Install the Passive Identity Agent Software

This task discusses how to install the passive identity agent software. For a simple installation, you can install it on your Microsoft Active Directory (AD) domain controller; for other options, see Deploy the Passive Identity Agent.

Before you begin

See Get an API Token for the Passive Identity Agent.

Make sure your systems meet the following requirements:

  • If you install it on a Windows Active Directory server, the server must run Windows Server 2008 or later.

  • If you install it on a Windows client attached to the domain, the client must run Windows 8 or later.

  • The system clock on all systems must be synchronized. We strongly recommend using the same NTP servers on all of them. This applies to:

    • Security Cloud Control.

      For more information, see Configure NTP Server.

    • All Windows Active Directory servers and domain controllers.

    • The machine on which the passive identity agent is installed.

  • Security Cloud Control must run November 8, 2024 or later.

  • You must enable Snort 3 on the Secure Firewall Threat Defense devices.
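
The host-side requirements above, checked from PowerShell before you start the installer. This is an added example, not Cisco's code: `ntp.example.com`, `fmc.example.com`, and the one-second offset tolerance are placeholders, and the installer signature check is an extra precaution the page does not list.

```powershell
# Added example: pre-flight checks for the machine that will host the agent.
# Assumes an elevated PowerShell 3.0+ session; run it as a script file.
param(
    [string]$InstallerPath = '.\CiscoPassiveIdentityAgentInstaller-1.0.msi',  # file name from Step 3
    [string]$NtpServer     = 'ntp.example.com',   # placeholder: your shared NTP server
    [string]$FmcAddress    = 'fmc.example.com',   # placeholder: value for "FMC FQDN / IP Address"
    [double]$MaxOffsetSec  = 1.0                  # assumed tolerance; the page gives no number
)
$results = [ordered]@{}

# Step 2: the installing user must be a member of Administrators (and elevated).
$me = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$results['Administrator'] = $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# OS floor: Windows Server 2008 is NT 6.0, Windows 8 is NT 6.2.
$os = Get-CimInstance Win32_OperatingSystem
$minimum = if ($os.ProductType -eq 1) { [version]'6.2' } else { [version]'6.0' }  # 1 = client
$results['OS version'] = ([version]$os.Version -ge $minimum)

# Clock: take one offset sample against the shared NTP server.
# Assumes w32tm prints the sample as "hh:mm:ss, +00.0123456s".
$sample = & w32tm.exe /stripchart /computer:$NtpServer /samples:1 /dataonly 2>&1 | Out-String
if ($sample -match ',\s*([+-]\d+\.\d+)s') {
    $offset = [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
    $results['Clock offset'] = ([math]::Abs($offset) -le $MaxOffsetSec)
} else {
    $results['Clock offset'] = $false   # no reply, or w32tm printed an error
}

# The agent accepts IPv4 addresses and FQDNs only, so reject an IPv6 literal.
$ip = $null
$isIPv6 = [Net.IPAddress]::TryParse($FmcAddress, [ref]$ip) -and
          $ip.AddressFamily -eq [Net.Sockets.AddressFamily]::InterNetworkV6
$results['FMC address not IPv6'] = -not $isIPv6

# Installer integrity: the Authenticode signature must validate; review the signer yourself.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
$results['Installer signature'] = ($sig.Status -eq 'Valid')
"Signer: $($sig.SignerCertificate.Subject)"

$results.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
if (@($results.Values) -contains $false) { exit 1 }
```

The clock check covers only the local machine; repeat it on each domain controller, and confirm NTP on Security Cloud Control separately.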

Procedure


Step 1

Download the passive identity agent from software.cisco.com.

Step 2

Log in as a member of the Administrators group to the machine on which to install the passive identity agent.

Step 3

Double-click CiscoPassiveIdentityAgentInstaller-1.0.msi.

Step 4

Click Next.

Step 5

Choose a folder in which to install the passive identity agent and click Next.

The default installation folder is Program Files\Program Files (x86)\Cisco\Cisco Passive Identity Agent.

Step 6

Click Next.

Step 7

Click Install.

Step 8

When the installation is done, click Finish and optionally check the box to start the passive identity agent.

Step 9

When the passive identity agent starts, click the On-Prem tab if you are using the agent with an on-premises Secure Firewall Management Center (physical or virtual) or click the Cloud tab if you are using the agent with Security Cloud Control.

Step 10

In the Cisco Passive Agent dialog box, enter the following information:

| Item | Description |
|---|---|
| FMC FQDN / IP Address | Enter the fully qualified domain name or IP address of the Cloud-delivered Firewall Management Center on which you created the passive identity agent identity source. The passive identity agent supports IPv4 addresses and fully qualified domain names only. IPv6 addresses are not supported. |
| Token | Enter the API token you found in Get an API Token for the Passive Identity Agent. |
| Agent | Click the list to locate the domain controller of the passive identity agent you created previously on the Cisco Security Cloud Control. |

Step 11

Click the Agent list.

Step 12

From the list, click the name of the domain controller to monitor.

Step 13

Click Test.

The following figure shows an example.

Make sure you test the connection before you save the configuration.

Step 14

Click Save only if the test succeeds.


What to do next