Cisco ISE RODC

riferdiy
Level 1

Dear Team,

Based on the documentation (Active Directory Integration with Cisco ISE 2.0 - Cisco),

Cisco ISE 2.x supports RODC, as in the statement below:

Read-Only Domain Controllers

The following operations are supported on read-only domain controllers:
  •   Kerberos user authentication
  •   User lookup
  •   Attribute and group fetch

But I find in the mailer:

When using an RODC, Cisco ISE has limitations such as:

- Join / Leave
- MSCHAP user authentication
- PAP user authentication with MSRPC
- Machine authentication
- User / machine change password

The question:

When Cisco ISE can't join an RODC, how does Cisco ISE do "User Lookup" so it can be used in Cisco ISE policy configuration?

Is there any official documentation regarding this?

What is the configuration when a customer has an RODC but still wants to use the user/group/password database on the RODC for Cisco ISE policy?

Accepted Solution

hslai
Cisco Employee

To reiterate the info discussed offline:

ISE needs to join a regular DC first, and an RODC can then be used as a backup DC for the supported operations.

If an RODC is in the site where ISE is joined, then ISE might attempt to use it during failover and be subject to the limitations.

If an RODC can provide LDAP services, then yes, ISE can use it as an LDAP ID store. Please note that ISE does not support MSCHAPv2 with LDAP, so it has similar limitations to those cited for RODC.
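The accepted answer turns on one fact: if a site where ISE is joined contains an RODC, ISE may fail over to it and then hit the RODC limitations listed in the question. An administrator therefore wants to know which domain controllers in a site are RODCs before pointing ISE at it. The script below is an added example, not part of this thread and not Cisco's or Microsoft's tooling. It classifies AD computer objects as writable DC, RODC or ordinary member using the well-known primaryGroupID values (516 = Domain Controllers, 521 = Read-only Domain Controllers) and the userAccountControl flags SERVER_TRUST_ACCOUNT (0x2000) and PARTIAL_SECRETS_ACCOUNT (0x04000000), then reports which of the thread's listed operations would break if only RODCs remained. The `ComputerEntry` records are constructed sample data standing in for an LDAP search result; in a real domain the attributes would come from a query such as `(&(objectClass=computer)(primaryGroupID=521))`.

```python
from dataclasses import dataclass

# Well-known Active Directory RIDs and userAccountControl flags (real AD values).
RID_DOMAIN_CONTROLLERS = 516              # primaryGroupID of a writable DC
RID_READ_ONLY_DOMAIN_CONTROLLERS = 521    # primaryGroupID of an RODC
UAC_SERVER_TRUST_ACCOUNT = 0x00002000     # set on writable DC computer accounts
UAC_PARTIAL_SECRETS_ACCOUNT = 0x04000000  # set on RODC computer accounts

# LDAP filter that lists RODC computer objects in a domain (real LDAP syntax).
LDAP_RODC_FILTER = "(&(objectClass=computer)(primaryGroupID=521))"

# Operations the thread lists as supported / unsupported against an RODC.
RODC_SUPPORTED = ("Kerberos user authentication", "User lookup", "Attribute and group fetch")
RODC_UNSUPPORTED = (
    "Join / Leave",
    "MSCHAP user authentication",
    "PAP user authentication with MSRPC",
    "Machine authentication",
    "User / machine change password",
)


@dataclass(frozen=True)
class ComputerEntry:
    """Subset of an AD computer object as an LDAP search would return it."""
    dn: str
    primary_group_id: int
    user_account_control: int


def classify_dc(entry: ComputerEntry) -> str:
    """Return 'RODC', 'DC' or 'member' for one computer object.

    RODC is tested first: its account carries PARTIAL_SECRETS_ACCOUNT and
    primaryGroupID 521, whereas a writable DC carries SERVER_TRUST_ACCOUNT
    and primaryGroupID 516.
    """
    if (entry.primary_group_id == RID_READ_ONLY_DOMAIN_CONTROLLERS
            or entry.user_account_control & UAC_PARTIAL_SECRETS_ACCOUNT):
        return "RODC"
    if (entry.primary_group_id == RID_DOMAIN_CONTROLLERS
            or entry.user_account_control & UAC_SERVER_TRUST_ACCOUNT):
        return "DC"
    return "member"


def assess_site(entries) -> dict:
    """Summarise what an ISE node joined in this site could fall back to.

    If the site has RODCs but no writable DC, a failover leaves ISE talking
    only to an RODC, so every operation in RODC_UNSUPPORTED is at risk.
    """
    writable = [e.dn for e in entries if classify_dc(e) == "DC"]
    rodcs = [e.dn for e in entries if classify_dc(e) == "RODC"]
    rodc_only = bool(rodcs) and not writable
    return {
        "writable_dcs": writable,
        "rodcs": rodcs,
        "rodc_only_failover": rodc_only,
        "at_risk_operations": RODC_UNSUPPORTED if rodc_only else (),
        "still_supported_on_rodc": RODC_SUPPORTED if rodcs else (),
    }


# Constructed sample data (hypothetical domain example.test), not real directory output.
SAMPLE_HQ_SITE = [
    ComputerEntry("CN=DC01,OU=Domain Controllers,DC=example,DC=test", 516, 0x00082000),
    ComputerEntry("CN=RODC01,OU=Domain Controllers,DC=example,DC=test", 521, 0x04001000),
]
SAMPLE_BRANCH_SITE = [
    ComputerEntry("CN=RODC02,OU=Domain Controllers,DC=example,DC=test", 521, 0x04001000),
    ComputerEntry("CN=WKS01,CN=Computers,DC=example,DC=test", 515, 0x00001000),
]

if __name__ == "__main__":
    for name, site in (("hq", SAMPLE_HQ_SITE), ("branch", SAMPLE_BRANCH_SITE)):
        print(name, assess_site(site))
```

Run against the sample data, the HQ site reports a writable DC plus an RODC and no at-risk operations, while the branch site (RODC only) flags join/leave, MSCHAP, PAP over MSRPC, machine authentication and password change as the operations ISE could not perform there after a failover.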
