11-19-2020 03:46 PM
We have two domains as part of our ISE HA node deployment. We are noticing some of our policy nodes cannot authenticate to one of our domains and it has ended up being that it is just one AD server. I know ISE will reach out to the domain and whichever AD server comes back it uses but it seems like this AD server is stuck in some of the policy nodes as they always seem to use it. Some of the other nodes have no problem with authentication and they seem to go to different AD servers. Is there a way to force ISE not to use a specific AD server for authentication? I'm running ISE 2.6.
11-20-2020 12:33 AM
- You may also want to check the problematic AD server's (auth) logs. Check if that can provide more insight.
M.
11-22-2020 02:23 PM
When joined to the domain, the ISE nodes choose which Domain Controller to communicate with based upon how your AD Sites are organised. Ideally, you would have the IP subnets that the ISE nodes use configured in your Sites structure and pointing to the closest Domain Controller. The DC that ISE would fall back to in the event that the primary one fails or becomes unresponsive would also be controlled by Active Directory.
Have a look at this high-level write-up on AD Sites & Services.
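To make the subnet-to-site mechanism described in the reply above concrete, here is an added example (not from the thread, not Cisco ISE or Microsoft code) that models how Active Directory Sites & Services resolves a client's IP, here an ISE policy node, to a site by longest-prefix match and therefore to the DCs that site advertises. All site names, subnets, DC hostnames and node addresses are constructed for illustration; the model deliberately covers only the subnet lookup and not site links, automatic site coverage or the DC locator's own failover logic. Its practical use is the audit at the bottom: a node whose IP is not covered by any configured subnet has no site affinity, which is one reason different nodes can end up pinned to different, possibly distant, DCs.

```python
"""
Model of AD Sites & Services subnet-to-site resolution for ISE policy nodes.
Added example, not ISE or Microsoft code. All names and addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed: subnet -> AD site, as it would be defined under Sites & Services.
# Note the /24 nested inside the /16: the more specific prefix must win.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.10.0.0/16": "Campus-A",
    "10.10.50.0/24": "Campus-A-DataCenter",
    "10.20.0.0/16": "Campus-B",
}

# Constructed: DCs homed in each site (hypothetical hostnames).
SITE_DCS: Dict[str, List[str]] = {
    "Campus-A": ["dc-a1.example.test", "dc-a2.example.test"],
    "Campus-A-DataCenter": ["dc-dc1.example.test"],
    "Campus-B": ["dc-b1.example.test"],
}


def resolve_site(ip: str, subnet_to_site: Dict[str, str]) -> Optional[str]:
    """Return the site whose subnet most specifically contains ip.

    Longest prefix wins, mirroring how AD picks among overlapping subnet
    objects. Returns None when no configured subnet covers the address; AD
    then has no site affinity for that client and DC choice is effectively
    arbitrary, which is the failure mode worth auditing for.
    """
    addr = ipaddress.ip_address(ip)
    best_len = -1
    best_site: Optional[str] = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_len = net.prefixlen
            best_site = site
    return best_site


def preferred_dcs(ip: str, subnet_to_site: Dict[str, str],
                  site_dcs: Dict[str, List[str]]) -> List[str]:
    """DCs a client at ip would prefer; empty when the IP maps to no site."""
    site = resolve_site(ip, subnet_to_site)
    if site is None:
        return []
    return list(site_dcs.get(site, []))


def audit_nodes(nodes: Dict[str, str], subnet_to_site: Dict[str, str],
                site_dcs: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each ISE node (name -> IP) to its resolved site.

    'UNMAPPED' flags nodes outside every configured subnet; a site with no
    DCs defined is also flagged, since the client cannot stay local either way.
    """
    report: Dict[str, str] = {}
    for name, ip in nodes.items():
        site = resolve_site(ip, subnet_to_site)
        if site is None:
            report[name] = "UNMAPPED"
        elif not site_dcs.get(site):
            report[name] = f"{site} (no DCs defined for site)"
        else:
            report[name] = site
    return report


if __name__ == "__main__":
    # Constructed node inventory; ise-psn-03 sits outside every subnet object.
    NODES = {
        "ise-psn-01": "10.10.50.12",
        "ise-psn-02": "10.10.7.8",
        "ise-psn-03": "192.168.99.5",
    }
    for node, status in audit_nodes(NODES, SUBNET_TO_SITE, SITE_DCS).items():
        print(f"{node:12s} -> {status}")
```

Feeding it the real subnet and DC lists exported from Sites & Services, with the policy nodes' actual addresses, shows at a glance which nodes lack a site mapping or resolve to a site whose DCs are the ones misbehaving.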