Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
926
Views
1
Helpful
2
Replies

ISE: Using AD Join Point w/ Global Catalog Server

Nico Bellack
Level 1
Level 1

‎06-01-2023 08:13 AM

Hello,

I have to connect our ISE to our AD via an AD Join Point, because we need nested group support.

So far I have used the LDAP connector, because I was able to use Port 3268, to send the requests to the GC.

 

Is it possible to address only the GC via the AD Join Point, so that I don't have to connect to the child DCs for subdomains?

Currently, ISE tries to resolve subdomains via DNS and then tries to connect to the child DCs via ldap (389). The thing is, we have a lot of distributed DCs in our environment. It's not scalable for us to ask every DC, due to firewalls and so on. It would be much easier for us if we just used the GC.

0 Helpful
2 Replies 2

Greg Gibbs
Cisco Employee
Cisco Employee

‎06-01-2023 03:16 PM

I'm not sure I understand the issue, so you might need to provide more specifics (a diagram might also help). ISE does query the GC for some information and the DC that the ISE nodes use primarily is controlled by how the Active Directory Sites & Services structure is setup in conjunction with DNS.

More details on how the AD connector works can be found here:
Active Directory Integration with Cisco ISE 2.x 

Nico Bellack
Level 1
Level 1

‎06-02-2023 03:43 AM

Hello Greg,

okay, I try to explain our scenario. But I'm not an AD specialst and I'm not the AD admin. We have a Domain "company.local" with a root-DC/GC Server. and we have Subdomains "abc.company.local", "xyz.company.local" and so on. The subdomains are "hosted" on Child-DCs.

Today we use the LDAP Connector in ISE to connect to the root-DC. We used Port 3268, so that ISE connects to the GC Service of the root-DC Server. I'm able to authenticate users and authorizise them with universal groups in AD. This worked perfekt for us. The benefit was, that we only needed Port 3268 to the root-DC Server.

But now we need to redesign this. We have to use nested groups in AD. nested groups are not supported via the LDAP Connector in ISE.

So, we have to switch to the AD Join Point Connector in ISE. For AD Join Point ISE needs more ports. Okay, we've permitted these ports to the root-DC. The AD Join Point works. ISE learns our Subdomains as "allowed domains". It looks fine. But, when I try to authenticate "user1@abc.company.local" ISE doesn't send the request to the root-DC/GC. ISE tries to send an LDAP Request (port 389) to the Child-DC for "abc.company.local", which was resolved via DNS.

Is there a way to "centralize" this communication to the root-DC/GC? It is not scalable for us, when ISE have to reach all of our child-DCs. We have a lot of DCs in branch office, which are firewall protected.

0 Helpful
Customers Also Viewed These Support Documents