Cisco ISE Passive Identity Connector Data Sheet

Data Sheet

Updated: June 3, 2024

The Cisco® ISE Passive Identity Connector consolidates multiple sources of authentication data into a single source of truth. It simplifies the installation of Cisco security products, and it offloads work from key infrastructure.

Product overview

Username is a key element in determining access to a network. It can also help you alert users to potentially suspicious activity involving their devices, and it answers the all-important question of who is connected to your network.

The Cisco Identity Services Engine (ISE) Passive Identity Connector centralizes, consolidates, and distributes identity information, including IP addresses, MAC addresses, and usernames. At the same time it offloads work from key infrastructure such as Microsoft Active Directory.

Many servers on the network are active participants in user authentication. They take user credentials and either verify them or look them up in a dedicated repository such as Active Directory. Rather than being actively involved in user authentication, the Passive Identity Connector listens to the various authentication servers on the network. It centralizes the authentication information, becoming the single source of truth for its subscribers.

The Passive Identity Connector distributes the session identity information to other devices on the network that are natural consumers of such information. These devices include firewalls, web security appliances, and traffic analyzers. Using the Cisco Platform Exchange Grid (pxGrid), the Cisco ISE Passive Identity Connector can support up to 20 subscribers.

pxGrid enhancements in Cisco ISE 3.3 give a network administrator the ability to look into the network and locate the data needed to tune it. Network attributes are displayed in a form that customers can use directly, so they can run their network security more effectively and spend less time translating data.

In addition, two enhancements in the Cisco ISE 3.4 release strengthen the synergy between Cisco ISE and pxGrid.

1.     Customers can synchronize data from pxGrid Direct Connectors immediately. Before this release, Cisco ISE could pull a full database update from a connector at most once every 12 hours (typically once a week) and incremental updates at most once an hour (typically once a day). With immediate synchronization, an administrator can trigger a full or incremental update on demand instead of waiting for the next scheduled run.

2.     The external data source can now push updates to Cisco ISE as they occur. This feature, called pxGrid Direct Push, keeps Cisco ISE continuously synchronized without the lag of a polling interval: whenever a single record changes, the source sends that change to Cisco ISE immediately.

Features and benefits

Centralized information: Consolidates data from multiple authentication sources, so that systems needing authentication data no longer have to interact with every authentication source individually.

Improved performance: Relieves the load on often-overtaxed infrastructure by having a single system cache data for all other consumers of authentication data.

Syslog server support: Gathers authentication data from systems that emit syslog.

Active Directory support: Gathers authentication data from Active Directory through Windows Management Instrumentation (WMI).

Kerberos SPAN support: Gathers Active Directory authentication data from switches that can mirror Kerberos traffic to a SPAN port.

Endpoint probes: Detects when endpoints log off.

Active Directory agent: Gathers authentication data from up to 10 Microsoft Active Directory domain controllers per agent.

Support for custom APIs: Gathers authentication data from systems that publish through a custom interface.

Citrix Terminal Server support: Gathers authentication data from Citrix Terminal Server.

High availability: Supports active/passive redundancy.

Migration support: Customers may upgrade from the Cisco ISE Passive Identity Connector to Cisco ISE by adding the Passive Identity Connector node to an existing Cisco ISE cluster.

Virtual machine support: Supports KVM, VMware, and Hyper-V.

Scalability: Licensed for either 3,000 or 300,000 sessions to fit your organization.

Microsoft Active Directory integration

The Cisco ISE Passive Identity Connector can gather session data from many authentication servers on the network, but arguably none is more important than Microsoft Active Directory. The Passive Identity Connector can gather information from up to 100 domain controllers, using Windows Management Instrumentation (WMI), a Cisco Active Directory agent, a Switched Port Analyzer (SPAN) port, or syslog. WMI has the advantage of requiring no additional software on the domain controllers. The Active Directory agent can gather information from up to 10 domain controllers per agent; it requires no configuration changes on the domain controller and can be installed either on a domain controller or on a member server.

For those who want to limit the load on their Active Directory infrastructure, or who simply want a quick way to retrieve data without configuring Active Directory at all, the Cisco ISE Passive Identity Connector can gather session data from a SPAN port. The switch mirrors traffic to that port, and the Passive Identity Connector inspects the Kerberos exchanges in it, extracting the same user identity information that Active Directory records and binding it to the client's address. Because this is passive capture, it sees only the Kerberos traffic that actually crosses the mirrored link, so the SPAN source must cover the paths between clients and domain controllers.

Predefined and user-definable syslog parsers

There are numerous sources of identity on the network and countless ways to interface with them, far too many combinations to support one by one. The Cisco ISE Passive Identity Connector overcomes this by providing a generic syslog parser: customers point the syslog agents on their authentication servers at the Passive Identity Connector, which parses out the identity information.

The syslog parser supports a wide variety of message formats by using regular expressions to extract the authentication information from the messages that carry it. Different header types are handled the same way, with a regular expression for the header as well. In addition to the generic syslog parser, the Passive Identity Connector provides predefined parsers, including those for Cisco ISE, the Cisco Secure Access Control System (ACS), the Cisco Adaptive Security Appliance (ASA) VPN, Aerohive, BlueCat, Blue Coat, F5 VPN, InfoBlox, Lucent QIP, Nortel VPN, and Safe Connect.
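The following Python sketch is an added illustration of the two-layer scheme this section describes, and of the endpoint log-off handling listed under Features and benefits. It is not Cisco code and not the actual ISE-PIC parser: a header regex per syslog header style (RFC 3164 and RFC 5424 here) hands the message body to per-source message regexes, each of which must yield a user and an IP, and the results feed a live IP-to-user binding table. The log lines, event names, field names and hostnames are constructed for the example and do not reproduce any vendor's real format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Header layer: each pattern recognises one syslog header style and exposes
# the remainder as "body". Supporting a new header type means one new entry
# here, with no change to the message patterns below.
HEADER_PATTERNS = [
    # RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ (?:-|\[.*?\]) (?P<body>.*)$"),
    # RFC 3164 / BSD: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
    re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"),
]

# Shared sub-expressions; every message pattern must expose "user" and "ip".
IPV4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
USER = r"(?P<user>[A-Za-z0-9._\\@-]+)"

# Message layer: (event kind, regex). The message bodies these match are
# invented for this example and are not any vendor's real format.
MESSAGE_PATTERNS = [
    ("login",  re.compile(rf"\bevent=LOGIN\b.*\buser={USER}\b.*\bip={IPV4}\b")),
    ("logout", re.compile(rf"\bevent=LOGOUT\b.*\buser={USER}\b.*\bip={IPV4}\b")),
    ("login",  re.compile(rf"Session established for user {USER} at address {IPV4}")),
    ("logout", re.compile(rf"Session ended for user {USER} at address {IPV4}")),
]


@dataclass(frozen=True)
class IdentityEvent:
    kind: str       # "login" or "logout"
    user: str
    ip: str
    host: str       # reporting host taken from the syslog header
    timestamp: str  # timestamp taken from the syslog header


class PassiveIdentityParser:
    """Turns raw syslog lines into a live IP -> user binding table."""

    def __init__(self) -> None:
        self.bindings: dict[str, str] = {}
        self.unparsed: list[str] = []

    def parse_line(self, line: str) -> Optional[IdentityEvent]:
        for header in HEADER_PATTERNS:
            h = header.match(line)
            if h:
                break
        else:
            return None  # unknown header style: refuse rather than guess
        body = h.group("body")
        for kind, pattern in MESSAGE_PATTERNS:
            m = pattern.search(body)
            if m:
                return IdentityEvent(kind, m.group("user"), m.group("ip"),
                                     h.group("host"), h.group("ts"))
        return None

    def feed(self, line: str) -> Optional[IdentityEvent]:
        ev = self.parse_line(line)
        if ev is None:
            self.unparsed.append(line)  # keep for tuning new patterns
            return None
        if ev.kind == "login":
            self.bindings[ev.ip] = ev.user
        elif ev.kind == "logout" and self.bindings.get(ev.ip) == ev.user:
            # Only evict if the address still belongs to the user logging off;
            # a late logout must not remove a newer session on a reused IP.
            del self.bindings[ev.ip]
        return ev

    def user_for(self, ip: str) -> Optional[str]:
        return self.bindings.get(ip)


# Constructed sample input (hypothetical hosts, users and addresses).
SAMPLE_SYSLOG = [
    "<86>Jun  3 12:00:01 authsvc01 authd[412]: event=LOGIN user=CORP\\alice ip=10.20.30.40 method=krb",
    "<86>Jun  3 12:00:02 authsvc01 authd[412]: event=LOGIN user=bob ip=10.20.30.41 method=ldap",
    "<86>1 2024-06-03T12:00:05Z vpn-gw1 vpnd 1234 - - Session established for user carol at address 10.20.30.42",
    # A failed login carries a user and an IP but must not create a binding.
    "<86>Jun  3 12:00:06 authsvc01 authd[412]: event=LOGIN_FAILED user=mallory ip=10.20.30.43 reason=bad-password",
    "<86>1 2024-06-03T12:00:07Z vpn-gw1 vpnd 1234 - - Session ended for user carol at address 10.20.30.42",
    # Logout from a user who no longer owns the address: must not evict bob.
    "<86>Jun  3 12:00:08 authsvc01 authd[412]: event=LOGOUT user=dave ip=10.20.30.41",
]


def build_bindings(lines) -> PassiveIdentityParser:
    parser = PassiveIdentityParser()
    for line in lines:
        parser.feed(line)
    return parser


if __name__ == "__main__":
    p = build_bindings(SAMPLE_SYSLOG)
    for ip, user in sorted(p.bindings.items()):
        print(f"{ip:15} {user}")
    print(f"{len(p.unparsed)} line(s) not matched by any pattern")
```

Two design points carry over to any real deployment of this approach: a line that matches no pattern is recorded rather than force-fitted, because the failure mode of a loose regex is a wrong user-to-IP binding that every pxGrid subscriber then acts on, and a logout only clears a binding that the same user still holds, so out-of-order or duplicate logout messages cannot evict a newer session on a reused address.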

Application programming interface

The Cisco ISE Passive Identity Connector provides a REST API for applications that publish session data but do not use syslog.

Terminal server support

The Cisco ISE Passive Identity Connector provides the ability to gather session information from a Citrix terminal server environment by using an agent installed on the terminal server.

Standalone and high-availability configurations

The Cisco ISE Passive Identity Connector can operate standalone or be paired with a second virtual machine for high availability. In the high-availability configuration the pair runs active/passive, with the primary updating the secondary.

Hardware solutions

Customers looking for a hardware solution from Cisco may purchase the Secure Network Server (SNS) 3715, SNS 3755, or SNS 3795 appliances with Cisco ISE version 2.2 or later. Running as a dedicated Policy Service Node (PSN), the SNS 3715 supports up to 25,000 concurrent active endpoints (12,500 on a shared PSN), the SNS 3755 up to 50,000 (25,000 on a shared PSN), and the SNS 3795 up to 100,000 (50,000 on a shared PSN).

Upgrades to ISE

Customers may upgrade from the Cisco ISE Passive Identity Connector to Cisco ISE by adding the Passive Identity Connector node to an existing Cisco ISE cluster. Customers may also upgrade the Passive Identity Connector to a standalone Cisco ISE instance with the appropriate licenses. This is all accomplished through the installation of licenses and does not require any additional software to be installed. You can thus protect your investment as your business needs expand and do so without a substantial investment from the IT staff.

Product specifications

Maximum number of Microsoft Active Directory domain controllers supported using WMI or an Active Directory agent: 100

Maximum recommended number of domain controllers per Active Directory agent when the agent is installed on a domain controller: 1

Maximum recommended number of domain controllers per Active Directory agent when the agent is installed on a member server: 10

Maximum number of pxGrid subscribers: 20

Maximum number of nodes per Cisco ISE Passive Identity Connector cluster: 2

Maximum number of REST API providers: 50

Maximum number of syslog clients: 50

Maximum number of SPAN ports: 1 on a standalone machine, 2 in a high-availability cluster

System requirements

Hypervisor: VMware virtual hardware version 8 on ESXi 5.x, VMware virtual hardware version 11 (default) on ESXi 6.x, KVM on Red Hat Enterprise Linux 7.0, or Microsoft Hyper-V

CPU: 6 cores at 2.0 GHz or faster for up to 100,000 sessions; 8 cores at 2.0 GHz or faster for up to 300,000 sessions

Memory: 16 GB for up to 100,000 sessions; 64 GB for up to 300,000 sessions

Disk: Minimum 200 GB

Ordering information

The Passive Identity Connector Q&A will help you understand ISE passive identity and the licensing types that will best serve the needs of your organization. To place an order, visit the Cisco ordering homepage. To download the ISE Passive Identity Connector software, visit the Cisco Software Center.

R-ISE-PIC-VM-K9=: ISE Passive Identity Connector, 3,000-session virtual machine

L-ISE-PIC-UPG=: ISE Passive Identity Connector, upgrade to a maximum of 300,000 sessions

Warranty information

The Cisco ISE Passive Identity Connector carries a 90-day limited warranty. Warranty information can be found at: https://www.cisco.com/go/warranty.

Cisco and partner services

Cisco offers a wide range of service programs. These innovative programs are delivered through a combination of people, processes, tools, and partners that results in high levels of customer satisfaction. Cisco Services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Security Services. For more information, please visit https://www.cisco.com/go/services.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital® makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

How to buy

To view buying options and speak with a Cisco sales representative, visit https://www.cisco.com/c/en/us/buy.html.

For more information

For more information about the Cisco ISE solution, visit https://www.cisco.com/go/ise or contact your local account representative.

Document history

Cisco ISE Passive Identity Connector: Product overview revised, May 2024

 

 

 
