This document describes how to configure and troubleshoot Identity Services Engine Passive Identity Connector (ISE PIC) deployment with Active Directory Windows Management Instrumentation (AD WMI) provider. ISE PIC is a lightweight ISE version which focuses on Passive ID features.
ISE PIC is a single ID solution for all Cisco Security Portfolio which uses passive identity only. It means that authorization or policies cannot be configured on ISE PIC. It supports different Providers (Agents, WMI, Syslog, API) and can be integrated via REST API. It has abilities to query endpoints (Is User logged in? Is endpoint still connected?)
Cisco recommends that you have basic knowledge of these topics:
Cisco Identity Service Engine
Microsoft Active Directory
The information in this document is based on these software and hardware versions:
Cisco Identity Service Engine Passive Identity Connector version 188.8.131.520
Microsoft Windows 7 Service Pack 1
Microsoft Windows Server 2012 r2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Maximum amount of nodes in ISE PIC deployment is 2. This example shows how to configure the ISE PIC deployment for High Availability, so 2 Virtual Machines (VMs) are used. In an ISE PIC deployment, nodes can have roles: Primary and Secondary. In this only one node can be Primary at a time and roles can only be changed manually through GUI. In case of Primary failure all features still run on Secondary except for UI. Only manual promotion to Primary enables the UI.
This example shows how to configure WMI Provider for Active Directory. WMI consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. WMI is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards from the Distributed Management Task Force (DMTF).
Note: More information about WMI can be found on official Microsoft site: About WMI
The information in the document uses the network setup shown in the image:
Login to PC and get authenticated on AD.
WMI notifies ISE PIC about this authentication.
ISE adds binding Username:IP_Address to its Session Directory.
ISE retrieves User's Groups and Attributes from AD.
ISE saves this information into its Session Directory.
Every 4 hours (not configurable) ISE PIC runs Endpoint Probe:
First it tries WMI to the Endpoint.
If WMI fails then ISE PIC runs ISEExec. It queries the Endpoint for the User and enable WMI for next time.
Also ISE PIC retrieves MAC address of the Endpoint and OS type.
On ISE PIC it is possible only to Enable/Disable Endpoint Probes. Primary node queries all the endpoints, Secondary node is for High Availability only.
Configure ISE PIC Deployment
Step 1 (Optional). Install Trusted Certificates.
Full chain of certificates of your Certificate Authority (CA) should be installed to ISE trusted store. Login to ISE PIC GUI and navigate to Certificates > Certificates Management > Trusted Certificates. Click Import and select your CA's certificate from your PC.
As shown in the image, click Submit to save changes. Repeat this step for all certificates of the chain. Repeat steps on the secondary node as well.
Step 2 (Optional). Install System Certificates.
Option 1. Certificates already generated by CA along with private key.
Navigate to Certificates > Certificates Management > System Certificates and click Import. Select Certificate File and Private Key File, enter the Password field if private key is encrypted.
As shown in the image check Usage options:
Note: Since ISE PIC is based on ISE code and can easily be converted to full-featured ISE with appropriate licenses, all usage options are available. Roles such as EAP Authentication, RADIUS DTLS, SAML and Portal are not used by ISE PIC.
Click Submit to install certificate. Repeat this procedure on a secondary node as well.
Note: All services on the ISE PIC node restarts after server certificate import.
Option 2. Generate Certificate Signing Request (CSR), sign it with CA and bind on ISE.
Navigate to Certificates > Certificates Management > Certificate Signing Requests page and click Generate Certificate Signing Requests (CSR).
Select the node and usage, enter the other fields if required:
Click Generate. New window pops up with an option to Export generated CSR:
Click Export, save generated *.pem file and sign it with CA. Once CSR is signed navigate back to Certificates > Certificates Management > Certificate Signing Requests page, select your CSR and click Bind Certificate:
Select the certificate which was signed with your CA and click Submit to apply changes:
All services on the ISE PIC node restart after you click Submit to install certificate.
Step 3. Add secondary node to the deployment.
ISE PIC allows to have 2 nodes in a deployment for High Availability. It does not require to have a two-way trust of certificates (comparing to usual ISE deployment). In order to add a secondary node to the deployment, navigate to Administration > Deployment page on your primary ISE PIC node, as shown in the image:
Enter Fully Qualified Domain Name (FQDN) of the secondary node, administrator credentials of that node and click Save. In case primary ISE PIC node is not able to verify admin certificate of the second node it asks for confirmation before it installs that certificate in trusted store.
In such case click Import Certificate and Proceed in order to join the node to the deployment. You should get a notification that the node is added successfully. All services on the secondary node restarts.
Within 10-20 minutes nodes should be synchronised and status of the node should change from
Configure Active Directory Providers
ISE PIC uses Windows Management Instrumentation (WMI) to collect information about sessions from AD and acts like a Pub/Sub communitation, which means:
ISE PIC subscribes to certain events
WMI alerts ISE PIC when those events occur:
4768 (Kerberos Ticket Granting) and 4770 (Kerberos Ticket Renewal)
Entries in Session Directory expire (Purge)
Step 1. Join ISE PIC to the domain.
