ISE and AD synchronization

superduperlopez — Mon, 11 Mar 2019 02:51:37 GMT

Hi all,

Just wondering if any one would know the answer to this one...

We have ISE linked to AD...all working well, however, when a user is given a certificate, the user won't be able to connect to the (wireless) network due to certificate problems.....after 1/2 hour to an hour, the user will be able to authenticate successfuly....without any futher intervention from IT Support.

Seems like ISE to AD sync issue.....does anyone know how often does the ISE pulls AD for information....?

Thanks in advance.

UUmmmm thinking about this though, ISE should check the User "state" in AD every time the user tries to Authenticate....so could we possibly be talking about an AD replication issue here instead of ISE to AD???

Re: ISE and AD synchronization

jw.sl9 — Wed, 05 Dec 2012 18:07:33 GMT

If you check your Authentiction details. You will probably see no certificate found for the user. There is an issue with distributed AD environments:

In a distributed environment, a delay occurs before any domain controller has received the certificates and CRLs through Active Directory replication. The delay will vary depending on the Active Directory environment configuration.

So I'd ask the AD guys, what replication type and schedule are they running? This can be troubleshot watching the Published Certificates tab of the user record. Open and close the record while enrolling and after to see when it shows up.

What you should see is something like this in ISE record details, Steps section:

12811 Extracted TLS Certificate message containing client certificate

12812 Extracted TLS ClientKeyExchange message

12813 Extracted TLS CertificateVerify message

12804 Extracted TLS Finished message

12801 Prepared TLS ChangeCipherSpec message

12802 Prepared TLS Finished message

12816 TLS handshake succeeded

12509 EAP-TLS full handshake finished successfully

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

Evaluating Identity Policy

15048 Queried PIP

15004 Matched rule

22037 Authentication Passed

12506 EAP-TLS authentication succeeded

11503 Prepared EAP-Success

As far as your question:

does anyone know how often does the ISE pulls AD for information....?

It only "Pulls" information when you populate the AD dictionary (Groups and/or User attributes) in External Identities.

As far as how often if performs a lookup. It performs a lookup for every authentication as required and every processing of an Authorization Policy rule that requires a reference to that specifc rule. (think of multiple situations for processing rules which in turn would result in CoA processings for the session)

So your comment:

good troubleshooting /thinking!

I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.

Please rate post you consider useful.
-James

Re: ISE and AD synchronization

manjeets — Wed, 22 May 2013 10:42:05 GMT

Kindly review the below link:

https://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

topic ISE and AD synchronization in Network Access Control

ISE and AD synchronization

Re: ISE and AD synchronization

Re: ISE and AD synchronization