Cisco ISE node lost connection to Active Directory after Restore

iran (Level 1)

Hi,

After performing a restore of configuration Backup in Cisco ISE, I noticed that my main PAN lost connection to AD.
The remaining nodes (secondary PAN, PSNs, and MnTs) were OK after the restore.

Is this the expected behavior?


To solve the issue I had to manually re-enter the credentials to force a join of the PAN.

3 Replies

This is expected in my experience 

iran (Level 1)

Thank you so much for your reply.

Is there any Cisco documentation where this is mentioned as expected behavior?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/Upgrade_Journey/b_ise_upgrade_guide_24_new.pdf

Re-Join Active Directory

If you use Active Directory as your external identity source, and the connection to Active Directory is lost, then you must join all Cisco ISE nodes with Active Directory again. After the joins are complete, perform the external identity source call flows to ensure the connection.

  • After upgrade, if you log into the Cisco ISE user interface using an Active Directory administrator account, your login fails because the Active Directory join is lost during upgrade. You must use the internal administrator account to log in to Cisco ISE and join Active Directory with it.
  • If you enabled certificate-based authentication for administrative access to Cisco ISE, and used Active Directory as your identity source, then you will not be able to launch the ISE login page after upgrade. This is because the join to Active Directory is lost during upgrade. To restore joins to Active Directory, connect to the Cisco ISE CLI, and start the ISE application in safe mode by using the following command:

application start ise safe

After Cisco ISE starts in safe mode, perform the following tasks:

  • Log in to the Cisco ISE user interface using the internal administrator account.

If you do not remember your password or if your administrator account is locked, see Administrator Access to Cisco ISE in the Administrators Guide for information on how to reset an administrator password.

  • Join Cisco ISE with Active Directory.