ISE connections to DCs in an AD multidomain forest

mverbon
Level 1

Hi all,

I have some questions about Active Directory with a multidomain forest, specifically the connections from ISE to the DCs in the different domains.

We are using an Active Directory with multidomain forests. Hopefully someone can help me with my questions.


All DCs are also DNS servers. DNS forward and reverse lookup zones are in place, DNS is working fine, everything is resolvable.
The ISE machines are joined to child1.domain.local.


However, the authentication / authorization takes place in child2.domain.local. All objects are located in this domain.
Normally ISE could / should join the child2 domain directly, but in this design this is not possible because the management of the different AD domains is separated.

Cisco ISE supports Active Directory with multidomain forests.
Within the forest, Cisco ISE connects to a single domain (in this case child1), but can access resources from the other domains (in this case child2) in the Active Directory forest if trust relationships are established between the domain to which Cisco ISE is connected and the other domains. All is working fine.


For this to work properly, the ISE machines seem to have to be able to connect to all DCs in the forest: parent and child domains.

Question 1: why is it necessary for ISE to connect to the DCs in the parent domain? We had to allow this traffic to pass the firewall between the 2 domains for authentication to work for objects in the child2 domain.

So all firewalls are properly configured to allow for this.
However, when a parent DC is taken offline and / or a child2 DC is taken offline, there seems to be a disruption in the authentication / authorization.


It looks like there is no active failover to the remaining DCs in the parent and / or in child2.

Question 2: is it possible to see in ISE what connections are being used to the Domain Controllers in the parent and child2 domains?

I used the AD connector reports in the reports function. But these are not very conclusive on what connections are being used to which DCs in the child and parent domains.

Question 3: Is there extra information, from the perspective of ISE, on how this works with regard to all the necessary connections from the ISE machines to the DCs in the domains?

Thanks in advance,

Martin

4 Replies

hslai
Cisco Employee

In general, ISE AD runtime contacts the global catalog (GC) server(s) and the domain controllers for authentications and attribute retrievals. You may turn DEBUG on Active Directory and check on ad_agent.log files, either from ISE admin CLI, or downloaded from ISE admin web UI, or as part of support bundles.

If you have not reviewed it before, take a look at BRKSEC-2132 from the On-Demand Library - Cisco Live Global Events.
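The reply above says the ISE AD runtime contacts global catalog servers as well as domain controllers, and the original post asks which DC connections the firewall must allow and whether failover to the remaining DCs works. The following script is an added example, not ISE or Cisco code: it builds a reachability matrix for the DCs and GCs of a forest like the one described (root domain.local, children child1 and child2, all names constructed) from the ISE node's point of view, and flags every domain/service pair left without a failover target. The DC lists stand in for the DNS SRV answers a DC locator would use; the port numbers are the standard AD ones and are an assumption, not a statement of what ISE specifically requires.

```python
"""Added example (not ISE code): reachability matrix for the DCs and GCs of a
multi-domain forest, to check firewall rules and failover from the ISE node.
DC lists are constructed inline, standing in for the DNS SRV answers
(_ldap._tcp.dc._msdcs.<domain>, _gc._tcp.<forest root>) a DC locator uses."""
import socket
from collections import defaultdict

# Constructed topology: forest root with two child domains; ISE joins child1,
# the user and machine objects live in child2.
DCS = {
    "domain.local": ["dc1.domain.local", "dc2.domain.local"],
    "child1.domain.local": ["dc1.child1.domain.local", "dc2.child1.domain.local"],
    "child2.domain.local": ["dc1.child2.domain.local", "dc2.child2.domain.local"],
}
# Assumption: the first DC of every domain also holds the global catalog role.
GCS = ["dc1.domain.local", "dc1.child1.domain.local", "dc1.child2.domain.local"]
# Standard AD ports assumed here; not a statement of what ISE itself requires.
PORTS = {"ldap": 389, "kerberos": 88}
GC_PORT = 3268


def tcp_probe(host, port, timeout=2.0):
    """Real probe: True when a TCP connect to host:port succeeds in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachability(dcs=DCS, gcs=GCS, probe=tcp_probe):
    """Return {domain: {service: [reachable hosts]}}, plus a 'forest-gc' entry.
    `probe` is injectable so an outage (parent DCs blocked by the firewall, a
    child2 DC taken offline) can be simulated without a network."""
    matrix = defaultdict(dict)
    for domain, hosts in dcs.items():
        for service, port in PORTS.items():
            matrix[domain][service] = [h for h in hosts if probe(h, port)]
    matrix["forest-gc"]["gc"] = [h for h in gcs if probe(h, GC_PORT)]
    return dict(matrix)


def no_failover(matrix):
    """Domain/service pairs where fewer than two hosts answer: one more
    outage there leaves ISE with nothing to fail over to."""
    return sorted(f"{d}/{s}" for d, svcs in matrix.items()
                  for s, hosts in svcs.items() if len(hosts) < 2)
```

Run `reachability()` once with the real `tcp_probe` from a host with the same firewall path as the ISE nodes, then again with a probe that returns False for the DCs you plan to take offline, and compare the two `no_failover` lists before touching production.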

Hi,

Thanks for the reply. Yes, I have reviewed this presentation and it does not answer my questions regarding the connections to the parent in a multi-domain forest environment. The join point is the child1 domain, the child2 domain is used for authentication and is whitelisted. But when the firewall rules are changed to block the connections between ISE and the parent domain, authentication is not working in the child2 domain. So, this is really necessary and permitted in the firewall to get it to work. I am wondering why. There is a statement in the presentation:

By default ISE will discover all trusted domains from each join point, page 91. So I can imagine this is causing the connections to the parent? But why!

I also reviewed session BRKSEC-3697; this presentation covers the whole process of AD Domain Controller Selection.

This is very helpful on how best to join an AD environment, but there is not a lot of information regarding the scenario I use.

Regarding the debug options, I will discuss enabling this for a particular amount of time. It is production!!

We also have to disable some DCs in the parent domain to see if failover is working correctly. At this moment there are signs it is not working correctly.

So, I will continue to investigate this.

Thanks and best regards,

Martin

Hi all,

I am setting up the debugging, first in my own test environment with the 6 DCs in the different domains as the drawing shows.

For now debug is on for Active Directory and identity-store-ad. What I want to see are all the LDAP connections between ISE and the DCs.

On the CLI I did a "show logging application ise-psc.log tail" and a "show logging application ad_agent.log tail" and let them run for quite some time. But there is no usable logging of LDAP connections to the DCs.

Any ideas on how to get this information from ISE?

Thx and best regards,

Martin

hslai
Cisco Employee

If you are using the ISE AD connector to your AD, then ad_agent.log is the main file of interest and you should see the LDAP queries made in the log files. If using the ISE LDAP connector, you may take a look at prrt-server.log.