ISE 2.2 nodes contacting DCs of non-authentication domains

redoak
Level 1

Dear Community Support!

We have a customer with a big, distributed ISE 2.2 (with patch 4) system that is integrated with an Active Directory domain consisting of two AD forests that have a two-way trust. ISE is configured to authenticate against only one of them (as shown in ad-settings.png).

Is there any way to prevent an ISE 2.2 system from contacting the DCs (there are more than 30 of them) of the other forest (the non-authentication domain)?

All the ISE nodes are periodically trying to contact the DCs of the other forest via LDAP, as can also be seen in the reports (see ad-connector-report.png).

Reading the https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html document, I do not see any details about that, only that the other, non-authentication domain will not be checked for authentication and authorization.

Authentication Domains

When Cisco ISE is joined to an Active Directory domain, it will automatically discover the join point's trusted domains. However, not all domains may be relevant to Cisco ISE for authentication and authorization. Cisco ISE allows you to select a subset of domains from the trusted domains for authentication and authorization. This subset of domains is called authentication domains. It is recommended to define the domains where users or machines are located that you intend to authenticate, as authentication domains. Defining authentication domains enhances security by blocking domains thus restricting user authentications from taking place on these domains. It also helps optimize performance because you can skip domains that are not relevant for policies and authentication and help Cisco ISE to perform identity search operations more efficiently.

What is the reason for ISE to enforce the LDAP connection if it is not needed for authentication and authorization?

Thanks for your answer,

János
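As an added example (not from the original post or from Cisco ISE), the script below takes AD connector report rows and the configured authentication domains and lists, per ISE node, the DCs contacted that lie outside those domains, so the discovery traffic described above can be quantified before opening a debug session. The report row format, node names, domains and DC names are all constructed for illustration and are not the real report layout.

```python
"""Classify DC contacts against configured ISE authentication domains.

Constructed example: the report tuple format and all names are assumed,
not taken from a real ISE AD connector report.
"""
from collections import defaultdict

# Constructed sample rows: (ISE node, DC FQDN, protocol).
SAMPLE_REPORT = [
    ("ise-psn-01", "dc01.corp.example.com", "LDAP"),
    ("ise-psn-01", "dc07.partner.example.net", "LDAP"),
    ("ise-psn-02", "dc02.corp.example.com", "KERBEROS"),
    ("ise-psn-02", "dc12.partner.example.net", "LDAP"),
    ("ise-psn-02", "dc13.partner.example.net", "LDAP"),
]

# Hypothetical configuration: only one forest is selected as an
# authentication domain; the trusted partner forest is not.
AUTH_DOMAINS = {"corp.example.com"}


def domain_of(dc_fqdn):
    """Strip the host label: dc01.corp.example.com -> corp.example.com."""
    return dc_fqdn.split(".", 1)[1].lower() if "." in dc_fqdn else ""


def in_auth_domain(dc_fqdn, auth_domains):
    """True if the DC belongs to an authentication domain or a child of one."""
    dom = domain_of(dc_fqdn)
    return any(dom == a or dom.endswith("." + a) for a in auth_domains)


def contacts_outside_auth_domains(report, auth_domains):
    """Per ISE node, the set of contacted DCs that are NOT in an
    authentication domain. Non-empty sets are the discovery-only traffic
    an administrator would want to review or baseline."""
    outside = defaultdict(set)
    for node, dc, _proto in report:
        if not in_auth_domain(dc, auth_domains):
            outside[node].add(dc)
    return dict(outside)


if __name__ == "__main__":
    result = contacts_outside_auth_domains(SAMPLE_REPORT, AUTH_DOMAINS)
    for node, dcs in sorted(result.items()):
        print(f"{node}: {len(dcs)} DC(s) outside auth domains: {sorted(dcs)}")
```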

Accepted Solution

hslai
Cisco Employee

It could be routine DC discovery. We need to set AD to debug and check the debug logs.

2 Replies

Jason Kunst
Cisco Employee

If you’re not authenticating with that domain have you tried removing it from the list?

Would recommend looking at this for deep detail about the connector: <https://www.ciscolive.com/global/on-demand-library/?search=BRKSEC-2132#/session/14525434149870017MRf>

What's new in ISE Active Directory connector - BRKSEC-2132 <https://www.ciscolive.com/global/on-demand-library/?search=BRKSEC-2132#/session/14525434149870017MRf>

Event: 2016 Berlin

Chris Murray, Technical Leader, Cisco
