cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2187
Views
3
Helpful
9
Replies

ISE Distributed Deployment

bikespace
Level 1
Level 1

Hi All,

Deploying multiple PSN's with a  distributed deployment, do all the PSN's have to be in the same domain? I  have 8 set up in one domain, and would like to run a few more through  firewalls and using a different dns domain.

Also interested to see  how AD integration works with this. I'd still expect to join the nodes  to the common AD domain. Would they be able to join an AD domain which  isn't linked with their FQDN?

I'm hoping that running the other policy nodes on an external domain, I can use a standard CSR for the external public certs.

All comments, suggestions, spoliers welcomed! Question is out to Cisco but I know the value of these forums too.

9 Replies 9

Tarik Admani
VIP Alumni
VIP Alumni

Hi,

You will have to join all ISE nodes to the same AD domain since the policy for user enforcement (for any external conditions) is configured at the Primary Admin node and replicated down to the PSNs. However, if you choose to configure a different dns domain for one PSN and then join it to the command AD domain, the only issue I see with this is SAMAccount name being sent in the username and not the UPN.

If a user requests authentication with johndoe and your AD domain is abc.com but your dns domain is def.com, then ISE will try to authenticate johndoe@def.com (from my experience), there have been some improvements where ISE should be able to note that this is an authentication request and should suffix the request with johndoe@abc.com but I am not 100 percent sure.

If you have a cisco account rep (with your deployment size I am absolute sure you do) have them ping the BU on this issue and see what the official response is.

Thanks,

Tarik Admani
*Please rate helpful posts*

Yep, I'm joining all nodes to the same AD domain (although on a slightly different note I did wonder what the interaction of each node type is with AD if it's all replicated between, but I guess all of them need to talk to AD individually. I haven't found anything that says the admin node ever talks directly with AD. I have a protocol/port diagram which shows just the PSN's talking with AD. Be interesting to find out what interaction each node type has with AD).

I'll have to watch out for the issue you mention with sending the wrong domain. Hopefully it's been sorted.

As long as I can join a PSN that sits in a different DNS domain to the existing setup then we should  hopefully be able to overcome the other problems.

Thanks for your reply.

B

Hi,

The admin node only talks to AD for policy definition, so if you join AD and then decide to add an Active Directory group to a condition then that is what the communication is mostly for.

For the most part the PSN will perform the authentication locally based on the configuration assigned from the Admin node. Now you have a case with the MNT nodes, I really do not know if that needs to talk to AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

In summary, I have 6 nodes, 2 admins, 2 monitor and 2 PSN. I'm now adding another 2 PSN's behind a firewall, on a different DNS domain. All nodes are resolvable from all other nodes. While building the PSN's the ping gateway failed as customer firewall will not allow icmp reply. However NTP said it failed too, although we know firewall wasn't dropping it. I carried on anyway, and the node built. When I logged in I confirmed that NTP had indeed connected (so I have no idea why it didn't even try earlier - we checked on firewall logs, no attempt made).

All looked OK, until adding the new PSN's to the distributed deployment. All I've done with certificates is exported the self signed cert from the new nodes and imported to the admin node. I then registered the new nodes as PSN's and it showed as registered. From that point on though the PSN's are showing ISE NODE-NOT-REACHABLE even though there is absolutely nothing dropped on the firewall. Logging in to the GUI of the PSN, the node is still in Standalone mode.

Any idea's?

Are you natting the traffic from the firewall or is there an mpls circuit or a site to site vpn configured where the ip is the real ip and not translated?

Thanks,

Tarik Admani
*Please rate helpful posts*

No NAT involved, just passing through Checkpoint firewall to a VLAN on same site.

Tarik Admani
VIP Alumni
VIP Alumni

Are you blocking any ports? Also is the return traffic from the psn able to resolve the admin node fqdn?

Sent from Cisco Technical Support Android App

bikespace
Level 1
Level 1

CSCua55485 split domain does not work.

We tested a workaround this week which was successful.

Basically ISE doesn't use the FQDN for part of the process.

The workaround is to add the host name to local DNS domain as well as the remote one, so for instance if ise1.domaina.com resolves to 1.1.1.1, then add ise1.domainb.com pointing to 1.1.1.1 also.

Bit messy, but it works.

Workaround has been updated in the bug I believe.

Sent from Cisco Technical Support iPhone App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: