
How to choose the priority for a specific AD server to be the primary for authentication in Cisco ISE

jeffersonpaez
Level 1

I have 5 external identity stores. I have the domain "x.com", but for authentication I want to choose the local server and not the remote server that is in another country, because I see some latency in AD queries to the remote server.
I read that I can do this for the AD domain using an Identity Store Sequence, but that is for the whole domain, not for a specific order of servers. How can I do it?

Domain: x.com

Priority that I wish for Active Directory authentication queries on Cisco ISE
1-Local server
2-Remote server

Right now ISE resolves queries in the following way
1-Remote server
2-Local Server



balaji.bandi
Hall of Fame

Yes, it's only the order you need to shuffle.

 

BB


Can I create a rule for dot1x using eap-tls where it is specified that for the domain x.com I use the server x.x.x.12 first and then the server x.x.x.11?

Is there a way that Cisco ISE can make a priority of sequence per server belonging to the domain?

Or that it can be instructed to trust the local server as the first option to perform the queries?

 


Hi @jeffersonpaez ,

1st, at Administration > Identity Management > External Identity Sources > Active Directory > choose your AD ... check if you are using Sites (take a look at the following post: ISE AD Sites and Services).

Note: if you have a PSN on Country A, then use Site A ... if you have another PSN on Country B, then use Site B.

2nd, at Administration > Identity Management > Identity Source Sequences > choose your "Sequence Name", you are able to set the order in the Authentication Search List, for example: 1st Internal Users and 2nd your AD.

 

Hope this helps !!!

Milos_Jovanovic
VIP Alumni

ISE relies heavily on the Microsoft Sites & Services concept. How this works, basically, is that you create a Site in AD to which you tie specific subnets and the domain controllers relevant to it. Each time ISE asks for Microsoft Domain Services, AD will check its source IP and return the list of DCs for that subnet. You need to list all subnets in Country A and all DCs in Country A, and you should be able to achieve what you're trying to. Please be aware that it might take some time for ISE to become aware of the changes, or you could restart ISE services to speed things up after configuring Sites & Services. However, for priorities, I'm not sure if that is doable; you should check this with your AD team.

I have multiple geo-deployments, in which each ISE is communicating to nearest DC.

BR,

Milos

Hi, Milos

 

Thanks for your comment about it

 

I want to explain the scenario better.

 

The deployment is as follows
The location of both are in the same country
Data Center 1
1 PAN
1 MNT
2 PSN
Data Center 2
1 PAN
1 MNT
2 PSN

domain x.com
with local servers
but the remote servers located in another country are the ones preferred for the AD queries.

We observe latency because they go to remote servers

What I want is to force ISE to query the local servers.

1. First option that I think is possible:
Is it possible to do this using Passive Identity Connector?

We currently use Active mode in the deployment.

It does not generate having the AD services connector and the Passive Identity Connector coexisting

2. Second option, is it possible to force also at the AD level that the users of the x.com domain take the local Active Directory servers as a priority?
With this, the ISE would detect it automatically?

 

Note: Currently we have the Base license.

Let's expand your initial statement, for better understanding. You have 2 sites in the same country:

  • You have a domain x.com
  • Site 1 / Datacenter 1
    • 1 PAN
    • 1 MNT
    • 2 PSNs
    • Subnets relevant to these servers, e.g. 192.168.0.0/16
    • Domain controllers in this site, e.g. AD DC #1 and #2
  • Site 2 / Datacenter 2
    • 1 PAN
    • 1 MNT
    • 2 PSNs
    • Subnets relevant to these servers, e.g. 172.16.0.0/12
    • Domain controllers in this site, e.g. AD DC #3 and #4
  • You have domain controllers in another country, e.g. AD DC #10-15

Now, I'm not a Microsoft guy, but this is how it is supposed to work, in a very simplified way (you may find a nice explanation and setup guide about Sites & Services here):

  • When ISE is trying to resolve your domain x.com, it asks configured DNS servers about it
  • Since this is not standard DNS query, it doesn't simply return FQDN-to-IP mapping
  • It has to put some brain to resolving this one, and it figures out, based on ISE IP address, that this particular node belongs to AD Site 1
  • In AD, you already configured Site 1 and Site 2, to which you tied respective subnets and domain controllers (e.g. Site 1 uses subnet 192.168.0.0/16 and DC#1 and #2)
  • Based on this information, your ISE server from Site 1 (which has IP from subnet 192.168.0.0/16) now knows that it should talk to DC#1 or #2
  • Same goes for ISE for Site 2
  • Neither of ISE servers will talk to DC #10-15, which are located elsewhere, because they are not defined in Site 1 or 2, which would solve your latency issues

To answer your questions:

  1. No, Passive Identity Connector (PIC) is not meant for this use case. PIC was meant to collect user-to-IP mappings (or identities) from various sources (e.g. syslog, Windows AD logs or ISE native logs in which ISE has information based on authentication process), and to share that contextual data to other interested entities, over pxGrid.
  2. Yes. Explanation I gave earlier about Sites&Services is designed to control which ISE servers talk to which domain controllers. And yes, ISE would detect this change automatically. It might not happen immediately when you configure it on AD, but it will become aware eventually (once you configure it on AD, and replication gets done, you can force it by restarting ISE services).

BR

Milos

Hi, Milos

 

I forgot to explain that both Data Centers are located in the same segment and location. Data Center 2 is the one that acts in the secondary roles for Data Center 1 (PAN and MNT).

 

PSN always active

 

With this, is it still the same for PIC, that it will not work?

It doesn't really matter, as same concept applies. You'll have just one AD Site, which contains subnet which is shared between both datacenters, and you'll have domain controller/controllers which are local.

No, PIC is not designed for this purpose.

BR,

Milos

Thank you very much Milos for clarifying the topic about PIC.

I got the following information from TAC engineer

Here is the step by step guide on how to point the ISE server to only specific DCs in the AD domain:
Navigate to:
1. External-ID-Stores -> Active Directory -> Advanced Tools -> Advanced Tuning
2. Select the ISE node you want to change
3. The 'Name' field gets the specific REGISTRY string given below:
REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDCs\<Domain Name>
Example: REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDCs\cisco.com
4. The 'Value' field is where you indicate the DC, or list of DCs separated by a space
<The DC's hostname>
Example: dc1.cisco.com dc2.cisco.com
5. Update the value and after that restart the AD connector.

After applying this, Cisco ISE 2.7 makes requests to the local AD servers

I'll leave the post here with the process in case someone else requires it
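As an added illustration of the two mechanisms discussed in this thread (Milos's Sites & Services explanation and the TAC PreferredDCs tuning step), the Python below models, in simplified form, how a site-aware client such as an ISE node ends up on a given set of domain controllers. This is example code written for this page, not Cisco or Microsoft code and not how the ISE AD connector is actually implemented: the sites, subnets, DC names and the SRV answers are constructed, the longest-prefix subnet match and the site-specific versus domain-wide SRV record names are the real AD DC locator conventions, and the PreferredDCs handling is an assumption based only on the TAC description above ("point the ISE server to only specific DCs").

```python
"""Simplified model of site-aware domain controller selection, plus an override
that mimics the ISE Advanced Tuning 'PreferredDCs' value.

Added example for this thread, not Cisco or Microsoft code. The sites, subnets,
DC hostnames and SRV answers below are constructed test data."""
import ipaddress
from typing import Dict, List, Optional

DOMAIN = "x.com"

# Constructed Sites & Services data: subnet -> site name. The /24 that overlaps
# Site1's /16 shows the longest-prefix rule: 192.168.50.x lands in Site2 even
# though it also sits inside 192.168.0.0/16.
SUBNET_TO_SITE: Dict[str, str] = {
    "192.168.0.0/16": "Site1",
    "172.16.0.0/12": "Site2",
    "192.168.50.0/24": "Site2",
}

# Constructed DNS SRV answers keyed by the record name a DC locator queries:
#   _ldap._tcp.<Site>._sites.dc._msdcs.<domain>  -> DCs registered for that site
#   _ldap._tcp.dc._msdcs.<domain>                -> every DC in the domain
# The remote DCs (dc10, dc11) come first in the domain-wide record to show why a
# client with no site match can end up talking to a far-away DC.
SRV_RECORDS: Dict[str, List[str]] = {
    f"_ldap._tcp.Site1._sites.dc._msdcs.{DOMAIN}": ["dc1.x.com", "dc2.x.com"],
    f"_ldap._tcp.Site2._sites.dc._msdcs.{DOMAIN}": ["dc3.x.com", "dc4.x.com"],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        "dc10.x.com", "dc11.x.com", "dc1.x.com", "dc2.x.com", "dc3.x.com", "dc4.x.com",
    ],
}


def site_for_ip(client_ip: str) -> Optional[str]:
    """Map a client IP to an AD site by longest-prefix match; None if no subnet matches."""
    addr = ipaddress.ip_address(client_ip)
    best_len, best_site = -1, None
    for prefix, site in SUBNET_TO_SITE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_site = net.prefixlen, site
    return best_site


def srv_name(domain: str, site: Optional[str]) -> str:
    """Site-specific SRV name when the client has a site, domain-wide name otherwise."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def parse_preferred_dcs(value: Optional[str]) -> List[str]:
    """Parse the space-separated FQDN list used as the PreferredDCs tuning value."""
    if not value:
        return []
    return [host.lower() for host in value.split()]


def locate_dcs(client_ip: str, domain: str = DOMAIN,
               preferred_dcs: Optional[str] = None) -> List[str]:
    """Return the DCs the client would try, in order.

    Assumption (from the TAC description in the thread): when PreferredDCs is set,
    the node is pinned to exactly those DCs. Otherwise the client's site decides
    which SRV record is consulted; with no matching subnet the domain-wide record
    is used, which is how remote DCs get picked first.
    """
    pinned = parse_preferred_dcs(preferred_dcs)
    if pinned:
        return pinned
    site = site_for_ip(client_ip)
    dcs = SRV_RECORDS.get(srv_name(domain, site), [])
    if not dcs and site is not None:
        # Site defined but no DC registered for it: fall back to the domain-wide list.
        dcs = SRV_RECORDS.get(srv_name(domain, None), [])
    return list(dcs)


if __name__ == "__main__":
    for ip in ("192.168.10.5", "192.168.50.7", "172.20.1.1", "10.0.0.5"):
        print(ip, site_for_ip(ip), locate_dcs(ip))
    print("10.0.0.5 pinned:", locate_dcs("10.0.0.5", preferred_dcs="dc1.x.com dc2.x.com"))
```

The 10.0.0.5 case is the symptom the original poster describes: a node whose address is in no defined AD subnet gets the domain-wide DC list, so whichever DC answers first, including one in another country, is used. Defining the ISE subnets under the right site fixes that at the AD level for every client in the subnet; the PreferredDCs tuning value pins one ISE node regardless of site data, which is useful when the AD team cannot change Sites & Services but also means the node has no other DCs to fall back to if the pinned ones go down. The real locator additionally checks DC liveness and respects site coverage, and the ISE AD connector caches its DC choice, which is why the thread mentions restarting the connector after changes.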