09-21-2012 01:07 PM - edited 03-10-2019 07:34 PM
Hello, we have recently purchased ISE and are in the process of initial configuration. We have joined the appliances to our AD. Now in our firewall rules, we see the ISE appliance sending LDAP (389) traffic to all of our DCs. Is there a way to limit which DCs ISE will query, or does it just pull up a list of DCs from the domain that is joined? If I do an NSLOOKUP on just the domain, I see numerous DCs listed, but ISE is sending to DCs that are outside of this list as well. I am not an AD guy, so forgive me if I do not understand how this is populated, but I am very confused on how ISE is getting the IPs of all the DCs. And I would really like to restrict it if possible, since many of the DCs are behind firewalls that we did not open up for ISE to talk to, so the traffic is just being denied and filling up our syslog with denies.
Also, is there a show command, CLI or GUI, to show which DCs the ISE appliances know about?
We are running 1.1.1.268 code.
Thank you all in advance for your help.
09-21-2012 01:59 PM
Hi,
If you are using sites and services in your DNS environment then ISE should only query the domain controllers that are sent in the DNS response for GC and DC resolution requests. You may need to consult your AD and DNS folks in order to ensure that the ISE is only given the correct domain controllers.
Thanks,
Tarik Admani
*Please rate helpful posts*
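To reconcile the reply above with the firewall denies in the original question, here is an added example (not from this thread or from Cisco) that parses constructed `dig +short SRV` output for the site-scoped and domain-wide `_ldap._tcp` records, orders the DCs the way an SRV client would, and lists the advertised DCs that a firewall allow list does not cover. The `example.com` domain, the `HQ` site name, the hostnames and the allow list are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `dig +short SRV _ldap._tcp.HQ._sites.dc._msdcs.example.com`
# output (priority weight port target); hostnames are made up for illustration.
SITE_SRV = """\
0 100 389 dc1.example.com.
0 100 389 dc2.example.com.
10 50 389 dc-remote1.example.com.
"""
# Constructed sample of `dig +short SRV _ldap._tcp.dc._msdcs.example.com` (domain-wide).
DOMAIN_SRV = """\
0 100 389 dc1.example.com.
0 100 389 dc2.example.com.
0 100 389 dc-remote1.example.com.
0 100 389 dc-remote2.example.com.
"""

def parse_srv(text):
    """Parse `dig +short SRV` lines into (priority, weight, port, host) tuples."""
    records = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$", line)
        if m:
            pri, wt, port, host = m.groups()
            records.append((int(pri), int(wt), int(port), host.lower()))
    return records

def preferred_hosts(records):
    """Hosts ordered as an SRV client tries them: lowest priority first,
    higher weight first within the same priority (ties keep DNS order)."""
    by_pri = defaultdict(list)
    for pri, wt, _port, host in records:
        by_pri[pri].append((wt, host))
    ordered = []
    for pri in sorted(by_pri):
        ordered.extend(h for _w, h in sorted(by_pri[pri], key=lambda x: -x[0]))
    return ordered

def unreachable(records, allowed):
    """Advertised DCs that the firewall allow list does not permit: these are the
    hosts that would show up as denies once a client falls through to them."""
    allowed = {h.lower().rstrip(".") for h in allowed}
    return sorted({r[3] for r in records} - allowed)

if __name__ == "__main__":
    fw_allow = ["dc1.example.com", "dc2.example.com"]  # assumed firewall policy
    print("site order   :", preferred_hosts(parse_srv(SITE_SRV)))
    print("not permitted:", unreachable(parse_srv(DOMAIN_SRV), fw_allow))
```

Replace the constructed strings with real `dig +short SRV` output for your own site and domain to see which DCs DNS is actually handing to ISE.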