Does PSN query AD for every RADIUS session?

Hi Everyone,

From what I understand, when you integrate your AD to your ISE deployment, the PSN will be the one that make direct connection to the AD. My question here is: does PSN query AD for every new/unique RADIUS session?

Thanks.

Best regards,

Yedi

Accepted Solution

thomas
Cisco Employee

It depends on the configuration of your ISE Authentication Policy.

In the example below - which is the ISE default with a rule for VPN added - you can see that MAB will only look to authenticate Internal Endpoints - and never go to AD. VPN, Dot1x and Default will attempt to try each of the Identity Stores in the All_User_ID_Stores identity store sequence which, assuming you had configured one or more Active Directory stores, would include them. You may configure additional rules and conditions to control which Identity Stores are used.

[screenshot: ISE Authentication Policy rules (MAB, VPN, Dot1x, Default)]

You may create your own Identity Store Sequences (with or without AD) here:

[screenshot: Identity Store Sequences configuration page]


6 Replies

Shivu b
Level 1

It depends on what policy has been set for it. Unless an endpoint logs in, it doesn't query.

Were you using AD credential login for the ISE servers, or for end users and NAD devices?

If you use the AD probe for profiling, then yes. Also, if you use AD authentication for endpoint dot1x, then yes.

In both cases ISE will probe AD for every new connection.

***** please remember to rate useful posts

In general yes - that is the case. If you want to limit the connection rates to AD for EAP-PEAP, then you can enable a feature in ISE called Fast-Reconnect - this will cache the last Authentication status of that user for a specified number of minutes. The only trouble is, if that user's status changes in that time frame (e.g. account locked) then ISE will not take note of it. But it's still a useful feature.
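Arne's Fast-Reconnect caveat above, together with Thomas's point that only rules whose identity store sequence includes AD ever reach it, as an added example that is not code from this thread or from Cisco ISE. It is a toy model in Python: the rule names, store names and the All_User_ID_Stores sequence come from the thread, while the sequence order, the cache-only-successes behaviour and the five-minute window are assumptions made for illustration.

```python
# Added example (not from the thread or Cisco ISE): a toy ISE-style policy that
# shows which requests reach AD, plus a Fast-Reconnect-style cache and its caveat.
ACTIVE_DIRECTORY = "AD"                       # the AD join point (external)
INTERNAL_ENDPOINTS = "Internal Endpoints"     # local MAC database
INTERNAL_USERS = "Internal Users"             # local user database

# Identity source sequence named in the thread; its order here is an assumption.
ALL_USER_ID_STORES = [INTERNAL_USERS, ACTIVE_DIRECTORY]

# Default-style policy: MAB looks only at Internal Endpoints and never at AD;
# VPN, Dot1x and Default walk the sequence, which includes AD.
POLICY = {"MAB": [INTERNAL_ENDPOINTS], "VPN": ALL_USER_ID_STORES,
          "Dot1x": ALL_USER_ID_STORES, "Default": ALL_USER_ID_STORES}


class Psn:
    """Counts AD lookups; optionally caches successes like Fast-Reconnect."""
    def __init__(self, directory, fast_reconnect_minutes=0):
        self.directory = directory        # {store: {identity: account enabled?}}
        self.ttl = fast_reconnect_minutes * 60
        self.cache = {}                   # identity -> cache expiry (seconds)
        self.ad_queries = 0

    def authenticate(self, rule, identity, now):
        if self.cache.get(identity, -1) > now:
            return "PASS"                 # resumed session: AD not consulted
        for store in POLICY[rule]:
            if store == ACTIVE_DIRECTORY:
                self.ad_queries += 1
            accounts = self.directory.get(store, {})
            if identity in accounts:      # found: this store's verdict is final
                if accounts[identity] and self.ttl and store == ACTIVE_DIRECTORY:
                    self.cache[identity] = now + self.ttl
                return "PASS" if accounts[identity] else "FAIL"
        return "FAIL"                     # not found in any store of the sequence


def demo():
    """Constructed scenario: MAB never hits AD; an account locked in AD keeps
    passing until the cached entry expires, then the lock is seen."""
    directory = {INTERNAL_ENDPOINTS: {"00:11:22:33:44:55": True},
                 INTERNAL_USERS: {}, ACTIVE_DIRECTORY: {"alice": True}}
    psn = Psn(directory, fast_reconnect_minutes=5)
    results = [psn.authenticate("MAB", "00:11:22:33:44:55", 0),   # no AD query
               psn.authenticate("Dot1x", "alice", 0),             # AD query 1
               psn.authenticate("Dot1x", "alice", 60)]            # cached
    directory[ACTIVE_DIRECTORY]["alice"] = False                  # locked in AD
    results.append(psn.authenticate("Dot1x", "alice", 120))       # stale PASS
    results.append(psn.authenticate("Dot1x", "alice", 301))       # AD query 2: FAIL
    return results, psn.ad_queries
```

The fourth result is the caveat Arne describes: the lock applied in AD is not seen until the cached entry has aged out, so the cache window is a trade-off between AD load and how quickly an account change takes effect.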

Hi Arne,
Thanks for your confirmation, and especially for the information about "Fast-Reconnect"; I didn't know about it before this.

Cheers,
Yedi

Hi Thomas,
Thanks for your detailed and well-thought answers, it helps me a lot!!

Cheers,
Yedi