01-26-2024 12:22 PM
(Names have been changed for anonymity.)
Background: We have been taken over by a new organization and are in the process of migrating domains in a rather complex SDA deployment. The first planned phase is to migrate all users to the new domain and phase two will be to create a new Fabric in that domain (new DNAC & ISE clusters) then migrate the network and connected users during a scheduled outage to that Fabric. SDA is, and will only be, deployed for devices at our subdomain level. We have full control of ISE, DNAC, the previous domain and the new subdomain. The new organization controls the new forest.
Current domain: original.OldDomain.com
New subdomain (what we control): SiteA.main.newdomain.com
New domain (what we do not control): main.newdomain.com
Issue: I have modified our 802.1x policy sets to include AD groups from "original.OldDomain.com" OR "SiteA.main.newdomain.com". When testing a user against all join points, I enter a known good user ID and password from SiteA.main.newdomain.com and here are the results:
Resolving identity - <known good user>
Search for matching accounts at join point - original.OldDomain.com
No matching account found in forest - original.OldDomain.com
Search for matching accounts at join point - SiteA.main.newdomain.com
Skipping unavailable forest - main.newdomain.com
Identity resolution detected no matching account
Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE
ISE has been joined to SiteA.main.newdomain.com with a service account that has full permission to AD at that level. ISE is also joined to original.OldDomain.com with a different AD account with appropriate permissions. I am confused why it is "skipping the unavailable forest" since we only want ISE to authenticate to the subdomain. Is it possible to authenticate ONLY to the subdomain or does ISE require a service account at the forest level as well? It is going to be extremely difficult to get the forest owners to give us a service account with that level of access so any way around this would be appreciated.
TIA
ChuckMcF
01-27-2024 12:20 AM
- What ISE version is being used ?
- Examine the content of show logging application ad_agent.log
- Check DNS; make sure that the new AD servers are known by PTR records in the ISE environment (too)
M.
01-29-2024 04:53 AM
Apologies - the ISE version is 3.2P4. Parsing the log files that you recommended at the moment. Troubleshooting is slower due to working with an outside entity. Will update this thread as it progresses. The log is currently showing "domain marked as offline", which is odd because Admin-->Identity Management-->External Identity Sources-->Active Directory--><new domain>-->Diagnostic Tools shows all tests as green.
01-29-2024 07:34 AM
Found the solution to get ISE to authenticate to the subdomain:
Administration-->Identity Management-->External Identity Sources-->Active Directory-->SiteA.main-->Advanced Settings-->Identity Rewrite--><choose>Apply the Rewrite Rules Below to modify username:
If Identity Matches [IDENTITY] Rewrite as [IDENTITY]@SiteA.main.newdomain.com
We are now able to resolve to the new subdomain that we control.
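The rewrite rule in the post above matches every identity, so a reader copying it should know what it does to names that already carry a domain. The following Python is an added example (not ISE's code and not from the original poster); it models ISE-style identity rewrite rules under the assumption that rules are evaluated top-down with first match winning and that a [TOKEN] placeholder matches any non-empty run of characters. It compares the single rule from the post with an ordered rule set that leaves already-qualified names alone. The user names and the old-domain UPN are constructed for the demo; verify the exact matching semantics against the ISE admin guide before relying on them.

```python
"""Model of ISE identity rewrite rules (added example, not ISE code).

Assumption: ISE evaluates rewrite rules top-down, the first rule whose
'If Identity Matches' pattern fully matches wins, and a [TOKEN]
placeholder matches any non-empty run of characters.
"""
import re
from typing import Dict, List, Tuple

TOKEN = re.compile(r"\[([A-Z]+)\]")

# Subdomain controlled by the original poster, as given in the thread.
SUBDOMAIN = "SiteA.main.newdomain.com"

# The single rule from the post: every identity gets the subdomain UPN suffix.
POST_RULE: List[Tuple[str, str]] = [
    ("[IDENTITY]", f"[IDENTITY]@{SUBDOMAIN}"),
]

# Safer ordering: pass UPN and DOMAIN\user forms through unchanged and
# suffix only bare user names. The first two rules are assumptions about
# what a practitioner would add, not something the thread states.
ORDERED_RULES: List[Tuple[str, str]] = [
    ("[IDENTITY]@[DOMAIN]", "[IDENTITY]@[DOMAIN]"),
    ("[DOMAIN]\\[IDENTITY]", "[DOMAIN]\\[IDENTITY]"),
    ("[IDENTITY]", f"[IDENTITY]@{SUBDOMAIN}"),
]


def compile_match(pattern: str) -> "re.Pattern[str]":
    """Turn an 'If Identity Matches' pattern into a regex.

    Literal text is escaped; each [TOKEN] becomes a named, non-greedy
    group so that [IDENTITY]@[DOMAIN] splits at the first '@'.
    A token may appear at most once per pattern in this model.
    """
    parts: List[str] = []
    pos = 0
    for m in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        parts.append(f"(?P<{m.group(1)}>.+?)")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))


def rewrite(identity: str, rules: List[Tuple[str, str]]) -> str:
    """Apply the first matching rule; an unmatched identity passes through."""
    for match_pat, out_pat in rules:
        m = compile_match(match_pat).fullmatch(identity)
        if m is None:
            continue
        groups: Dict[str, str] = m.groupdict()

        def expand(t: "re.Match[str]") -> str:
            name = t.group(1)
            if name not in groups:
                raise ValueError(f"rewrite references [{name}] not in match")
            return groups[name]

        return TOKEN.sub(expand, out_pat)
    return identity


if __name__ == "__main__":
    # Constructed sample identities as a supplicant might send them.
    samples = ["jdoe", "jdoe@original.OldDomain.com", "ORIGINAL\\jdoe"]
    for name, rules in (("post rule", POST_RULE), ("ordered", ORDERED_RULES)):
        for ident in samples:
            print(f"{name:9} {ident:30} -> {rewrite(ident, rules)}")
```

With the single rule from the post, a user who types jdoe@original.OldDomain.com is rewritten to jdoe@original.OldDomain.com@SiteA.main.newdomain.com, which no join point will resolve; the ordered set suffixes only bare names, which is what the post needed.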