The Passive Identity Agent Identity Source
The passive identity agent identity source sends session data from Microsoft Active Directory (AD) to the Cisco Security Cloud Control. All you need is a supported Microsoft AD setup as discussed in About Realms and Realm Sequences.
Note |
You do not need to configure the Cisco Identity Services Engine (ISE) to use this identity source. |
Passive identity agent roles
The passive identity agent supports the following roles:
-
Standalone: A passive identity agent that is not part of a redundant pair. A standalone agent can download users and groups from multiple Active Directory servers and domain controllers, provided the software is installed on all of them.
-
Primary: (Primary agent in a redundant pair.) Can be installed on a Microsoft AD domain controller, directory server, or any network client.
Handles all communication with the Cloud-delivered Firewall Management Center unless it stops communicating, in which case communication is handled by secondary agents.
-
Secondary: (Secondary, or backup, agent in a redundant pair.) Can be installed on a Microsoft AD domain controller, directory server, or any network client.
Monitors the health of the primary agent and takes over if the primary agent stops communicating with the Cloud-delivered Firewall Management Center.
Passive identity agent system requirements
The passive identity agent requires the following:
-
If you install it on a Windows Active Directory server, the server must run Windows Server 2008 or later.
-
If you install it on a Windows client attached to the domain, the client must run Windows 8 or later.
-
The system clock on all systems must be synchronized. We strongly recommend using the same NTP servers on all of them. This means:
-
The Security Cloud Control.
For more information, see Configure NTP Server.
-
All Windows Active Directory servers and domain controllers.
-
The machine on which the passive identity agent is installed.
-
-
Security Cloud Control must run November 8, 2024 or later.
-
You must enable Snort 3 on the Secure Firewall Threat Defense devices.
Passive identity agent limitations
The passive identity agent the following limitations:
-
Up to 10 agents simultaneously
-
One passive identity agent identity source can monitor up to 50 AD directories
-
Up to 300,000 concurrent user sessions
-
IPv6 addresses are not supported
Deploy the passive identity agent
For information about deployment options, see Deploy the Passive Identity Agent.