, since additional services become available by upgrading to the Cisco Identity Services Engine.

Q: I have the Cisco Identity Services Engine in production today. Does it support the passive identity capabilities contained in the ISE Passive Identity Connector?

A: Yes, the Cisco ISE Passive Identity Connector functionality is contained in the Cisco Identity Services Engine starting with version 2.2.

Q: Does the Cisco ISE Passive Identity Connector support RADIUS, guest, profiling, and posture functionality?

A: No, the Cisco ISE Passive Identity Connector does not offer any additional functionality beyond passive ID.

Q: How does the Cisco ISE Passive Identity Connector gather data from other servers in the data center?

A: The Cisco ISE Passive Identity Connector gathers information from the Microsoft Active Directory environment using Microsoft Windows Management Interface, an Active Directory Agent, or a SPAN port on a switch. The Cisco ISE Passive Identity Connector can also gather authentication information through syslog, a Citrix terminal server agent, and a custom API.

Q: What is the maximum number of sessions supported by the Cisco ISE Passive Identity Connector?

A: The Cisco ISE Passive Identity Connector can be licensed to support up to 300,000 sessions.

Q: Can the Cisco ISE Passive Identity Connector be clustered to scale beyond 300,000 sessions?

A: No, the Cisco ISE Passive Identity Connector is not capable of scaling by linking multiple machines together.

Q: How does the Cisco ISE Passive Identity Connector know when a user logs off?

A: The Cisco ISE Passive Identity Connector supports a Microsoft Windows user agent that will send a notification when the user logs off.

Microsoft Active Directory:

Q: What is the maximum number of Microsoft Active Directory domain controllers that the Cisco ISE Passive Identity Connector can support?

A: The Cisco ISE Passive Identity Connector is limited to a maximum of 100 domain controllers.

Q: What technologies can the Cisco ISE Passive Identity Connector leverage to gather authentication data from Microsoft Active Directory domain controllers?

A: The Cisco ISE Passive Identity Connector can leverage the Microsoft Windows Management Interface (WMI), an Active Directory (AD) Agent installed on a domain controller, an Active Directory (AD) Agent installed on a member server, or gather Kerberos data from a SPAN port on a switch.

Q: What are the advantages of installing an Active Directory Agent on a server that is a member of a given domain?

A: The Cisco ISE Passive Identity Connector can monitor up to 10 domain controllers when the Active Directory Agent is installed on a domain member server.

Q: What are the advantages of using the Microsoft WMI interface with the Cisco ISE Passive Identity Connector?

A: No software is installed on the domain controller when using the Microsoft WMI interface.

Q: What are the advantages of installing an Active Directory Agent directly on a domain controller?

A: The Active Directory Agent is self-contained. No traces of the agent remain should it be removed from the domain controller.

Q: When would it be beneficial to use a SPAN port in lieu of either Microsoft WMI or Active Directory Agent?

A: A SPAN port is recommended when the Microsoft Active Directory domain infrastructure is heavily burdened and is unable to support any additional load.

Q: How many SPAN ports are supported by the Cisco ISE Passive Identity Connector?

A: The Cisco ISE Passive Identity Connector supports one SPAN port when configured in standalone mode and two SPAN ports when configured in high availability mode.

Syslog Parser:

Q: Does the Cisco ISE Passive Identity Connector support both UDP and TCP syslogs?

A: Yes, the Cisco ISE Passive Identity Connector can consume both UDP and TCP syslogs.

Q: Does the Cisco ISE Passive Identity Connector support the creation of custom syslog templates?

A: Yes, the Cisco ISE Passive Identity Connector supports the use of custom syslog templates.

Q: Does the Cisco ISE Passive Identity Connector come with any syslog templates out of the box?

A: Yes, the Cisco ISE Passive Identity Connector supports the following templates out of the box: Cisco Access Control Server (ACS), Cisco Adaptive Security Appliance (ASA), Cisco Identity Services Engine (ISE), Aerohive, BlueCat, DHCPD, F5 VPN, Infoblox, Lucent QIP, MSAD DHCP, Nortel VPN, and Safe Connect NAC.

Q: Can the Cisco ISE Passive Identity Connector support different syslog headers?

A: Yes, both the header and the body of the syslog message can be customized as part of an individual syslog template with the Cisco ISE Passive Identity Connector.
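The answers above describe the parser in terms of per-source templates (a header pattern plus a body pattern for each syslog source) and a session table that is retired when a logoff notification arrives, as in the user-agent answer in the General section. The following is an added example, not Cisco's code and not ISE-PIC's actual template format, that models that design in a few dozen lines of Python: each hypothetical template pairs a header regex with a body regex, a match yields a login or logoff event, and replaying events in order maintains an IP-to-user mapping. The source names (vpnd, nacd), message layouts, and log lines are all constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SyslogTemplate:
    """One source's message format: a header pattern, a body pattern matched
    against what follows the header, and whether a match means login or logoff."""
    name: str
    header: re.Pattern
    body: re.Pattern
    event: str  # "login" or "logoff"


@dataclass(frozen=True)
class IdentityEvent:
    template: str
    event: str
    user: str
    ip: str


IPV4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
USER = r"(?P<user>[A-Za-z0-9._@\\-]+)"  # allows DOMAIN\user and user@realm forms

# Hypothetical templates. Two sources use different header styles on purpose:
# an RFC 3164-style "<PRI>Mon dd hh:mm:ss host app[pid]: " header and an
# RFC 5424-style "<PRI>1 timestamp host app - - - " header.
RFC3164_VPN = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ vpnd(?:\[\d+\])?: ")
RFC5424_NAC = re.compile(r"^<\d{1,3}>1 \S+ \S+ nacd - - - ")

TEMPLATES: List[SyslogTemplate] = [
    SyslogTemplate("example-vpn-login", RFC3164_VPN,
                   re.compile(r"^session opened user=" + USER + r" ip=" + IPV4 + r"$"), "login"),
    SyslogTemplate("example-vpn-logoff", RFC3164_VPN,
                   re.compile(r"^session closed user=" + USER + r" ip=" + IPV4 + r"$"), "logoff"),
    SyslogTemplate("example-nac-login", RFC5424_NAC,
                   re.compile(r"^login user=" + USER + r" ip=" + IPV4 + r"$"), "login"),
    SyslogTemplate("example-nac-logoff", RFC5424_NAC,
                   re.compile(r"^logout user=" + USER + r" ip=" + IPV4 + r"$"), "logoff"),
]


def parse_line(line: str) -> Optional[IdentityEvent]:
    """Try each template: the header must match first, then the body is matched
    against the remainder. A header match with a non-matching body is not a hit,
    so keepalives and other chatter from a known source are ignored."""
    for t in TEMPLATES:
        h = t.header.match(line)
        if not h:
            continue
        b = t.body.match(line[h.end():])
        if b:
            return IdentityEvent(t.name, t.event, b.group("user"), b.group("ip"))
    return None


def build_session_table(lines: List[str]) -> Dict[str, str]:
    """Replay events in order. A login binds ip -> user; a logoff removes the
    binding only when the user matches, so a stale logoff for an address that
    has since been reassigned to someone else does not drop the live session."""
    sessions: Dict[str, str] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.event == "login":
            sessions[ev.ip] = ev.user
        elif sessions.get(ev.ip) == ev.user:
            del sessions[ev.ip]
    return sessions


# Constructed sample log lines (not real device output).
SAMPLE_LOG = [
    "<134>Mar  3 10:15:02 vpn-gw1 vpnd[2211]: session opened user=CORP\\alice ip=10.20.0.15",
    "<134>Mar  3 10:15:09 vpn-gw1 vpnd[2211]: session opened user=CORP\\bob ip=10.20.0.16",
    "<134>Mar  3 10:15:10 vpn-gw1 vpnd[2211]: keepalive from 10.20.0.15",  # header matches, body does not
    "<14>1 2024-03-03T10:16:00Z nac-01 nacd - - - login user=carol@example.com ip=10.30.1.7",
    "<134>Mar  3 10:40:33 vpn-gw1 vpnd[2211]: session closed user=CORP\\alice ip=10.20.0.15",
    "<134>Mar  3 10:41:00 vpn-gw1 vpnd[2211]: session closed user=CORP\\mallory ip=10.20.0.16",  # user mismatch: ignored
    "random noise that matches nothing",
]

if __name__ == "__main__":
    for ip, user in sorted(build_session_table(SAMPLE_LOG).items()):
        print(f"{ip:<15} {user}")
```

Run as a script it prints the two sessions that are still live after the replay (bob on 10.20.0.16 and carol on 10.30.1.7); alice's session is retired by her logoff, and the mismatched logoff for 10.20.0.16 is ignored. Keeping header and body as separate patterns is what lets one parser consume sources with different header conventions, which is the customization the answer above describes.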

High Availability:

Q: Does the Cisco ISE Passive Identity Connector offer a high availability configuration?

A: Yes, the Cisco ISE Passive Identity Connector can be used in either a standalone configuration or as part of a high availability pair.

Q: Is the Cisco ISE Passive Identity Connector active / active or active / passive when operating in high availability mode?

A: The Cisco ISE Passive Identity Connector operates in high availability mode using an active / passive concept. The primary node is active with the secondary node as a hot standby.

Q: What is the maximum number of sessions that a Cisco ISE Passive Identity Connector can support when it is configured for high availability?

A: A Cisco ISE Passive Identity Connector licensed for up to 3,000 sessions will support 3,000 sessions in either standalone or high availability modes. A Cisco ISE Passive Identity Connector licensed for up to 300,000 sessions will support 300,000 sessions in either standalone or high availability modes.

Ordering / Upgrade:

Q: How is the Cisco ISE Passive Identity Connector offered?

A: The Cisco ISE Passive Identity Connector is offered in a virtual machine form factor.

Q: How is the Cisco ISE Passive Identity Connector licensed?

A: The Cisco ISE Passive Identity Connector license is for up to 3,000 sessions. There is an upgrade license for up to 300,000 sessions.

Q: Does Cisco offer the Cisco ISE Passive Identity Connector as a hardware solution?

A: No, the Cisco ISE Passive Identity Connector is only offered as a virtual machine. If you would like a hardware solution from Cisco, you would need to purchase the Cisco Identity Services Engine. The Cisco Identity Services Engine is offered either as a virtual or physical appliance.

Q: Can the Cisco ISE Passive Identity Connector be converted to the Cisco Identity Services Engine at a later point in time?

A: Yes, a Cisco ISE Passive Identity Connector licensed for 300,000 sessions may be joined to an existing Identity Services Engine cluster. A 300,000 session Cisco ISE Passive Identity Connector may be used as the basis for a new Identity Services Engine cluster by adding Identity Services Engine base licenses.

Comments
gbekmezi-DD
Level 5

Does ISE PIC have to be licensed for 300,000 sessions before it can be upgraded with base licenses to a standard ISE node? The Q&A on this topic is a little confusing to me.

Hi Timothy


Thank you for these FAQs. One additional question I have: how many different Microsoft AD domains can the ISE PIC handle in parallel, so that the DCs from different domains (not within the same forest) can be queried to authenticate users from these domains?


Thank you

Markus

Hi Timothy


Did you have the chance to check my question about the number of AD domains/forests that can be handled with one ISE-PIC? In the data sheet we can only see that 100 DCs are supported, but are they all from the same domain or from multiple domains?


Thanks

Markus

thomas
Cisco Employee

Please submit questions to the NAC Community board @ http://cs.co/nac-community

Fantas
Level 1

Hi,


How do I find ISE PIC SKU info if I want to buy a license?
