
Issue With One AD Server Authenticating With ISE

We have two domains as part of our ISE HA node deployment.  We are noticing some of our policy nodes cannot authenticate to one of our domains and it has ended up being that it is just one AD server.  I know ISE will reach out to the domain and whichever AD server comes back it uses but it seems like this AD server is stuck in some of the policy nodes as they always seem to use it.  Some of the other nodes have no problem with authentication and they seem to go to different AD servers.  Is there a way to force ISE not to use a specific AD server for authentication?  I'm running ISE 2.6.

2 Replies

marce1000
VIP

- You may also want to check the problematic AD-server's (auth)-logs. Check if that can provide more insights.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Greg Gibbs
Cisco Employee

When joined to the domain, the ISE nodes choose which Domain Controller to communicate with based upon how your AD Sites are organised. Ideally, you would have the IP subnets that the ISE nodes use configured in your Sites structure and pointing to the closest Domain Controller. The DC that ISE would fall back to in the event that the primary one fails or becomes unresponsive would also be controlled by Active Directory.

Have a look at this high-level write-up on AD Sites & Services.
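
Added example (not part of the replies above and not Cisco-provided code): a PowerShell check, run from an admin workstation with the ActiveDirectory (RSAT) module, that shows which AD site each ISE node IP maps to through the Sites subnet objects and which Domain Controllers sit in that site. The node names and IP addresses are constructed placeholders, and the script handles IPv4 subnets only.

```powershell
Import-Module ActiveDirectory

# Constructed placeholder values: replace with your ISE policy node names and IPs.
$IseNodes = @{ 'ise-psn-01' = '10.10.20.11'; 'ise-psn-02' = '10.30.5.12' }

function ConvertTo-IPv4Number ([string]$Ip) {
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr -split '/'
    $len = [int]$len
    if ($len -eq 0) { return $true }
    # Netmask with the top $len bits set, held in a long to avoid sign issues.
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len))
    ((ConvertTo-IPv4Number $Ip) -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)
}

# Subnet objects from AD Sites and Services; skip IPv6 entries.
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { $_.Name -notmatch ':' }

foreach ($node in $IseNodes.GetEnumerator()) {
    # The most specific (longest prefix) subnet containing the IP decides the site.
    $match = $subnets |
        Where-Object { Test-InSubnet $node.Value $_.Name } |
        Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
        Select-Object -First 1

    if (-not $match -or -not $match.Site) {
        Write-Warning "$($node.Key) ($($node.Value)): no AD subnet/site mapping found"
        continue
    }

    $site = (Get-ADReplicationSite -Identity $match.Site).Name
    $dcs  = Get-ADDomainController -Filter "Site -eq '$site'" |
        Select-Object -ExpandProperty HostName

    [pscustomobject]@{
        Node = $node.Key; IP = $node.Value; Subnet = $match.Name
        Site = $site;     DCs = $dcs -join ', '
    }
}
```

A node that triggers the warning, or that maps to a site containing the problematic Domain Controller, is where to start comparing against the Sites structure described above.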