https://community.cisco.com/t5/network-access-control/ise-isn-t-authenticating-against-the-correct-active-directory/m-p/4455909#M569306 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1171789">@SMD28316</a>&nbsp;,</P><P class="lia-align-justify">&nbsp;you said "<EM>... for users that exist in AD2 only ...</EM>", the <STRONG>AD2</STRONG> data is not being replicated to <STRONG>AD1</STRONG>?</P><P class="lia-align-justify">&nbsp;At <STRONG>Administration &gt; Identity Management &gt; External Identity Sources &gt; Active Directory</STRONG>, your <STRONG>Active Directory Domain</STRONG> is <U>DOMAIN.COM</U>?</P><P class="lia-align-justify">&nbsp;At <STRONG>Administration &gt; Identity Management &gt; External Identity Sources &gt; Active Directory &gt;</STRONG> <EM>select your AD</EM> <STRONG>&gt;</STRONG> select the <STRONG>Advanced Settings</STRONG> tab, double check the <STRONG>Identity Resolution</STRONG> configuration:<BR />. <EM>If Identity Store does not include de AD Domain</EM><BR />. <EM>If some of the Domains are unreachable</EM></P><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">Hope this helps !!!</P> Fri, 27 Aug 2021 12:47:51 GMT Marcelo Morais 2021-08-27T12:47:51Z https://community.cisco.com/t5/network-access-control/ise-isn-t-authenticating-against-the-correct-active-directory/m-p/4455851#M569303 <P>I have two active directories added to ISE, both have the same domain:</P><P>ad1.domain.com</P><P>ad2.domain.com</P><P>, I added AD2 later, but ISE keeps authenticating against AD1 only, for users that exist in AD2 only, the live logs reports show the identity store as AD1 and the authentication fails as a result.</P><P>&nbsp;</P><P>The authorization role the users hit on uses a condition that includes groups from both the ADs, but only the old one is being selected. I created another authorization role to test the AD, it includes a condition for AD2 only, but ISE skips it and keeps authenticating against the old authorization role that is below the newly configured one.</P><P>&nbsp;</P><P>The user exists in the impacted AD and I have tested it via ISE, both active directories are operational as well. I'm not sure what is the issue, is there a configuration I'm missing? The identity sequence includes the new AD and ALL_AD_JOIN POINTS but the chosen identity store is always AD1.</P><P>&nbsp;</P><P>I'm using certificate authentication profile on the sequence, do I need to edit it after adding the new AD2 or not?</P> Fri, 27 Aug 2021 11:44:33 GMT https://community.cisco.com/t5/network-access-control/ise-isn-t-authenticating-against-the-correct-active-directory/m-p/4455851#M569303 SMD28316 2021-08-27T11:44:33Z https://community.cisco.com/t5/network-access-control/ise-isn-t-authenticating-against-the-correct-active-directory/m-p/4455909#M569306 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1171789">@SMD28316</a>&nbsp;,</P><P class="lia-align-justify">&nbsp;you said "<EM>... for users that exist in AD2 only ...</EM>", the <STRONG>AD2</STRONG> data is not being replicated to <STRONG>AD1</STRONG>?</P><P class="lia-align-justify">&nbsp;At <STRONG>Administration &gt; Identity Management &gt; External Identity Sources &gt; Active Directory</STRONG>, your <STRONG>Active Directory Domain</STRONG> is <U>DOMAIN.COM</U>?</P><P class="lia-align-justify">&nbsp;At <STRONG>Administration &gt; Identity Management &gt; External Identity Sources &gt; Active Directory &gt;</STRONG> <EM>select your AD</EM> <STRONG>&gt;</STRONG> select the <STRONG>Advanced Settings</STRONG> tab, double check the <STRONG>Identity Resolution</STRONG> configuration:<BR />. <EM>If Identity Store does not include de AD Domain</EM><BR />. <EM>If some of the Domains are unreachable</EM></P><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">Hope this helps !!!</P> Fri, 27 Aug 2021 12:47:51 GMT https://community.cisco.com/t5/network-access-control/ise-isn-t-authenticating-against-the-correct-active-directory/m-p/4455909#M569306 Marcelo Morais 2021-08-27T12:47:51Z