12-15-2017 04:33 AM
Dear Community Support!
We have a customer with a big, distributed ISE 2.2 (with patch 4) system that is integrated with an Active Directory environment consisting of two AD forests that have a two-way trust. ISE is configured to authenticate against only one of them (as shown in ad-settings.png).
Is there any way to force an ISE 2.2 system not to contact the DCs (there are more than 30 of them) of the other forest (the non-authentication domain)?
All the ISE nodes are periodically trying to contact the DCs of the other forest via LDAP, which can be seen in the reports (see ad-connector-report.png) as well.
Reading the https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html document, I do not see any details about that, only that the other non-authentication domain will not be checked for authentication and authorization:
When Cisco ISE is joined to an Active Directory domain, it will automatically discover the join point's trusted domains. However, not all domains may be relevant to Cisco ISE for authentication and authorization. Cisco ISE allows you to select a subset of domains from the trusted domains for authentication and authorization. This subset of domains is called authentication domains. It is recommended to define the domains where users or machines are located that you intend to authenticate, as authentication domains. Defining authentication domains enhances security by blocking domains thus restricting user authentications from taking place on these domains. It also helps optimize performance because you can skip domains that are not relevant for policies and authentication and help Cisco ISE to perform identity search operations more efficiently.
What is the reason for ISE to force the LDAP connection if it is not needed for authentication and authorization?
Thanks for your answer,
János
12-15-2017 08:14 AM
It could be routine DC discovery. We need to set AD to debug and check the debug logs.
12-15-2017 06:29 AM
If you’re not authenticating with that domain have you tried removing it from the list?
Would recommend looking at this for deep detail about the connector: What's new in ISE Active Directory connector - BRKSEC-2132 (https://www.ciscolive.com/global/on-demand-library/?search=BRKSEC-2132#/session/14525434149870017MRf)
Event: Cisco Live 2016 Berlin. Speaker: Chris Murray, Technical Leader, Cisco.