Cisco ISE node lost connection to Active Directory after Restore

iran — Wed, 05 Jul 2023 11:50:19 GMT

Hi,

After performing a restore of configuration Backup in Cisco ISE, I noticed that my main PAN lost connection to AD.
The remaining nodes (PAN secondary, PSNs, and MnTs were ok after the restore).

Is this the expected behavior?

To solve the issue I had to manually insert again the credentials to force an Join of the PAN.

Re: Cisco ISE node lost connection to Active Directory after Restore

ahollifield — Wed, 05 Jul 2023 14:02:56 GMT

This is expected in my experience

Re: Cisco ISE node lost connection to Active Directory after Restore

iran — Mon, 10 Jul 2023 14:34:22 GMT

Thank you so much for your reply.

Is there any Cisco documentation that they mentioned it as expected behavior?

Re: Cisco ISE node lost connection to Active Directory after Restore

Charlie Moreton — Mon, 10 Jul 2023 17:54:27 GMT

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/Upgrade_Journey/b_ise_upgrade_guide_24_new.pdf

Re-Join ActiveDirectory

If you use Active Directory as your external identity source, and the connection to Active Directory is lost, then you must join all Cisco ISE nodes with Active Directory again. After the joins are complete, perform the external identity source call flows to ensure the connection.

After upgrade, if you log into the Cisco ISE user interface using an Active Directory administrator account, your login fails because Active Directory join is lost during upgrade. You must use the internal administrator account to login to Cisco ISE and join Active Directory with it.

If you enabled certificate-based authentication for administrative access to Cisco ISE, and used Active Directory as your identity source, then you will not be able to launch the ISE login page after upgrade. This is because the join to Active Directory is lost during upgrade. To restore joins to Active Directory, connect to the Cisco ISE CLI, and start the ISE application in safe mode by using the following command:

application start ise safe

After Cisco ISE starts in safe mode, perform the following tasks:

Log in to the Cisco ISE user interface using the internal administrator account.

If you do not remember your password or if your administrator account is locked, see Administrator Access to Cisco ISE in the Administrators Guide for information on how to reset an administrator password.

JoinCiscoISEwithActiveDirectory.

topic Re: Cisco ISE node lost connection to Active Directory after Restore in Network Access Control

Cisco ISE node lost connection to Active Directory after Restore

Re: Cisco ISE node lost connection to Active Directory after Restore

Re: Cisco ISE node lost connection to Active Directory after Restore

Re: Cisco ISE node lost connection to Active Directory after Restore