topic Re: ISE Migration To New AD Domain in Network Access Control

ISE Migration To New AD Domain

ChuckMcF — Fri, 26 Jan 2024 20:22:46 GMT

(Names have been changed for anonymity.)

Background: We have been taken over by a new organization and are in the process of migrating domains in a rather complex SDA deployment. The first planned phase is to migrate all users to the new domain and phase two will be to create a new Fabric in that domain (new DNAC & ISE clusters) then migrate the network and connected users during a scheduled outage to that Fabric. SDA is, and will only be, deployed for devices at our subdomain level. We have full control of ISE, DNAC, the previous domain and the new subdomain. The new organization controls the new forest.

Current domain: original.OldDomain.com

New subdomain (what we control): SiteA.main.newdomain.com

New domain (what we do not control): main.newdomain.com

Issue: I have modified our 802.1x policy sets to include AD groups from "original.OldDomain.com" OR "SiteA.main.newdomain.com". When testing user for all join points, I enter a known good user ID and password from SiteA.main.newdomain.com and here are the results:
Resolving identity - <known good user>
Search for matching accounts at join point - original.OldDomain.com
No matching account found in forest - original.OldDomain.com
Search for matching accounts at join point - SiteA.main.newdomain.com
Skipping unavailable forest - main.newdomain.com
Identity resolution detected no matching account
Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE

ISE has been joined to SiteA.main.newdomain.com with a service account that has full permission to AD at that level. ISE is also joined to original.OldDomain.com with a different AD account with appropriate permissions. I am confused why it is "skipping the unavailable forest" since we only want ISE to authenticate to the subdomain. Is it possible to authenticate ONLY to the subdomain or does ISE require a service account at the forest level as well? It is going to be extremely difficult to get the forest owners to give us a service account with that level of access so any way around this would be appreciated.

TIA

ChuckMcF

Re: ISE Migration To New AD Domain

Mark Elsen — Sat, 27 Jan 2024 08:20:15 GMT

- What ISE version is being used ?
- Examine the content of show logging application ad_agent.log
- Check DNS ; make sure that the new AD servers are known by PTR records on the ISE environment (too)

Re: ISE Migration To New AD Domain

ChuckMcF — Mon, 29 Jan 2024 12:53:08 GMT

Apologies - ISE version is 3.2P4. Parsing the log files that you recommended at the moment. Troubleshooting is slower due to working with an outside entity. Will update this thread as it progresses. Currently showing that the "domain marked as offline", which is odd because Admin-->id mgmt-->ext id sources-->AD--><new domain>-->Diagnostic Tools shows all tests as green.

Re: ISE Migration To New AD Domain

ChuckMcF — Mon, 29 Jan 2024 15:34:28 GMT

Found the solution to get ISE to authenticate to the subdomain:

Administration-->Identity Management-->External Identity Sources-->Active Directory-->SiteA.main-->Advanced Settings-->Identity Rewrite--><choose>Apply the Rewrite Rules Below to modify username:
If Identity Matches [IDENTITY] Rewrite as [IDENTITY]@SiteA.main.newdomain.com

We are now able to resolve to the new subdomain that we control.