Removal of Domain from the ISE

Hi Experts,

We have a multi-domain AD integration with ISE (2.6), and both domains were added to ISE manually. We are able to 'see' the other domain's groups in the whitelisted domains (I believe a 'trust' is established between the two). Now one of the domains is no longer required and needs to be removed.

Can someone please suggest the best practice for removing a domain that is no longer required, or provide a checklist of steps to perform, so that we don't inadvertently delete any groups from the other domain (which is still required) that are referenced in the Authentication/AuthZ policies?

Thanks in advance



hslai (Cisco Employee)

Take an ISE configuration backup first. Then, remove any authorization rules, sponsor groups, or admin groups referencing them.

Hi @hslai

Thanks for the reply :)

I believe that when deleting the AD domain, if it is referenced anywhere in the policies, ISE will throw an error implying it is in use, but without mentioning 'where' it is being used.

Does that leave us with the only option of manually looking through the 'complete' configuration, from checking MAB, 802.1X and admin groups to all the Identity Source Sequences and certificate profiles...?

As I mentioned, two different domains are added separately into ISE with a 'trust' established between them. What are the points to be considered on the AD end as well before deleting it...?

Could you please share any document suggested by Cisco, as I'm not able to find any.

Thank you in advance

ISE does provide some pointers to where the domain is referenced when trying to delete it, but it can only provide a single linkage for the error.

Example:

[screenshot: Screen Shot 2020-08-24 at 9.27.58 am.png]

You would still need to manually go through the configuration and remove the items that reference that domain, preferably in the reverse order that they were originally configured. The list below would be a good start. If you find that something is missing as you go through this activity in your environment, please feel free to post an update to benefit others that need to do the same.

  1. Authorisation and Authentication policies (RADIUS & TACACS)
  2. Identity Source Sequences and Certificate Authentication Profiles
  3. Library Conditions
  4. Sponsor Groups
  5. Any match conditions in Posture or Client Provisioning Policies
  6. Admin Access (Admin Groups mapped to External Groups; Authentication mapped to External ID Source)

All the above being said, I tried the same with my ISE 2.7 p2 VM and found that I still get a generic error when trying to delete the AD join point.

I suspect there is some link that is not being cleanly removed. If you see the same, you will need to open a TAC case to have the references removed from the Oracle DB using root access.

Hi @Greg Gibbs

Thanks for the reply.

We have two different domains that are integrated separately into ISE but are able to 'see' each other's groups (I believe a 'trust' is established). Please excuse my lack of skills on the AD end.

1. Is there any configuration which needs to be checked or actioned from the AD end as well...?

2. Modifying the Oracle DB @ root level, does it require any reboot or restart of ISE services...?

1. Is there any configuration which needs to be checked or actioned from the AD end as well...?

I'm no AD expert, so this is more of a question for an MS forum. Try the following link for a start:
https://www.serverbrain.org/maintaining-2000-2003/removing-a-trust.html

2. Modifying the Oracle DB @ root level, does it require any reboot or restart of ISE services...?

I don't believe it requires a restart, but TAC would need to confirm that. You would still want to take a config backup and schedule this activity for a maintenance window.