In order to join ISE PIC to the domain, navigate to Providers > Active Directory and click Add:
Fill Join Point Name and Active Directory Domain fields and click Submit to save changes. Join Point Name is a name which is used in ISE PIC only. Active Directory Domain is the name of the domain where ISE PIC should be joined and it should be resolvable with DNS server configured on ISE PIC.
After creation of Join Point ISE PIC should ask you if you would like to join nodes to the domain. Click Yes. A window should pop up for you to provide credentials to join the domain:
Fill Domain Administrator and Password fields and click OK.
Even though the field is called Domain Administrator it is not necessary to use administrator user to join ISE PIC to the domain. This user should have sufficient privileges to create and remove machine accounts in the domain, or alter the passwords for previously created machine accounts. Active Directory account permissions required for performing various operations can be found in this document.
However it is requiredto use Domain Administrator credentials during join if you would like to use WMI. Config WMI option requires:
Permissions to use DCOM
Permissions to use WMI Remotely
Access to read the Security Event Log of the AD Domain Controlle
Windows Firewall must allow traffic from/to ISE PIC (corresponding Windows Firewall policies will be created during Config WMI)
Note: Store Credentials is always be enabled on ISE PIC since it is required for Endpoint Probes and WMI configuration. ISE stores them encrypted internally.
As shown in the image, ISE PIC shows the result of the operation in a new window:
Set Permissions When AD User in the Domain Admin Group
For Windows 2008 R2,Windows 2012, and Windows 2012 R2, the Domain Admin group does not have full control on certain registry keys in the Windows operating system by default. The Active Directory admin must give the Active Directory user Full Control permissions on the following registry key
Example of endpoint check from passive-endpoint.log (in this case the endpoint was unreacheable from ISE):
2017-02-23 13:48:29,298 INFO [EndPointProbe-Workers-Check-2] com.cisco.idc.endpoint-probe- [PsExec-10.48.26.51] is User=vkumov.local/Administrator Still There ? ...
2017-02-23 13:48:32,335 INFO [EndPointProbe-Workers-Check-2] com.cisco.idc.endpoint-probe- [PsExec-10.48.26.51] Identity check result is - > Endpoint UNREACHABLE
Common issue: ISE PIC throws "Unable to run executable on <DC name>..." error
If user which is used to join ISE PIC to the domain does not have enough permissions, ISE PIC throws a error during WMI configuration:
Appropriate debugs can be found at ad_agent.log file (Active Directory log level should be set to DEBUG):
26/02/2017 19:15:45,VERBOSE,139954093012736,SMBGSSContextNegotiate: state = 1,lwio/server/smbcommon/smbkrb5.c:460
26/02/2017 19:15:45,VERBOSE,139956055955200,Session 0x7f49bc001430 is eligible for reaping,lwio/server/rdr/session2.c:290
26/02/2017 19:15:45,VERBOSE,139954101405440,Error at ../../lsass/server/auth-providers/ad-open-provider/provider-main.c:7503 [code: C0000022],lsass/server/auth-providers/ad-open-provider/provider-main.c:7503
26/02/2017 19:15:45,VERBOSE,139954101405440,Extended Error code: 60190 (symbol: LW_ERROR_ISEEXEC_CP_OPEN_REMOTE_FILE),lsass/server/auth-providers/ad-open-provider/provider-main.c:7627
26/02/2017 19:15:45,VERBOSE,139954101405440,Error at ../../lsass/server/auth-providers/ad-open-provider/provider-main.c:7628 [code: C0000022],lsass/server/auth-providers/ad-open-provider/provider-main.c:7628
26/02/2017 19:15:45,VERBOSE,139954101405440,Error code: 5 (symbol: ERROR_ACCESS_DENIED),lsass/server/auth-providers/ad-open-provider/provider-main.c:7782
26/02/2017 19:15:45,VERBOSE,139954101405440,Error code: 5 (symbol: ERROR_ACCESS_DENIED),lsass/server/auth-providers/ad-open-provider/provider-main.c:7855
26/02/2017 19:15:45,VERBOSE,139954101405440,Error code: 5 (symbol: ERROR_ACCESS_DENIED),lsass/server/api/api2.c:2713
26/02/2017 19:15:45,VERBOSE,139956064347904,(session:ee880a4e15e682f4-08401b84f371a140) Dropping: LWMSG_STATUS_PEER_CLOSE,lwmsg/src/peer-task.c:625
26/02/2017 19:15:50,VERBOSE,139956055955200,RdrSocketRelease(0x7f496800b6e0, 38): socket is eligible for reaping,lwio/server/rdr/socket.c:2239
Actions to take: Re-join ISE PIC nodes to the domain with Domain Administrator credentials or add the user which is used for join operation to Domain Admins group in the AD.