cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

5016
Views
3
Helpful
9
Replies
paul
Advocate

ISE with AD One-Way Trusts

I am working on a large install where the company's AD has several one-way and two-way trusts setup in AD.  When I join ISE to their AD domain I can see the two-way trusts show up on the whitelist page.  I can turn off all the two-way trusted domains I don't care about and tell ISE to only search the domain I am joined to.  None of the one-way trusts show up in the list, but when I look at the authentication step records it appears that ISE is checking those domains as well or at least it is making the determination to skip those domain each time because they are one-way trust.

I may be looking at the data wrong, but wanted to know if this is functioning as designed. 

If I could whitelist those domains out it seems like it would stop ISE from even considering those domains on each authentication.

2 ACCEPTED SOLUTIONS

Accepted Solutions
hslai
Cisco Employee

CSCvi99138 opened to track this with the data provided by Arne (ISE 2.3 Patch 2).

Thanks a lot!

View solution in original post

Hi,

 

I am facing the same issue...the only difference is that I am running TACACS service on ISE and trying to authenticate Device access to admin. The device is part of domain 'bank.company.com' and the ISE is part of 'retail.company.com'.

I am (network admin)  part of both the domains. There is only one-way trust between the two domains and the domain 'bank.company.com'  appears as -'Unusable Domain' in ISE.

View solution in original post

9 REPLIES 9
hslai
Cisco Employee

Screen Shot 2018-04-09 at 8.33.21 AM.png

Clicking on "Show Unusable Domains" will show those 1-way trusted domains. Yes, you are correct that this is by design.

Ahh I see that now. Is ISE going through the skip unusable domains logic every time something authenticates? It appears in the step data each time.

I had the same issue.  I only whitelist the Domains I want but ISE is too clever sometimes and tries to connect with domain controllers that I am not even interested in.  And to make matters worse, we have a massive forest with domain controllers that I should/must not try to contact (hence, I don't whitelist them) and ISE tries anyway.  It can't establish a TCP connection and fails miserably all day long.  Filling up logs etc.  I have had to turn the syslog down from INFO to ERROR to stop the  Splunk sales guy from grinning so much

If you have a TAC case open on this, please ask TAC to log a bug.

Otherwise, please email me a copy of some sample logs with such issue.

Thanks.

hslai
Cisco Employee

CSCvi99138 opened to track this with the data provided by Arne (ISE 2.3 Patch 2).

Thanks a lot!

I found those are logged at INFO level:

  1. DCPriorityList::updatePriorityListDC: update score of existing entry,updatePriorityListDC(),lwadvapi/threaded/dc_pri_list.cpp:319
  2. LWNetSrvSelectDCInfoByScore: selected DC name=...
  3. MemDbExportToFileThread: Exporting registry to save file completed....
  4. Skipping forest name discovery for external trust at someDomainName

Are you suggesting not to log any of these or only some specific ones?

I've discussed this with our engineering team so am getting ready to log a bug once the specifics provided.

I recently read ISE requires a two-way trust between the domains. Does it not support the authentication in a domain where a one-way trust exists? Maybe the book I am reading is outdated and changes have been made? I am referring to the ability of the authentication server to query a domain with a one-way trust rather than a two way. Looking at implementing 802.1x which requires authentication into a domain I do not have access. Allowing a one-way trust should fix this but, it doesn't seem to be supported. Anyone have a work around?

 

Book I read requirement

CCNP-Security

SISAS 300-208

Aaron T. Woland

Kevin Redmond

Hi,

 

I am facing the same issue...the only difference is that I am running TACACS service on ISE and trying to authenticate Device access to admin. The device is part of domain 'bank.company.com' and the ISE is part of 'retail.company.com'.

I am (network admin)  part of both the domains. There is only one-way trust between the two domains and the domain 'bank.company.com'  appears as -'Unusable Domain' in ISE.

ffischer
Beginner

Hi,

have a larger ISE Node Deployment with all nodes joined to multiple Domains.

I only have whitelisted some domains, and I'm running 2.4 Patch10 here

Nevertheless I get messages with severity "error" in the AD Connector operation

stating various ISE Nodes cannot connect to DCs of not whitelisted domains.

 

So, I can still observe the issue described in Bug CSCvi99138

although bug description lists 2.4p10 as "solved in".

 

Anyone else here who could confirm that the issue still (or again) persists

in ISE 2.4p10 ?

 

BR

Frank

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube