04-25-2023 06:53 AM
We have ISE 2.6 in our environment and are testing some stuff with AD connection.
Is there a way to connect to a specific AD Domain controller?
TIA
Shubham
04-25-2023 07:52 AM
You can leverage the feature of Whitelisted Domains in Active Directory page of ISE.
04-25-2023 08:28 AM
If I understand your question correctly, AD Sites and Services is what you are looking for: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2503911.html
04-25-2023 09:01 AM
I think so too. I read somewhere that using AD Sites and Services can be helpful. But that's it, no more details on how we can leverage that to force ISE/PSN to connect to a specific Domain Controller.
04-25-2023 03:52 PM
See a similar discussion here:
https://community.cisco.com/t5/network-access-control/ise-ad-sites-and-services/td-p/3335406
ISE joins the domain as a computer account, so it leverages standard AD functions for determining which Domain Controller(s) it should communicate with and in which order. With properly configured AD Sites and the IP/subnet of the ISE node(s) mapped to the correct Site in AD, the ISE nodes will automatically communicate with the DC associated with that Site.
You can read more about AD Sites here:
https://www.windows-active-directory.com/active-directory-sites.html
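The mechanism described in the reply above, as an added example that is not part of the thread: ISE is a domain member, so the DC it talks to is chosen by the standard DC locator, which matches the client's IP against the subnets defined in AD Sites and Services and prefers DCs in the matching site. The PowerShell below (run on a Windows host with the ActiveDirectory RSAT module, from an account allowed to modify site topology) creates a site, maps the PSN subnet to it, and then verifies which DCs the locator returns for that site. The site name, subnet and domain are assumed placeholders.

```powershell
# Added example, not from the original post: map the ISE PSN subnet to an AD Site
# so the DC locator returns that site's DCs first. Values below are assumptions.
Import-Module ActiveDirectory

$SiteName   = 'DC-East'            # assumed AD site hosting the preferred DC(s)
$IseSubnet  = '10.20.30.0/24'      # assumed subnet containing the ISE PSN node(s)
$DomainFqdn = 'corp.example.com'   # assumed AD domain ISE is joined to

# 1. Create the site if it does not already exist.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# 2. Map the PSN subnet to that site. The locator picks the most specific
#    subnet containing the client IP, so a /24 here overrides a broader /16
#    that might otherwise point the PSNs at a different site.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$IseSubnet'")) {
    New-ADReplicationSubnet -Name $IseSubnet -Site $SiteName
}

# 3. List the DCs that belong to the site; these are what the PSNs will prefer.
#    If this returns nothing, the site has no DC and the locator falls back to
#    the closest site per site-link cost, which is the "wrong DC" symptom.
Get-ADDomainController -Filter "Site -eq '$SiteName'" |
    Select-Object Name, IPv4Address, Site

# 4. Ask the locator the same question a member in that site would ask.
Get-ADDomainController -Discover -SiteName $SiteName -DomainName $DomainFqdn |
    Select-Object HostName, IPv4Address, Site

# 5. Equivalent check with the built-in locator client (forces a fresh lookup).
nltest /dsgetdc:$DomainFqdn /site:$SiteName /force
```

Steps 3 to 5 are the check to run before blaming ISE: if the locator does not return the intended DC for the site from a Windows host, it will not for the PSNs either. Note that this steers ISE toward a site, not a single server; if only one DC exists in that site it is effectively pinned, but the locator will still fail over to other sites when it is unavailable.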
04-26-2023 08:16 AM
Agree with Greg. Use AD Sites and Services. However, if there is a very specific requirement to connect to a specific DC in a domain, then open a TAC case. TAC may help with Advanced Tuning of the Active Directory connection.