The passive identity agent identity source
The passive identity agent identity source sends session data from Microsoft Active Directory (AD) to the Secure Firewall Management Center. All you need is a supported Microsoft AD setup as described in Realms and realm sequences.
Passive identity agent roles
The passive identity agent supports these roles: Standalone, Primary, and Secondary.
Note |
You do not need to configure the Cisco Identity Services Engine (ISE) to use this identity source. |
For more information on these roles, refer to About passive identity agent roles.
Passive identity agent system requirements
The passive identity agent supports Windows Server 2016, 2019, 2022, and 2025 on Active Directory servers, and Windows 11 or later on domain-joined Windows clients. The system time must be synchronized across the Secure Firewall Management Center, domain controllers, and the agent host.
Refer to Passive identity agent system requirements for more information.
Passive identity agent limitations
The passive identity agent has these limitations:
-
Up to 10 agents simultaneously
-
A single passive identity agent identity source monitors up to 50 AD directories
-
Up to 300,000 concurrent user sessions
-
IPv6 addresses are not supported (passive identity agent 1.0)
-
IPv6 addresses are supported (passive identity agent 1.1)
Deploy the passive identity agent
For information about deployment options, see Deploy the passive identity agent.
Note |
We recommend you use the latest version of the passive identity agent. To see the available versions, go to software.cisco.com. To upgrade the passive identity agent, see Upgrade the passive identity agent software. |





















Feedback