Cisco Cisco Identity Services Engine 1.3
If you do not select an Active Directory join point then the test is run on all the join points.
Step 5
Click Run All Tests on Node to start the test.
Step 6
Click View Test Details to view the details for tests with Warning or Failed status.
This table allows you to rerun specific tests, stop running tests, and view a report of specific tests.
This table allows you to rerun specific tests, stop running tests, and view a report of specific tests.
Active Directory Alarms and Reports
Cisco ISE provides various alarms and reports to monitor and troubleshoot Active Directory related activities.
Alarms
The following alarms are triggered for Active Directory errors and issues:
• Configured nameserver not available
• Joined domain is unavailable
• Authentication domain is unavailable
• Active Directory forest is unavailable
• AD Connector had to be restarted
• AD: ISE account password update failed
• AD: Machine TGT refresh failed
Reports
You can monitor Active Directory related activities through the following two reports:
• RADIUS Authentications Report—This report shows detailed steps of the Active Directory authentication and authorization.
You can find this report here: Operations > Reports > Auth Services Status > RADIUS Authentications.
• AD Connector Operations Report—The AD Connector Operations report provides a log of background operations performed
by AD connector, such as Cisco ISE server password refresh, Kerberos ticket management, DNS queries, DC discovery, LDAP,
and RPC connections management. If you encounter any Active Directory failures, you can review the details in this report to
identify the possible causes. You can find this report here: Operations > Reports > Auth Services Status > AD Connector
Operations.
and RPC connections management. If you encounter any Active Directory failures, you can review the details in this report to
identify the possible causes. You can find this report here: Operations > Reports > Auth Services Status > AD Connector
Operations.
Locate Ambiguous Identity Errors
You may encounter more than one identity with the same name in one forest. With multi join scenario this is more likely, especially
when you have several non-related companies in your Active Directory domain who have no mutual control over their usernames.
Using SAM names also increase the chances of name collision. Even NetBIOS prefix is not unique per forest. UPN works well but
alternate UPNs can collide. In all such scenarios you will encounter ambiguous identity errors.
when you have several non-related companies in your Active Directory domain who have no mutual control over their usernames.
Using SAM names also increase the chances of name collision. Even NetBIOS prefix is not unique per forest. UPN works well but
alternate UPNs can collide. In all such scenarios you will encounter ambiguous identity errors.
You can use the Authentications page under the Operations tab to look for the following attributes. These attributes can help you
understand and control which identities are actually used if you face an ambiguous identity error.
understand and control which identities are actually used if you face an ambiguous identity error.
• AD-Candidate-Identities—Whenever ambiguous identities are first located, this attribute shows the located identities. It can be
useful in determining why an identity is ambiguous.
25