https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086270#M560444 <P>In general yes - that is the case. If you want to limit the connection rates to AD for EAP-PEAP, then you can enable a feature in ISE called Fast-Reconnect - this will cache the last Authentication status of that user for a specified number of minutes. The only trouble is, if that user's status changes in that time frame (e.g. account locked) then ISE will not take note of it. But it's still a useful feature.</P> Fri, 15 May 2020 00:09:02 GMT Arne Bier 2020-05-15T00:09:02Z https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086025#M560430 <P>Hi Everyone,</P><P>From what I understand, when you integrate your AD to your ISE deployment, the PSN will be the one that make direct connection to the AD. My question here is: does PSN query AD for every new/unique RADIUS session?</P><P>Thanks.</P><P>&nbsp;</P><P>Best regards,</P><P>Yedi</P> Thu, 14 May 2020 17:47:47 GMT https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086025#M560430 YediaelHutahaean 2020-05-14T17:47:47Z https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086038#M560433 <P>Its depend what policy have been set it for ? Unless endpoint not logged into it doesn't query</P><P>&nbsp;</P><P>were you using AD credential login for ISE servers ? or end users and NAD devices ?</P> Thu, 14 May 2020 18:06:00 GMT https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086038#M560433 Shivu b 2020-05-14T18:06:00Z https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086075#M560435 If you use AD probe for profiling then yes. Also, if you use AD<BR />authentication for endpoint dot1x, then yes.<BR /><BR />In both cases ISE will probe AD for every new connection.<BR /><BR />***** please remember to rate useful posts<BR /> Thu, 14 May 2020 19:03:49 GMT https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086075#M560435 Mohammed al Baqari 2020-05-14T19:03:49Z https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086270#M560444 <P>In general yes - that is the case. If you want to limit the connection rates to AD for EAP-PEAP, then you can enable a feature in ISE called Fast-Reconnect - this will cache the last Authentication status of that user for a specified number of minutes. The only trouble is, if that user's status changes in that time frame (e.g. account locked) then ISE will not take note of it. But it's still a useful feature.</P> Fri, 15 May 2020 00:09:02 GMT https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4086270#M560444 Arne Bier 2020-05-15T00:09:02Z https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4087225#M560462 <P>It depends on the configuration of your ISE Authentication Policy.</P> <P>In the example below - which is the ISE default with a rule for VPN added - you can see that MAB will only look to authenticate Internal Endpoints - and never to go AD. VPN, Dot1x and Default will attemtp to try each of the Identity Stores in the All_User_ID_Stores identity store sequence which, assuming you had configured one or more Active Directory stores, would include them. You may configure additional rules and conditions to control which IDentity Stores are used.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/74715iC3A55A33B84B9073/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>You may create your own Identity Store Sequences (with or without AD) here:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/74716i9E34E1A51B593E10/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Sun, 17 May 2020 00:19:45 GMT https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4087225#M560462 thomas 2020-05-17T00:19:45Z https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4104241#M561259 Hi Thomas,<BR />Thanks for your detailed and well-thought answers, it helps me a lot!!<BR /><BR />Cheers,<BR />Yedi Tue, 16 Jun 2020 16:27:28 GMT https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4104241#M561259 YediaelHutahaean 2020-06-16T16:27:28Z https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4104242#M561260 Hi Arne,<BR />Thanks for your confirmation, and especially for the information about "Fast-Reconnect", didn't know about it before this.<BR /><BR />Cheers,<BR />Yedi Tue, 16 Jun 2020 16:29:38 GMT https://community.cisco.com/t5/network-access-control/does-psn-query-ad-for-every-radius-session/m-p/4104242#M561260 YediaelHutahaean 2020-06-16T16:29:38Z