02-10-2015 07:38 AM - edited 03-10-2019 10:26 PM
Hi all,
I have a question regarding time zone settings, AD interaction and ISE PSN.
Assuming the following deployment:
- ISE distributed deployment with 3
- Each PSN is joined to an AD at a specific site (example: one in USA, one in Europe, one in Asia)
If the DCs at each site have different clocks (same UTC time source, but different time zone) I'll probably run into issues, right?
Because:
First fact:
Set correct time and timezone. Kerberos needs to be within 5 mins of the DCs you use. (Source: Cisco Live Breakout BRKSEC-2132)
Second fact:
Also, it is important to have all the nodes in a single ISE deployment configured to the same time zone. If you have ISE nodes located in different geographical locations or time zones, you should use a global time zone such as UTC on all the ISE nodes.
(Source: ISE 1.3 admin guide)
So the first recommendation is that the ISE PSN has the same clock as the local DC; on the other hand, the time zones in one distributed deployment should be the same on all nodes.
What to do?
Big thanks in advance!
Johannes
02-10-2015 11:13 AM
Hmm, interesting dilemma! I know the ISE nodes will definitely have to be on the same timezone but not 100% sure about the Domain Controllers. I do seem to recall that if the time was not correct the ISE nodes lost connectivity to the DCs. However, I am not 100% sure so I would like to see what others have to say about this.
Thank you for rating helpful posts!
02-10-2015 11:16 AM
I'm glad that this is no easy one :)
02-23-2015 10:55 PM
Sorry for doing such nasty things like pushing this thread.
Does anybody have an idea for my ISE problem? I doubt I'm the first one with this problem.
Or the other way around - how did you guys solve it in your deployments?
02-25-2015 10:30 PM
I was planning on testing this but have been super busy with work. Did you actually try to implement it and see if you ran into any issues?
03-05-2015 03:10 AM
Not yet. In my lab environment I don't have a multi-tier CA (and I'm not very good when it comes to Microsoft Active-Directory stuff :) )
Edit:
I did one very limited test in my testlab. In my testlab I have one DC and two ISE appliances.
Test1: I removed the AD join of the ISE appliances. The ISEs are configured for CET and I reconfigured the time zone of the DCs to UTC-7:00.
ISE and DC clocks are correct (synced against NTP), but the absolute time is different due to different time zones.
Then I joined the ISEs again - and it worked.
Test2: I removed the AD join of the ISE appliances. The ISEs are configured for CET and I configured an incorrect static time on the DCs (some weird time).
The ISE join wouldn't work:
Error Description: Clock skew detected with active directory server Support Details... Error Name: LW_ERROR_CLOCK_SKEW Error Code: 40087
Perfect - different time zones are obviously ok...
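The two lab tests above come down to one rule: Kerberos compares clocks in absolute time, so a DC running in a different time zone is fine as long as both sides agree on the UTC instant, while a wrong absolute time (Test2) trips the skew limit. The script below is an added example, not part of this thread and not Cisco or Microsoft code; it reproduces both tests with constructed timestamps (the site names and the 47-minute "weird time" are made up) by normalising each wall-clock reading to UTC and comparing the difference against the 5-minute Kerberos tolerance cited earlier in the thread.

```python
from datetime import datetime, timedelta, timezone

# Default maximum clock skew Kerberos tolerates (the "5 mins" cited in the thread).
MAX_SKEW = timedelta(minutes=5)


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a UTC offset, e.g. 2015-03-05T10:00:00+01:00.

    A reading without an offset is rejected: without it we cannot know the absolute instant,
    which is exactly the information Kerberos needs.
    """
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a UTC offset: {ts}")
    return dt


def skew_seconds(client_ts: str, dc_ts: str) -> float:
    """Absolute difference between two wall-clock readings, compared as UTC instants."""
    a = parse_ts(client_ts).astimezone(timezone.utc)
    b = parse_ts(dc_ts).astimezone(timezone.utc)
    return abs((a - b).total_seconds())


def within_kerberos_skew(client_ts: str, dc_ts: str, max_skew: timedelta = MAX_SKEW) -> bool:
    """True if the two clocks are close enough for a Kerberos exchange to succeed."""
    return skew_seconds(client_ts, dc_ts) <= max_skew.total_seconds()


def check_deployment(psn_clock: str, dc_clocks: dict) -> dict:
    """Map each DC name to (skew in seconds, ok flag) relative to one PSN's clock."""
    return {
        name: (skew_seconds(psn_clock, ts), within_kerberos_skew(psn_clock, ts))
        for name, ts in dc_clocks.items()
    }


# Constructed sample readings (hypothetical site names, not from the thread).
PSN_CET = "2015-03-05T10:00:00+01:00"          # ISE node configured for CET, NTP-synced
DC_TEST1 = "2015-03-05T02:00:00-07:00"         # DC moved to UTC-7, still NTP-synced
DC_TEST2 = "2015-03-05T02:47:00-07:00"         # DC with a wrong static time (47 min off)

if __name__ == "__main__":
    report = check_deployment(PSN_CET, {"dc-test1": DC_TEST1, "dc-test2": DC_TEST2})
    for name, (skew, ok) in report.items():
        # The failing case corresponds to the LW_ERROR_CLOCK_SKEW result seen in the thread.
        status = "ok" if ok else "CLOCK SKEW (join would fail)"
        print(f"{name}: skew {skew:.0f}s -> {status}")
```

The useful takeaway for a distributed deployment is that the check only ever looks at UTC instants: point every PSN and every DC at the same NTP hierarchy and the configured display time zone of each box becomes irrelevant to the AD join, which is why the admin-guide advice to run all ISE nodes on UTC and the Kerberos skew requirement do not actually conflict.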