Active Directory Agents
From ISE-PIC, install the native 32-bit Domain Controller (DC) agent application on an Active Directory (AD) domain controller or on a member server (depending on your configuration) to retrieve user identity information from AD and send those identities to the subscribers you have configured. The Agent probe is a quick and efficient solution when using Active Directory for user identity information. Agents can be installed on a separate domain or on the AD domain; once installed, they send status updates to ISE-PIC once every minute.
The agents can either be automatically installed and configured by ISE-PIC, or you can install them manually. Upon installation, the following occurs:
- The agent and its associated files are installed at the following path: Program Files/Cisco/Cisco ISE PassiveID Agent
- A config file called PICAgent.exe.config is installed, indicating the logging level for the agent. You can manually change the logging level from within the config file.
- The CiscoISEPICAgent.log file stores all logging messages.
- The nodes.txt file contains the list of all nodes in the deployment with which the agent can communicate. The agent contacts the first node in the list. If that node cannot be contacted, the agent continues to attempt communication according to the order of the nodes in the list. For manual installations, you must open the file and enter the node IP addresses. Once installed (manually or automatically), you can only change this file by manually updating it. Open the file and add, change, or delete node IP addresses as necessary.
- The Cisco ISE PassiveID Agent service runs on the machine; you can manage it from the Windows Services dialog box.
- The Active Directory agents are only supported on Windows Server 2008 and higher. If you cannot install agents, use the Active Directory probe for passive identity services. For more information, see Active Directory as a Probe and a Provider.
Note: Even if you are running the AD agent on a member server, it still queries Active Directory for the login requests.
Automatically Install and Deploy Active Directory Agents
Before you begin
- Configure reverse lookup for the relevant DNS servers from the server side. For more information about the DNS server configuration requirements for ISE-PIC, see DNS Server.
- Ensure Microsoft .NET Framework is updated on the machine designated for the agents to a minimum of version 4.0. For more information about the .NET Framework, see https://www.microsoft.com/net/framework.
- Create an AD join point and add at least one domain controller. For more information about creating join points, see Active Directory as a Probe and a Provider. Use AD user groups for the AD, Agents, SPAN and Syslog probes. For more information about AD groups, see Configure Active Directory User Groups.
Procedure
Step 1: Choose .
Step 2: To add a new agent, click Add from the top of the table.
Step 3: To create the new agent and automatically install it on the host that you indicate in this configuration, select Deploy New Agent.
Step 4: Complete all mandatory fields in order to configure the client correctly. For more information, see Active Directory Agent Settings.
Step 5: Click Deploy.
Step 6: Choose to view all currently configured join points.
Step 7: Click the link for the join point from which you would like to enable the agent you created.
Step 8: Choose the Passive ID tab to configure the domain controllers that you added as part of the prerequisites.
Step 9: Select the domain controller that you would like to monitor with the agent you created and click Edit.
Step 10: From the Protocol drop-down list, select Agent.
Step 11: Select the agent you created from the Agent drop-down list. Enter the user name and password credentials of the agent that you created, and click Save. The user name and password credentials are used to install the agent on the domain controller. Finally, when you click Deploy, picagent.exe is copied from /opt/pbis/bin to the specified Windows machine.
Manually Install and Deploy Active Directory Agents
Before you begin
- Configure reverse lookup for the relevant DNS servers from the server side. For more information about the DNS server configuration requirements for ISE-PIC, see DNS Server.
- Ensure Microsoft .NET Framework is updated on the machine designated for the agents to a minimum of version 4.0. For more information about the .NET Framework, see https://www.microsoft.com/net/framework.
- Create an AD join point and add at least one domain controller. For more information about creating join points, see Active Directory as a Probe and a Provider. Use AD user groups for the AD, Agents, SPAN and Syslog probes. For more information about AD groups, see Configure Active Directory User Groups.
Procedure
Step 1: Choose .
Step 2: Click Download Agent to download the picagent-installer.zip file for manual installation.
Step 3: Place the zip file on the designated host machine and run the installation.
Step 4: From the ISE-PIC GUI, again choose .
Step 5: To configure a new agent, click Add from the top of the table.
Step 6: To configure the agent that you have already installed on the host machine, select Register Existing Agent.
Step 7: Complete all mandatory fields in order to configure the client correctly. For more information, see Active Directory Agent Settings.
Step 8: Click Save.
Step 9: Choose to view all currently configured join points.
Step 10: Click the link for the join point from which you would like to enable the agent you created.
Step 11: Choose the Passive ID tab to configure the domain controllers that you added as part of the prerequisites.
Step 12: Select the domain controller that you would like to monitor with the agent you created and click Edit.
Step 13: From the Protocol drop-down list, select Agent.
Step 14: Select the agent you created from the Agent drop-down list. Enter the user name and password to connect to the agent, and click Save. The user account must have the necessary permissions to read security events. A user account for a WMI-based agent must have WMI/DCOM permissions.
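After a manual install, the following PowerShell script (an added example, not part of this guide or of the agent software) checks the prerequisites listed above (.NET Framework 4.0 or later, working reverse DNS lookup) and the installation artifacts described at the top of this page: the files in the install directory, the agent service, the node order in nodes.txt, and recent log activity. The service display-name pattern '*PassiveID*' and the five-minute log-age threshold are assumptions.

```powershell
# Added example, not Cisco's own tooling: post-install checks for a manually
# deployed ISE-PIC agent host, run in an elevated PowerShell session on that host.
# Assumptions: paths and file names are those listed on this page; the service is
# located by display name, so the '*PassiveID*' pattern is an assumption.
$InstallDir = Join-Path $env:ProgramFiles 'Cisco\Cisco ISE PassiveID Agent'
$NodesFile  = Join-Path $InstallDir 'nodes.txt'
$LogFile    = Join-Path $InstallDir 'CiscoISEPICAgent.log'
$ConfigFile = Join-Path $InstallDir 'PICAgent.exe.config'

function Test-PicAgentHost {
    $r = [ordered]@{}
    # Prerequisite: .NET Framework 4.0 or later (this registry key exists only from 4.0 on).
    $r['DotNet4OrLater'] = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

    # Prerequisite: reverse lookup must work; check that this host's own IPv4 address has a PTR record.
    $selfIp = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    try   { $r['ReverseLookupForThisHost'] = [System.Net.Dns]::GetHostEntry($selfIp).HostName -ne $selfIp.IPAddressToString }
    catch { $r['ReverseLookupForThisHost'] = $false }

    # Installation artifacts named on this page must be present.
    foreach ($f in $ConfigFile, $LogFile, $NodesFile) { $r[(Split-Path $f -Leaf)] = Test-Path $f }

    # The agent service should exist and be running (manage it from the Windows Services dialog).
    $svc = Get-Service -DisplayName '*PassiveID*' -ErrorAction SilentlyContinue | Select-Object -First 1
    $r['ServiceRunning'] = ($null -ne $svc -and $svc.Status -eq 'Running')

    # nodes.txt lists ISE-PIC nodes in the order the agent tries them; for a manual
    # install it must be filled in by hand, so check it is non-empty and each node is reachable.
    if (Test-Path $NodesFile) {
        $nodes = @(Get-Content $NodesFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $r['NodeCount'] = $nodes.Count
        $i = 0
        foreach ($node in $nodes) {
            $i++
            $r["Node$i=$node Reachable"] = Test-Connection -ComputerName $node -Count 1 -Quiet
        }
    }

    # The agent reports status to ISE-PIC once a minute; a log that has not been
    # written to recently suggests it is not running or cannot reach any node.
    if (Test-Path $LogFile) {
        $age = (Get-Date) - (Get-Item $LogFile).LastWriteTime
        $r['LogWrittenInLast5Min'] = ($age.TotalMinutes -lt 5)
    }
    return $r
}

Test-PicAgentHost | Format-Table -AutoSize
```

Any row showing False points at the prerequisite or installation step above that still needs attention; a node that is unreachable but listed first will delay the agent, which only falls through to later entries after the earlier ones fail.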
Uninstall the Agent
Procedure
Step 1: From the Windows dialog, go to Programs and Features.
Step 2: Find and select the Cisco ISE PassiveID Agent in the list of installed programs.
Step 3: Click Uninstall.
Active Directory Agent Settings
Allow ISE-PIC to automatically install agents on a specified host in the network in order to retrieve user identity information from different Domain Controllers (DC) and deliver that information to ISE-PIC subscribers.
To create and manage agents, choose . See Automatically Install and Deploy Active Directory Agents.

Field Name | Description
---|---
Name | The agent name as you configured it.
Host | The fully qualified domain name of the host on which the agent is installed.
Monitoring | A comma-separated list of the domain controllers that the specified agent is monitoring.
Field | Description
---|---
Deploy New Agent or Register Existing Agent |
Name | Enter a name by which you can easily recognize the agent.
Description | Enter a description by which you can easily recognize the agent.
Host FQDN | The fully qualified domain name of the host on which the agent is installed (register existing agent) or is to be installed (automatic deployment).
User Name | Enter your user name in order to access the host on which to install the agent. ISE-PIC uses these credentials in order to install the agent for you. The user account must have permissions to connect remotely and install the PIC agent.
Password | Enter your user password in order to access the host on which to install the agent. ISE-PIC uses these credentials in order to install the agent for you.