Solved: Re: ISE LDAP Communication to Secondary AD

Rob4 · ‎07-25-2019

Hi All,

I have a customer that connects their ISE deployment to their main Active Directory Domain. They are seeing traffic from a PSN to a secondary Active Directory domain that has a one-way trust with the main Active Directory domain.

Is there any reason there would be traffic to the secondary domain if its not specified in the config? The secondary domain is not listed in the secondary domains for the ISE deployment.

Appreciate any guidance.

Thanks,

Rob

hslai · ‎07-26-2019

Such traffic is for AD domain and forest discovery.

View solution in original post

Rob4 · ‎07-26-2019

Thanks for the reply. So, if there was no trusting between the two domains, would we see that discovery still?

Thanks,

Rob

View solution in original post

hslai · ‎07-26-2019

Such traffic is for AD domain and forest discovery.

Rob4 · ‎07-26-2019

Thanks for the reply. So, if there was no trusting between the two domains, would we see that discovery still?

Thanks,

Rob

hslai · ‎07-27-2019

Yes.

Rob4 · ‎07-29-2019

Thanks for the assistance. Do we have any documentation to show this behavior? The customer will need to provide some info to other team members.

Thanks,

Rob

Nidhi · ‎07-29-2019

I suggest going through Cisco Live session - BRKSEC-2132 which has information about discovery !

Thanks,

Nidhi

Rob4 · ‎07-30-2019

Thanks so much for the info!

ISE LDAP Communication to Secondary AD

ISEを用いたAD連携による、ASAでのVPN認証（Cisco Secure Client）の設定方法について

CMS - AD LDAP 署名とチャネルバインディング有効化による影響

ISEを用いたAD連携による、ASAでの L2TP over IPsec (IKEv1) の設定方法について

ISE Sponsor & My Devices Authorization on Secondary Attributes (LDAP)

Doc - Implementación y Configuración de Cisco ISE