Introduction

Cisco ISE’s PassiveID feature enables the Identity Services Engine (ISE) to gather identity information about users and devices on the network without directly participating in the authentication process. Instead of actively authenticating users, PassiveID passively collects information from other network components, such as domain controllers or security appliances, to identify users and devices as they connect to the network.

This feature is handy in scenarios where traditional 802.1X or MAB (MAC Authentication Bypass) methods are not feasible or where you want to monitor user activity without interrupting the user experience. PassiveID allows Cisco ISE to leverage existing authentication events, such as user logins to a Windows domain, to correlate network activity with specific users. This information can be used for policy enforcement, visibility, and reporting within ISE.

Using PassiveID, administrators can achieve higher network visibility and user identity tracking across the network, even in environments where not all devices support 802.1X authentication or where seamless user experience is a priority.

PassiveID Settings

When configuring PassiveID between ISE and Active Directory, certain audit settings and permissions need to be set so that ISE can read the security audit logs on the domain controllers. Recent versions of ISE let you enter your Domain Administrator credentials, and ISE will then configure these settings on your domain controller for you. However, you may want to know what changes you are allowing ISE to make to your domain controller before letting it do so. If so, this post is for you!

If you've ever configured Cisco Context Directory Agent (CDA), you're about to get a blast from the past, because the settings and permissions are almost exactly the same. The older Cisco ISE configuration guides from when this feature was first introduced even reference the CDA documentation and link to the CDA configuration guide.

If you would like to review the full CDA documented requirements, feel free to browse here:
http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_install.html

I'll go through the requirements to set up PassiveID between your ISE server and Active Directory:

  1. Make sure that you have network connectivity between your AD and ISE servers and that the ports referenced in the above configuration guide are open if there is a network or host firewall in the path.
  2. If you use a very old version of Windows Server, ensure the patches referenced in the CDA documentation are installed.
  3. Ensure the GPO's audit policy is correctly configured as detailed below.
  4. Ensure that the user you are using to establish the connection between the ISE server and the AD domain controller has sufficient permissions. The requirements differ for a Domain Admin and a non-Domain Admin account, and some changes are needed in either case. It's easier to do it with a Domain Admin account, since a regular Domain User account requires a lot of changes. Still, in environments with very tight RBAC requirements it might be necessary to keep that separation of duties and use a dedicated service account for the PassiveID integration. I will be using my Administrator account for my lab, but I'll go over the requirements for both Domain Admins and non-Domain Admins:
    1. For members of the Domain Admins group, take ownership of the following registry keys and give your domain admin account Full Control of them. It's pretty easy for a Domain Admin account.
       • HKEY_CLASSES_ROOT\CLSID\
       • HKLM\Software\Classes\Wow6432Node\CLSID\
    2. For non-members of the Domain Admins group, you will need to do the following:
      1. Have a Domain Admin give the user account Full Control permissions on the following registry keys:
         • HKEY_CLASSES_ROOT\CLSID\
         • HKLM\Software\Classes\Wow6432Node\CLSID\
      2. The user must have permission to use the DCOM on the domain controller.
        1. The admin can run the dcomcnfg tool from the CLI.
        2. Expand Component Services
        3. Expand Computers and click on My Computer
        4. Select Action from the menu bar, click on properties and click on COM Security
        5. Make sure the user account has Allow permissions for Access and Launch. The user account should be added to all four options (Edit Limits and Edit Default for both Access Permissions and Launch and Activation Permissions)
        6. Allow all Local and Remote access for both Access Permissions and Launch and Activation permissions
      3. The user account needs permissions on the WMI Root\CIMv2 namespace.
        1. Go to Start > Run and type wmimgmt.msc
        2. Right-click WMI Control and click Properties
        3. Under the Security tab, expand Root and choose CIMV2
        4. Click Security
        5. Add the user account and give the required permissions of Allow for Execute Methods, Enable Account and Remote Enable
      4. Access to Read the Security Event Log of the AD Domain controller – This can be done by adding the user to the Event Log Readers group in AD.
      5. For regular domain users to be used, certain registry keys need to be added manually to establish a valid connection between CDA and the domain controllers so that users' login authentication events can be retrieved. You can copy the following into a text file, rename it with a .reg extension and double-click it to make the registry changes:

         Windows Registry Editor Version 5.00

         [HKEY_CLASSES_ROOT\CLSID\]
         "AppID"=""

         [HKEY_CLASSES_ROOT\AppID\]
         "DllSurrogate"="  "

         [HKEY_CLASSES_ROOT\Wow6432Node\AppID\]
         "DllSurrogate"="  "

         The owner of the keys must be the user account. Also, make sure that you include two spaces in the value of the "DllSurrogate" key. Keep the empty line at the end of the script above.

    3. The Active Directory user used by PassiveID can be authenticated either with NTLMv1 or NTLMv2. You can verify this or manually set it in your GPO.

Open the Group Policy Management window. The following changes to the audit policy are required so that logon events are logged in a form PassiveID can consume. Make these changes to your GPO:

  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policies > Audit account logon events: check Define and Success
  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policies > Audit logon events: check Define and Success
  • Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon > Audit Kerberos Authentication Service: check Define and Success
  • Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon > Audit Kerberos Service Ticket Operations: check Define and Success
  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network Security: LAN Manager authentication level: Define and Send NTLM response only

After making those changes, close the domain policy. On the Group Policy Management window, right-click the policy you created and choose Enforced.

Go to the Start menu and type regedit to open the Registry Editor. There, take ownership of the following keys and give your Administrator account Full Control over them:

  • HKEY_CLASSES_ROOT\CLSID\
  • HKLM\Software\Classes\Wow6432Node\CLSID\

One thing to note: you should take ownership of these keys on every domain controller that users authenticate against, because PassiveID has to read the security event log of each of them.
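To check that a domain controller actually meets the prerequisites above before pointing ISE at it, here is an added PowerShell verification script (not from the original post and not part of Cisco's tooling). It assumes the RSAT ActiveDirectory module is installed on the DC, and the account name is a placeholder for the account ISE connects with.

```powershell
# Added example: verify the PassiveID prerequisites from this post on one domain controller.
# Run in an elevated PowerShell session on every DC that users authenticate against.
# Assumes the RSAT ActiveDirectory module is installed (for Get-ADGroupMember).
# DCOM Access/Launch limits from dcomcnfg are stored as binary descriptors and are not checked here.
$PassiveIdAccount = 'CONTOSO\svc-ise-passiveid'   # placeholder: the account ISE uses, not from the post
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Audit policy: the GPO settings must record Success audits for these subcategories.
foreach ($sub in 'Logon', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations') {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Success') { $findings.Add("Audit '$sub' does not record Success") }
}

# 2. Security event log access: direct or nested membership in Event Log Readers.
$sam = $PassiveIdAccount.Split('\')[-1]
$readers = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive | Select-Object -ExpandProperty SamAccountName
if ($sam -notin $readers) { $findings.Add("$PassiveIdAccount is not a member of Event Log Readers") }

# 3. Registry: the account must own, and hold an explicit Full Control ACE on, both CLSID keys.
$full = [System.Security.AccessControl.RegistryRights]::FullControl
foreach ($key in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID') {
    $acl = Get-Acl -Path $key
    if ($acl.Owner -ne $PassiveIdAccount) { $findings.Add("$key is owned by $($acl.Owner), not $PassiveIdAccount") }
    $hasFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $PassiveIdAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    if (-not $hasFull) { $findings.Add("$PassiveIdAccount lacks Full Control on $key") }
}

# 4. WMI root\cimv2: Enable Account (0x1), Execute Methods (0x2) and Remote Enable (0x20) must all be allowed.
$needed = 0x23
$sd = ([wmiclass]'root\cimv2:__SystemSecurity').GetSecurityDescriptor().Descriptor
$wmiAce = $sd.DACL | Where-Object {
    "$($_.Trustee.Domain)\$($_.Trustee.Name)" -eq $PassiveIdAccount -and
    $_.AceType -eq 0 -and (($_.AccessMask -band $needed) -eq $needed)   # AceType 0 = Allow
}
if (-not $wmiAce) { $findings.Add("$PassiveIdAccount lacks Enable Account/Execute Methods/Remote Enable on root\cimv2") }

if ($findings.Count -eq 0) { 'All checked PassiveID prerequisites are in place on this domain controller.' }
else { $findings | ForEach-Object { "MISSING: $_" } }
```

Rights granted only through group membership (for example a Domain Admin account inheriting Full Control via Administrators) are not resolved by the registry check, which looks for an explicit ACE as the post instructs.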

This is quite a bit of work to do manually, so thankfully, recent versions of ISE can automate it for you through the ISE dashboard.