576 Views | 0 Helpful | 3 Replies

Passive ID with AD without installing the agent on every DC or using WMI

jwinnt
Level 1

We want to do PassiveID but, for various reasons, we cannot install the agent onto the DCs or employ WMI. We do have a member Windows log server that the DCs send all their logs to. Can we install the agent onto that member server to review the centralized DC logs for PassiveID? If not, I know that there is an option to use SPAN on Kerberos messages and syslog via MSAD DHCP. What have you used or recommended when installing the agent onto DCs or using WMI is not an option for Passive ID?


Thanks!

Accepted Solution

Timothy Abbott
Cisco Employee

The agent will only look to monitor domain controllers in the deployment. When you join ISE or PIC to AD, it will know which servers are DCs. So even though you are forwarding all the security event logs to a member server, that member server is not an actual DC, so it will not be an option for the Agent or WMI probe to monitor.

Your only options would be Kerberos SPAN or to forward security event logs via syslog to ISE or PIC while using a custom template.

Regards,

-Tim

3 Replies

Thanks Tim. Let's say that we go with the syslog route using a custom template. Are there any existing ISE deployments that are successfully using that setup for passive ID with AD?

I know there are some that are considering using that as an option but I'm not aware of any currently in production.

Regards,

-Tim
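The syslog route discussed above hinges on the custom template being able to pull a user name and a client address out of each forwarded security event, and on not binding an identity to events that carry no usable endpoint (machine accounts, local logons, failed logons). The following is an added example, not from this thread or from Cisco, that shows that extraction over constructed syslog lines in a simplified one-line-per-event layout: the event IDs 4624, 4768 and 4625 and the field labels are standard Windows Security event fields; the host names, users, addresses and line layout are made up for illustration.

```python
import ipaddress
import re

# Constructed sample of DC security events forwarded over syslog. Real
# forwarder output is tab-separated and a 4624 event carries two "Account Name"
# fields (subject and new logon); this layout is simplified for illustration.
SAMPLE_SYSLOG = """\
<13>Jun 10 09:12:01 dc01 MSWinEventLog 4624 Security Logon Type: 3 Account Name: alice Account Domain: CORP Source Network Address: 10.1.20.15
<13>Jun 10 09:12:03 dc01 MSWinEventLog 4624 Security Logon Type: 3 Account Name: WS-ALICE$ Account Domain: CORP Source Network Address: 10.1.20.15
<13>Jun 10 09:12:05 dc01 MSWinEventLog 4768 Security Account Name: bob Supplied Realm Name: CORP.EXAMPLE Client Address: ::ffff:10.1.30.7
<13>Jun 10 09:12:09 dc01 MSWinEventLog 4624 Security Logon Type: 3 Account Name: carol Account Domain: CORP Source Network Address: ::1
<13>Jun 10 09:12:11 dc01 MSWinEventLog 4625 Security Logon Type: 3 Account Name: mallory Account Domain: CORP Source Network Address: 10.1.40.9
"""

# 4624 = successful logon, 4768 = Kerberos TGT issued; 4625 (failed logon) is
# deliberately absent so a failed attempt never creates a user-to-IP binding.
SUCCESS_EVENTS = {"4624", "4768"}
EVENT_RE = re.compile(r"MSWinEventLog\s+(?P<event_id>\d+)\s+")
USER_RE = re.compile(r"Account Name:\s+(?P<user>\S+)")
IP_RE = re.compile(r"(?:Source Network Address|Client Address):\s+(?P<ip>\S+)")


def parse_mapping(line):
    """Return (user, ip) for a usable logon event, or None to skip the line."""
    m = EVENT_RE.search(line)
    if not m or m.group("event_id") not in SUCCESS_EVENTS:
        return None
    u, i = USER_RE.search(line), IP_RE.search(line)
    if not u or not i:
        return None
    user = u.group("user")
    if user.endswith("$"):
        return None  # machine account, not a user identity
    ip = i.group("ip")
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]  # Kerberos events log IPv4-mapped IPv6 addresses
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if addr.is_loopback or addr.is_unspecified:
        return None  # local or console logons carry no endpoint address
    return user, str(addr)


def build_sessions(text):
    """Fold forwarded events into the latest user seen per endpoint address."""
    sessions = {}
    for line in text.splitlines():
        result = parse_mapping(line)
        if result:
            user, ip = result
            sessions[ip] = user
    return sessions
```

Running `build_sessions(SAMPLE_SYSLOG)` yields only alice and bob: the machine account, the loopback logon and the failed logon are all dropped before any binding is made.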
