topic Re: ISE adding Domain Controllers to black list in Network Access Control

ISE adding Domain Controllers to black list

Arne Bier — Thu, 22 Feb 2018 01:01:39 GMT

Hello

I have joined my ISE 2.3p1 to an AD forest which has two way trust relationship with a bunch of other AD forests.

As you can see below I have selectively white listed a subset of these forests for my Authentication. Two of those non-white listed domains (cap and devcap) are causing ISE to complain.

Q1: Why do I constantly see this stuff in the ISE CLI logs? I didn't blacklist them, and I don't see this for any other domain that I haven't white listed either. What is the difference between blacklisting and simply not using them?

06/02/2018 06:16:13,WARNING,140182414153472,Added to black list: domain=devcap.******** DC=a04wndm31.devcap.******** addr=161.143.153.140 TTL=06:16:23 reason=Network,lwadvapi/threaded/dcmanager.cpp:269

06/02/2018 06:16:16,WARNING,140182414153472,Added to black list: domain=cap.******** DC=a04wpdm61.cap.******** addr=161.143.155.22 TTL=06:16:26 reason=Network,lwadvapi/threaded/dcmanager.cpp:269

This stuff is clogging my Splunk database and those guys charge by the MB

Q2: I don't see a value for the Forest column for those two domains. Is that a problem for ISE? All the other domains have a forest value displayed.

I ran Diagnostic Tool (all tests) and I got no errors at all.

Re: ISE adding Domain Controllers to black list

Nidhi — Thu, 22 Feb 2018 15:18:40 GMT

ISE will blacklist a domain controller if there is some network error so that ISE does not use the bad DC and discovery is triggered to find a better DC.

apart from any network connectivity issue, it is also possible that the firewall is dropping the packets.

More troubleshooting is needed here to find the case of this. Would suggest to engage TAC to find the root cause of it.

I will be researching more for the 2nd question.

Thanks,

Nidhi

Re: ISE adding Domain Controllers to black list

hslai — Sat, 24 Feb 2018 15:06:07 GMT

For the two domains showing no forest, it's probably due to ISE unable to discover such info through DNS and/or Global Catalog queries. As they are not used for authentications, it should have no impact without forest info.

Re: ISE adding Domain Controllers to black list

Arne Bier — Wed, 04 Apr 2018 03:55:41 GMT

Hello again

I am still seeing these SYSLOGs on a daily basis. I have asked my customer about these two domains but no response yet.

The constant SYSLOG events that I am seeing are (and related to the two domains I don't care about)

INFO AD-Connector: DC removed from black list
INFO AD-Connector: DC added to black list
ERROR AD-Connector: DC discovery failed

I have joined ISE to a domain controller that has many two-way trust relationships.

I whitelisted only those domains that I can access for authentication.

I did NOT whitelist these two domains that are causing me grief. Yet it seems that ISE is going behind my back and trying to be overly clever. The result is a constant stream of SYSLOGs to Splunk. Why can't it simply ignore the domains that I explicitly didn't whitelist?