06-24-2021 09:18 AM
I have 5 external identity stores. I have the domain "x.com", but for authentication I want to choose the local server and not the remote server that is in another country, because I see some latency in AD queries to the remote server.
I read that I can do this for an AD domain using an Identity Store Sequence, but that is for the whole domain, not for a specific order of servers. How can I do it?
Domain: x.com
Priority that I wish for Active Directory authentication queries on Cisco ISE:
1. Local server
2. Remote server
Right now ISE resolves queries in the following way:
1. Remote server
2. Local server
06-25-2021 02:06 PM
Let's expand your initial statement, for better understanding. You have 2 sites in the same country:
Now, I'm not a Microsoft guy, but this is how it is supposed to work, in a very simplified way (you may find a nice explanation and setup guide about Sites & Services here).
To answer your questions:
BR
Milos
07-08-2021 11:49 AM
Thank you very much, Milos, for clarifying the topic about PIC.
I got the following information from a TAC engineer.
Here is the step-by-step guide on how to point the ISE server to only specific DCs in the AD domain:
Navigate to:
1. External-ID-Stores -> Active Directory -> Advanced Tools -> Advanced Tuning
2. Select the ISE node you want to change
3. The 'Name' field gets the specific REGISTRY string given below:
REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDCs\<Domain Name>
Example: REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDCs\cisco.com
4. The 'Value' field is where you indicate the DC, or a list of DCs separated by a space:
<The DC's hostname>
Example: dc1.cisco.com dc2.cisco.com
5. Update the value and after that restart the AD connector.
After applying this, Cisco ISE 2.7 makes requests to the local AD servers.
I'll leave the post here with the process in case someone else requires it.
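As an added example, not from the thread or from Cisco's documentation: a PowerShell pre-check to run before pinning DCs in that Advanced Tuning entry. It resolves each candidate, confirms the AD ports ISE needs on a DC (LDAP 389, Kerberos 88, SMB 445, plus GC 3268 where the DC is a global catalog) answer, measures TCP connect latency, and prints the exact Name/Value pair for the entry with the closest DC first. The domain, the hostnames and the port set are assumptions for illustration.

```powershell
# Added example (not from the thread or from Cisco): pre-check the DCs you intend to
# pin in the PreferredDCs Advanced Tuning entry before restarting the AD connector.
# Domain and hostnames are assumptions. Run from a host on the same subnet as the PSNs
# so the measured latency approximates what the ISE nodes will see.
$Domain        = 'x.com'
$CandidateDCs  = @('dc1.x.com', 'dc2.x.com', 'dc-remote.x.com')      # assumed hostnames
$RequiredPorts = [ordered]@{ LDAP = 389; Kerberos = 88; SMB = 445 }  # ports ISE uses against a DC
$OptionalPorts = [ordered]@{ GC = 3268 }                             # answers only if the DC is a GC

function Measure-TcpConnect {
    # Returns the TCP connect time in ms, or $null if the port did not answer in time.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $null }
        $client.EndConnect($ar)
        return [math]::Round($sw.Elapsed.TotalMilliseconds, 1)
    } catch { return $null }
    finally { $client.Close() }
}

$results = foreach ($dc in $CandidateDCs) {
    # The Value field takes hostnames; keep to FQDNs inside the joined domain.
    if ($dc -notlike "*.${Domain}") { Write-Warning "$dc is not an FQDN in ${Domain}, skipping"; continue }
    if (-not (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue)) {
        Write-Warning "$dc does not resolve, skipping"; continue
    }
    $row = [ordered]@{ DC = $dc }
    foreach ($p in $RequiredPorts.GetEnumerator()) { $row[$p.Key + 'Ms'] = Measure-TcpConnect $dc $p.Value }
    foreach ($p in $OptionalPorts.GetEnumerator()) { $row[$p.Key + 'Ms'] = Measure-TcpConnect $dc $p.Value }
    # A DC is usable for ISE only if every required port answered.
    $row['Reachable'] = @($RequiredPorts.Keys | Where-Object { $null -eq $row[$_ + 'Ms'] }).Count -eq 0
    [pscustomobject]$row
}
$results | Format-Table -AutoSize

# Keep the DCs that answer on every required port, closest first, and print the
# exact Name/Value pair to paste into the Advanced Tuning entry.
$preferred = @($results | Where-Object Reachable | Sort-Object LDAPMs | ForEach-Object DC) -join ' '
if (-not $preferred) { throw "No candidate DC answered on all required ports; do not pin anything." }
"Name : REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDCs\${Domain}"
"Value: $preferred"
```

Pinning DCs this way sidesteps the site-based choice the DC locator would otherwise make, so the list should contain more than one local DC, and step 2 above selects a single ISE node, so the entry has to be repeated on every PSN. Whether ISE falls back to other DCs in the domain when every listed DC is unreachable is not stated in the thread; test that failure mode in a maintenance window before relying on it.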
06-24-2021 09:20 AM
Yes, it's only the order you need to shuffle.
06-24-2021 09:33 AM - edited 06-24-2021 09:37 AM
Can I create a rule for dot1x using EAP-TLS where it is specified that for the domain x.com I use the server x.x.x.12 first and then the server x.x.x.11?
Is there a way that Cisco ISE can set a priority sequence per server belonging to the domain?
Or that it can be instructed to trust the local server as the first option to perform the queries?
06-24-2021 12:14 PM
Hi @jeffersonpaez,
1st, at Administration > Identity Management > External Identity Sources > Active Directory > choose your AD ... check if you are using Sites (take a look at the following post: ISE AD Sites and Services).
Note: if you have a PSN in Country A, then use Site A ... if you have another PSN in Country B, then use Site B.
2nd, at Administration > Identity Management > Identity Source Sequences > choose your "Sequence Name", you are able to set the order in the Authentication Search List, for example: 1st Internal Users and 2nd your AD.
Hope this helps!!!
06-25-2021 03:51 AM
ISE relies heavily on the Microsoft Sites & Services concept. How this works, basically, is that you create a Site in AD, to which you tie specific subnets and the domain controllers relevant for it. Each time ISE asks for Microsoft Domain Services, AD will check its source IP and return the list of DCs for this subnet. You need to list all subnets in Country A and all DCs in Country A, and you should be able to achieve what you're trying to. Please be aware that it might take some time for ISE to become aware of the changes, or you could restart ISE services to speed things up after configuration of Sites & Services. However, for priorities, I'm not sure if that is doable; you should check this with your AD team.
I have multiple geo-deployments, in which each ISE is communicating with the nearest DC.
BR,
Milos
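The Sites & Services setup described in the post above, as an added PowerShell example that is not from the thread: it creates a site for the subnet the ISE PSNs source their AD traffic from, moves the local DCs' server objects into it, and then asks the DC locator and DNS which DCs that site hands out. The site name, subnet and DC names are assumptions; it needs the ActiveDirectory RSAT module and an account allowed to edit Sites & Services.

```powershell
# Added example (not from the thread): put the ISE PSNs' subnet and the local DCs into
# their own AD site so the DC locator returns only those DCs to the PSNs.
# Site name, subnet and DC names are assumptions for illustration.
Import-Module ActiveDirectory

$Domain   = 'x.com'
$SiteName = 'DC-Local'              # assumed site name
$Subnets  = @('10.10.0.0/16')       # assumed: every subnet the PSNs source AD traffic from
$LocalDCs = @('dc1', 'dc2')         # assumed: the local DCs' server object names

# 1. Create the site if it does not exist.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# 2. Bind the PSN subnets to the site. The locator matches the client's source IP against
#    these subnets; a PSN whose subnet is missing gets no site assignment and can be
#    handed any DC in the domain, which is exactly the remote-DC behaviour being fixed.
foreach ($subnet in $Subnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $SiteName
    }
}

# 3. Move the local DCs' server objects into the site.
foreach ($dc in $LocalDCs) {
    Move-ADDirectoryServer -Identity $dc -Site $SiteName
}

# 4. Check what the locator now hands out for that site.
Get-ADDomainController -Discover -DomainName $Domain -SiteName $SiteName -ForceDiscover |
    Select-Object HostName, Site, IPv4Address

# 5. Check the site-specific SRV records the locator resolves; only local DCs should
#    appear. DNS registration by the moved DCs can lag, so re-run after a few minutes.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.${SiteName}._sites.dc._msdcs.${Domain}" |
    Select-Object NameTarget, Port, Priority, Weight
```

Step 4 queries from the machine running the script, so run it from the PSN subnet (or pass the PSNs' subnet to a test host there) to see the same answer the ISE nodes get; the note above about ISE taking time to notice the change, or restarting ISE services, still applies afterwards.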
06-25-2021 11:06 AM
Hi, Milos
Thanks for your comment about it.
I want to explain the scenario better.
The deployment is as follows:
Both locations are in the same country.
Data Center 1
1 PAN
1 MNT
2 PSN
Data Center 2
1 PAN
1 MNT
2 PSN
Domain x.com
with local servers,
but the remote servers located in another country are the preferred ones for AD queries.
We observe latency because they go to the remote servers.
What I want is to force ISE to query the local servers.
1. First option that I think is possible:
Is it possible to do this using the Passive Identity Connector?
We currently use Active mode in the deployment.
Does having the AD services connector and the Passive Identity Connector coexist cause any problem?
2. Second option: is it possible to force, also at the AD level, that the users of the x.com domain take the local Active Directory servers as a priority?
With this, would ISE detect it automatically?
Note: Currently we have the Base license.
06-25-2021 02:48 PM
Hi, Milos
I forgot to explain that both data centers are located in the same segment and location. Data Center 2 is the one that acts in the secondary roles for Data Center 1 (PAN and MNT).
PSNs are always active.
With this, is it still the same, that PIC will not work?
06-25-2021 03:22 PM
It doesn't really matter, as the same concept applies. You'll have just one AD Site, which contains the subnet shared between both data centers, and you'll have the domain controller/controllers which are local.
No, PIC is not designed for this purpose.
BR,
Milos