ISE isn't authenticating against the correct active directory

SMD28316
Level 1

I have two active directories added to ISE, both have the same domain:

- ad1.domain.com
- ad2.domain.com

I added AD2 later, but ISE keeps authenticating against AD1 only. For users that exist in AD2 only, the live logs report shows the identity store as AD1 and the authentication fails as a result.


The authorization role the users hit on uses a condition that includes groups from both ADs, but only the old one is being selected. I created another authorization role to test the AD; it includes a condition for AD2 only, but ISE skips it and keeps authenticating against the old authorization role that is below the newly configured one.


The user exists in the impacted AD and I have tested it via ISE; both active directories are operational as well. I'm not sure what the issue is. Is there a configuration I'm missing? The identity sequence includes the new AD and ALL_AD_JOIN_POINTS, but the chosen identity store is always AD1.


I'm using a certificate authentication profile on the sequence. Do I need to edit it after adding the new AD2 or not?

1 Reply

Hi @SMD28316,

You said "... for users that exist in AD2 only ..."; is the AD2 data not being replicated to AD1?

At Administration > Identity Management > External Identity Sources > Active Directory, is your Active Directory Domain DOMAIN.COM?

At Administration > Identity Management > External Identity Sources > Active Directory > select your AD > select the Advanced Settings tab, double check the Identity Resolution configuration:
- If the Identity Store does not include the AD Domain
- If some of the Domains are unreachable


Hope this helps!!!