05-14-2020 10:47 AM
Hi Everyone,
From what I understand, when you integrate your AD with your ISE deployment, the PSN will be the one that makes a direct connection to the AD. My question here is: does the PSN query AD for every new/unique RADIUS session?
Thanks.
Best regards,
Yedi
05-16-2020 05:19 PM
It depends on the configuration of your ISE Authentication Policy.
In the example below - which is the ISE default with a rule for VPN added - you can see that MAB will only look to authenticate Internal Endpoints - and never go to AD. VPN, Dot1x and Default will attempt to try each of the Identity Stores in the All_User_ID_Stores identity store sequence which, assuming you had configured one or more Active Directory stores, would include them. You may configure additional rules and conditions to control which Identity Stores are used.
You may create your own Identity Store Sequences (with or without AD) here:
05-14-2020 11:06 AM
It depends on what the policy has been set for. Unless endpoint not logged into it doesn't query.
Were you using AD credential login for ISE servers, or for end users and NAD devices?
05-14-2020 12:03 PM
05-14-2020 05:09 PM
In general yes - that is the case. If you want to limit the connection rates to AD for EAP-PEAP, then you can enable a feature in ISE called Fast-Reconnect - this will cache the last Authentication status of that user for a specified number of minutes. The only trouble is, if that user's status changes in that time frame (e.g. account locked) then ISE will not take note of it. But it's still a useful feature.
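The trade-off described in the reply above, as an added example that is not part of the original thread and is not ISE code: a simplified Python model of a result cache sitting in front of a directory. The class names, the 5-minute re-authentication interval and the 30-minute cache window are assumptions chosen for illustration.

```python
# Simplified model (not ISE code): a result cache in front of a directory lookup.
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Stand-in for AD; counts how many times it is queried."""
    locked: set = field(default_factory=set)
    queries: int = 0

    def authenticate(self, user: str) -> bool:
        self.queries += 1
        return user not in self.locked


@dataclass
class CachingAuthenticator:
    """Hypothetical front end that reuses the last result for ttl_min minutes."""
    directory: Directory
    ttl_min: int  # 0 disables caching
    _cache: dict = field(default_factory=dict)  # user -> (result, minute stored)

    def authenticate(self, user: str, now_min: int) -> bool:
        hit = self._cache.get(user)
        if hit and self.ttl_min and now_min - hit[1] < self.ttl_min:
            return hit[0]  # directory not consulted, so the status may be stale
        result = self.directory.authenticate(user)
        self._cache[user] = (result, now_min)
        return result


def replay(ttl_min: int):
    """Constructed timeline: one user re-authenticates every 5 minutes for an
    hour, and the account is locked in the directory from minute 12 onward."""
    ad = Directory()
    auth = CachingAuthenticator(ad, ttl_min)
    accepted_after_lock = []
    for t in range(0, 60, 5):
        if t >= 12:
            ad.locked.add("alice")
        if auth.authenticate("alice", t) and t >= 12:
            accepted_after_lock.append(t)
    return ad.queries, accepted_after_lock


if __name__ == "__main__":
    for ttl in (0, 30):
        print(f"ttl={ttl} min -> (directory queries, accepted after lock) = {replay(ttl)}")
```

In this model the cache cuts directory queries from 12 to 2, at the cost of accepting the locked account at minutes 15, 20 and 25, until the cached entry expires.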
06-16-2020 09:29 AM
06-16-2020 09:27 AM