10-13-2020 07:04 AM
Hi Folks,
I am running a POC with three domains. The hierarchy is: lab.domain as my parent, and d1.lab.domain and d2.lab.domain as my child domains. If I log in to a workstation on d1 or d2 with a user from the parent domain, I have to use domain\username to log in before the ISE AuthZ policy is hit. If I try to use username@lab.domain, the AuthZ policy is ignored.
Is there any way to prevent this behaviour? Ideally, I don't want to burden a user with having to use FQDNs.
Thanks a lot
10-13-2020 01:40 PM
@Xividar - do you have trust relationships between the parent domain and the two child domains?
When you joined ISE to Active Directory, did you join using the parent domain?
I was under the impression that if you had a 2-way trust between all the domains, and if you joined ISE at the top-level domain, then ISE would be able to search without having to qualify the full domain. It might offer the solution.
10-13-2020 02:03 PM - edited 10-13-2020 02:05 PM
Hi Arne,
Yes, the parent trusts both the child domains, and both child domains trust the parent.
I initially joined my parent domain to ISE, then added the child domains later on; all domains are whitelisted.
Okay, good point. You got my wheels turning. If d1.lab.domain is using NTDS to find its closest DC, it's always going to be the d1.lab.domain DC. Now, within ISE, I didn't import any SID groups from the parent domain into d1.lab.domain, so my particular AuthZ rule was no longer hitting that particular AuthZ entry, although I'm not sure why d2.lab.domain and lab.domain were not queried. Anyway... I added the SID group to d1.lab.domain and it works without any FQDN.
Now I am wondering about your statement "if you joined ISE at the top level domain, then ISE would be able to search". I will try this, and then import the SIDs for d1.lab.domain and d2.lab.domain. I will try that tomorrow though, as it's now getting late.
Thanks for your help
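The fix in the post above amounts to making sure the group an AuthZ rule matches on is imported into every join point that may answer for the user. The following is an added example, not Cisco ISE code or anything from the thread: it normalizes a logon name given in either form (DOMAIN\user or user@fqdn) and reports which whitelisted join points have not imported the rule's group SID. The NetBIOS map, the SID and the per-join-point group sets are constructed for illustration.

```python
# Added example, not Cisco ISE code: a consistency check for the situation
# in this thread. Normalize a Windows logon name in either form, then list
# the AD join points where a rule on a given group SID can never match
# because the group was not imported there. All data here is constructed.
from typing import Dict, Set, Tuple

# Hypothetical NetBIOS-to-DNS map for the three domains in the thread.
NETBIOS_TO_DNS: Dict[str, str] = {
    "LAB": "lab.domain",
    "D1": "d1.lab.domain",
    "D2": "d2.lab.domain",
}

# Constructed: group SIDs imported into each ISE join point before the fix
# (the parent-domain group exists only under the lab.domain join point).
JOIN_POINT_GROUPS: Dict[str, Set[str]] = {
    "lab.domain": {"S-1-5-21-1111-2222-3333-1105"},
    "d1.lab.domain": set(),
    "d2.lab.domain": set(),
}


def normalize_logon(name: str, default_domain: str) -> Tuple[str, str]:
    """Return (dns_domain, username) for 'DOMAIN\\user', 'user@fqdn' or bare 'user'."""
    if "\\" in name:                        # down-level logon name
        netbios, user = name.split("\\", 1)
        try:
            return NETBIOS_TO_DNS[netbios.upper()], user.lower()
        except KeyError:
            raise ValueError("unknown NetBIOS domain: " + netbios) from None
    if "@" in name:                         # user principal name
        user, dns = name.rsplit("@", 1)
        return dns.lower(), user.lower()
    return default_domain.lower(), name.lower()   # bare name: workstation's domain


def join_points_missing_group(sid: str, join_points: Dict[str, Set[str]]) -> Set[str]:
    """Join points where an AuthZ rule on this group SID can never match."""
    return {jp for jp, sids in join_points.items() if sid not in sids}


if __name__ == "__main__":
    sid = "S-1-5-21-1111-2222-3333-1105"
    for logon in ("LAB\\alice", "alice@lab.domain", "alice"):
        print(logon, "->", normalize_logon(logon, "d1.lab.domain"))
    print("join points missing the group:",
          sorted(join_points_missing_group(sid, JOIN_POINT_GROUPS)))
```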