Solved: ISE NTP Time Source

PutmanoAIT · ‎03-27-2018

I have implement Cisco ISE as TACACS server, I configured NTP point to my AD server for time synchronization. Unfortunately ISE always select LOCAL(*127.127.1.0) as a time source. Does we have any configuration to force the ISE to sync time with AD? Thank for your kindly support.

hslai · ‎03-28-2018

It seems to me the main issue is that your AD servers are both of Stratum 16. Clock_strata explains that

... The upper limit for stratum is 15; stratum 16 is used to indicate that a device is unsynchronized. ...

Please check on support documents on Microsoft servers for troubleshooting. For example,

[2018-Mar-29] Looking at it again, I think your AD servers are not responding to NTP requests from ISE, because the column "reach" showing 0. Please troubleshoot that issue first.

View solution in original post

bijin bharathan · ‎03-28-2018

Hi,

Below Technote should help you.

Troubleshoot ISE and NTP Server Synchronization Failures on Microsoft Windows - Cisco

PutmanoAIT · ‎03-28-2018

Hi bbharathan,

How can I get into Cisco ISE root level?

Thanks.

Jason Kunst · ‎03-28-2018

We don’t let you into root level.

I would recommend making sure your NTP source is a good one per the document

Tac can assist in troubleshooting

hslai · ‎03-28-2018

It seems to me the main issue is that your AD servers are both of Stratum 16. Clock_strata explains that

... The upper limit for stratum is 15; stratum 16 is used to indicate that a device is unsynchronized. ...

Please check on support documents on Microsoft servers for troubleshooting. For example,

[2018-Mar-29] Looking at it again, I think your AD servers are not responding to NTP requests from ISE, because the column "reach" showing 0. Please troubleshoot that issue first.