Cisco Employee

Keepalive between ISE and AD?

Is there any keepalive mechanism in ISE to check availability of Active Directory?

Does ISE automatically leave the Active Directory domain and re-join during reboot if it is already joined?
CCO says that we need to manually re-join a domain after application reset or configuration restore.

How about a normal reboot?

Thanks in advance!

Accepted Solutions
VIP Advisor

Re: Keepalive between ISE and AD?

After a reboot for either ISE or AD, it will auto join as ISE will probe
ADs to check their availability. If the AD reachability is fluctuating or
unrecoverable, ISE will blacklist it.

For a network blacklist, the DC stays in the blacklist for 10 seconds.
For a server blacklist, the DC stays in the blacklist for 5 seconds.

Cisco Employee

Re: Keepalive between ISE and AD?

Thanks for your comments.

Could you tell me more details?

How, and how often, does ISE test the availability of AD?

(dummy LDAP query every 1 minute, etc.)

Cisco Employee

Re: Keepalive between ISE and AD?

I would recommend you look through Cisco Live content by Chris Murray on the subject.
https://www.ciscolive.com/global/on-demand-library/?search=chris%20murray#/session/14525434149870017MRf
What's new in ISE Active Directory connector - BRKSEC-2132

Cisco Employee

Re: Keepalive between ISE and AD?

The content is no longer available...

VIP Engager

Re: Keepalive between ISE and AD?

The last time the session ran was 2016 Berlin. This is one of the downsides of Cisco Live content: they drop the old yet still relevant sessions. In this case, What's new in ISE Active Directory connector - BRKSEC-2132 only has two left. This link will work for about a year and a half.

https://www.ciscolive.com/global/on-demand-library.html?search=BRKSEC-2132#/session/14525434149870017MRf