Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10461
Views
67
Helpful
13
Replies

ISE AD Sites and Services

psullivan1984
Level 1
Level 1

‎02-21-2018 12:09 PM - edited ‎02-21-2020 10:46 AM

Have a 6 node deployment; 3 nodes in DC1 and 3 nodes in DC2. PAN primary is in DC1 and MnT is in DC2. 2 PSN per DC.

Wireless controllers are centralized at the DCs and therefore, the wireless client VLANs are local to the DC. 

We use AD sites and services. The wireless subnets were input into sites and services based on the site they wireless client are located, ie a DC local to the site (not a DC at the data center). 

I need to determine if ISE is sending the re/authentication back to the local DC (based on AD sites and services pointing the subnet to the site domain controllers) or if ISE is using the domain controller local to the data center.

 

1 person had this problem
Labels:
0 Helpful
13 Replies 13

Octavian Szolga
Level 4
Level 4

‎02-22-2018 03:23 AM - edited ‎02-22-2018 03:24 AM

Hi,

 

I don't see the connection between WIFI clients/AD Sites & Services + ISE.

If you want ISE to authenticate clients using a specific DC, ISE's subnet should be included in the same site as the DC you want to use. My thought is that the DC you're seeing in ISE AD join point is the DC you're now using.

Capture.PNG

 

 

Thanks,

Octavian

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to Octavian Szolga

‎02-22-2018 12:32 PM

Hello Octavian,

i have the similar problem with some remote location with its local DC & PSN getting to central DC for authentication. In the ISE PAN i have configuration of specific FQDN (auth-ldpa.local) in Administration>External Identity Sources>LDAP>CUSTOMERSPECIFIC_AD_LDAP > LDAP Identity Source>Connection tab , which resolves into central DC from everywhere except of remote PSN where i configured "ip host <IP-of-the-site-local-DC> auth-ldap.local"to force remote PSN to go to its local DC. but it doesnt work and remote PSN explicitly shows central DC in its record in Administration>Active Directory>CUSTOMER-AD>Connection. As i understood your message, to overcome this the AD must be reconfigured with adding remote site and moving there both remote DC and remote location subnets. Is it correct?

Octavian Szolga
Level 4
Level 4
In response to andy!doesnt!like!uucp

‎02-23-2018 01:52 AM

Hi,

I think you should open a new post, but to answer your question, I think you mixed the AD part with the LDAP source sequence.

 

Use only one of them if you're referring to the same target. Why use both for the same AD setup? If your infrastructure uses AD, use the AD identity source. If you're using something else besides MS AD, use LDAP.

 

The static mapping should be used for some other scenarios (gues with different physical port on PSN).

 

For the local PSN to use the local DC, the sysadmin guys have to configure AD Sites and Services and to make sure that the subnet(s) for both the PSN and the local DC belong to the same 'Site'.

Check BRKSEC-3699 (CiscoLive) and there is another but I don't remember the number which talked exclusively about the AD Connector in ISE.

a.PNG

 

 

 

b-sec.PNG

 

 

 

 

Thanks,

Octavian

 

 

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to Octavian Szolga

‎02-23-2018 02:02 AM

Hello Octavian

Many thanks for the feedback. I’ve managed to find proper BRKSEC & it states about the same u’ve just mentioned.

This document claims hard-coding of the DC’s IP in PSN as being a bad practice, but says nothing about how it can be implemented.

Do you have any hints on it?

Br, Andy

Octavian Szolga
Level 4
Level 4
In response to andy!doesnt!like!uucp

‎02-23-2018 02:06 AM - edited ‎02-23-2018 02:06 AM

Hi Andy,

 

Unfortunately, this is all I have as an MS link:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731907(v=ws.11

 

An M$ guy would know for sure :)

 

Thanks,

Octavian

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to Octavian Szolga

‎02-23-2018 02:10 AM

HTTP code 404 :)
But i've been asking for the configuring PSN node itself to connect to the custom DC. U might miss sence of my Q

Octavian Szolga
Level 4
Level 4
In response to andy!doesnt!like!uucp

‎02-23-2018 05:52 AM

Hi Andy,

Sorry, I was carried away. To be honest, I'm not sure how you could do that. (and I would not do it if I were you; just use sites and services)

 

Maybe this can be of help:

https://communities.cisco.com/thread/84704?start=0&tstart=0

 

Thanks,

Octavian

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to Octavian Szolga

‎02-25-2018 05:10 AM

Hi Octavian

Thank for the reference. now i'm absolutely sure that hardcoding of DC to use on PSN is done via Active Directory Advanced Tuning. But one (perhaps Cisco TAC) need to know the variable (perhaps one under REGISTRY) to implement this :)

Cheers

@Octavian Szolga wrote:

Hi Andy,

Sorry, I was carried away. To be honest, I'm not sure how you could do that. (and I would not do it if I were you; just use sites and services)

 

Maybe this can be of help:

https://communities.cisco.com/thread/84704?start=0&tstart=0

 

Thanks,

Octavian

@Octavian Szolga wrote:

Hi Andy,

Sorry, I was carried away. To be honest, I'm not sure how you could do that. (and I would not do it if I were you; just use sites and services)

 

Maybe this can be of help:

https://communities.cisco.com/thread/84704?start=0&tstart=0

 

Thanks,

Octavian

 

M@rco
Level 1
Level 1
In response to andy!doesnt!like!uucp

‎02-09-2022 01:04 AM

Hey Andi,

 

could you metion the proper BRKSEC number please?

 

 

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to M@rco

‎02-09-2022 01:40 PM

I believe he was referring to BRKSEC-2132 -- What's new in ISE Active Directory Connector. This session was from 2016, so it is no longer available on the CiscoLive site.

If you do a search, however, you should be able to find a copy hosted elsewhere.

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to M@rco

‎02-09-2022 11:35 PM

i think it was BRKSEC-3697 Advanced ISE Services, Tips & Tricks

but try also to use reference Gregg gave.

psullivan1984
Level 1
Level 1
In response to Octavian Szolga

‎02-23-2018 06:02 AM

Octavian, thanks for the response. So ISE will use whatever domain controller is shown under Administration > External Identity Sources > Active Director. Sites and services has no bearing on the process.

 

As far as the wireless clients "sites and services" subnets are concerned (maybe need a new thread in mobility section), since their gateways and WLCs are physically located in the data center, does it make sense to point all wireless subnets in sites and services to the domain controllers at the data centers, instead of a domain controller locally at the site? From a traffic forwarding perspective, just want to confirm it wouldn't make sense for a client to be connected to a wifi network with the gateway in the data center, forward traffic back to the domain controller, back to the data center, and then back to the client.

0 Helpful

Octavian Szolga
Level 4
Level 4
In response to psullivan1984

‎02-23-2018 07:11 AM

Hi,

 

Sites an services functionality is related to whatever you see in ISE AD section. You have to make sure that both PSN and DC belong to the same MS site.

Regarding the WIFI clients and your APs in local mode - all traffic sent to main DC/WLC - it makes sense to configure the clients subnet to be part of the same site as the DC server, because as you said, both networks are present in the DC, not locally in the branch. So make sure that sites and services is configured correct and that your clients are using the DC DNS servers so that your traffic won't bounce back and forth from DC to branch and so on.

 

Thanks,
Octavian

 

 

Customers Also Viewed These Support Documents