PSN loses connection to PAN/MnT

kkvitovs
Cisco Employee

According to this discussion, "If the connection between PAN & PSN breaks, the PSN will have all the old configuration; it won't affect authentication/posturing, only the new changes on the PAN will not get replicated to the PSN." According to BRKSEC-3432, the PSN queries AD directly. In case we have a hybrid/medium or a large distributed deployment and we have a PSN in a branch office (PAN/MnT are in the main HQ), what will happen if:
1. There is no AD in this branch office and the connection with PAN/MnT is lost? Since we lose the connection to the AD, I don't think that the PSN will be able to authenticate the new connections. The PSN will just keep the current connections, won't it?
2. There is AD in the branch office and the connection with PAN/MnT is lost? Since we have a connection with AD, it should keep working and it won't affect authentication/posturing and any other services, correct?

2 Accepted Solutions

howon
Cisco Employee

That is correct, the PSN authenticates users directly via AD.

1. If the connection between the PSN and AD is affected, then new users will not be able to authenticate.

2. If AD is local to the PSN, then authentication still works; however, if the PAN is not reachable, some flows will not work. Please refer to the table at the link below:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59

 


Mohammed al Baqari
VIP Advisor
1. Yes, and when existing connections trigger re-authentication, it will fail.
2. Correct, only if your branch AD is RW. If it is RO, then it will break, as ISE requires an RW AD for authentication. This is a restriction in ISE. Also, in AD Sites and Services you need to make sure that this branch is configured to authenticate with its local AD (using the source subnet, for example).


*** Remember to rate useful posts
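For the AD Sites and Services point in the answer above, here is an added example (not from the original thread and not Cisco or Microsoft reference code) that uses the RSAT ActiveDirectory PowerShell module to bind the branch subnet containing the PSN to a branch site, and then checks that the DC locator resolves that site to a writable DC rather than falling back to an RODC or to a DC in another site. The site name, subnet and domain name are assumed placeholders; the RW requirement is the one stated in the answer.

```powershell
# Added example: map the branch subnet to its own AD site so a PSN in that
# subnet locates the branch DC, then verify a writable DC answers for the site.
# Run on a domain-joined Windows host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SiteName   = "Branch01"        # assumed site name
$PsnSubnet  = "10.20.0.0/16"    # assumed branch subnet that contains the PSN's IP
$DomainName = "example.com"     # assumed AD domain name

# 1. Create the branch site if it does not exist yet.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# 2. Bind the subnet to the site. DC locator selects the most specific subnet
#    object that contains the client's source IP, so the PSN address must fall
#    inside this prefix for the PSN to be treated as a member of the branch site.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$PsnSubnet'")) {
    New-ADReplicationSubnet -Name $PsnSubnet -Site $SiteName -Location "Branch office"
}

# 3. Show every subnet currently mapped to the branch site (Site is stored as a DN).
Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { $_.Site -like "CN=$SiteName,*" } |
    Select-Object Name, Location, Site

# 4. Ask the DC locator for a *writable* DC in the branch site. If no RW DC is
#    reachable there, the locator falls back to a DC in another site, which is
#    exactly the case where the branch would not survive a WAN outage.
$dc = Get-ADDomainController -Discover -DomainName $DomainName `
        -SiteName $SiteName -Writable -ForceDiscover

if ($dc.Site -ne $SiteName) {
    Write-Warning ("No writable DC in site {0}; locator returned {1} in site {2}. " +
                   "An RODC-only branch does not satisfy the ISE RW requirement." -f
                   $SiteName, $dc.HostName, $dc.Site)
} else {
    Write-Output ("Writable DC for site {0}: {1}" -f $SiteName, $dc.HostName)
}
```

The check in step 4 is the one worth automating: a site object with a subnet attached but only an RODC behind it looks healthy in Sites and Services, yet the PSN's authentications would still depend on a writable DC across the WAN.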
