04-18-2017 06:36 AM
I have a distributed ISE solution implemented.
See attachment ISE-Deployment.
The ISE nodes are joined to their respective Active Directory as in the picture.
I get an alarm on all ISE nodes that are not joined in AD that says "Active Directory not joined". See attachment ISE_Alarm.
All RADIUS authentications are working great in all domains.
One of the challenges is external identity mapping while retrieving groups from AD. It says that the Primary Administration Node needs to be a member of the domain.
- I have tested joining the domain with the Primary Admin node, doing the group mapping and then leaving the domain. That works great. If the admin nodes are members of all domains, the PSN and MNT generate alarms. Same alarm as in the attachment.
The configuration for External Identity Sources looks like this:
Active Directory
Initial_Scope
Domain-1
Domain-2
Domain-3
I have also tried with scope for each domain.
Does anyone have some ideas here?
Thanks for any answers and help.
04-18-2017 02:04 PM
If on ISE 2.2, this alarm is added as the fix for CSCvb46425. If any alarm is alerting incorrectly, please engage Cisco TAC.
04-19-2017 02:18 AM
Hi.
Do you have any link for the fix CSCvb46425? I cannot find any information about that fix.
Regards,
Christian
04-19-2017 07:51 AM
Please see Bug Status & Notifications