Cisco Cisco Identity Services Engine 1.3
5
If the DC site and client site are not the same, the AD Connector performs a DNS SRV query scoped to the discovered client site,
gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers, and processes
only the first response, if any. The response originator (that is, DC) is selected. If there is no DC in the client's site serving the
site or no DC currently available in the site, then the DC detected in Step 2 is selected.
gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers, and processes
only the first response, if any. The response originator (that is, DC) is selected. If there is no DC in the client's site serving the
site or no DC currently available in the site, then the DC detected in Step 2 is selected.
You can influence the domain controllers that Cisco ISE uses by creating and using an Active Directory site. See the Microsoft Active
Directory documentation on how to create and use sites.
Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection
before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are
selected. You can create a list of preferred DCs in the following cases:
Directory documentation on how to create and use sites.
Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection
before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are
selected. You can create a list of preferred DCs in the following cases:
• The SRV records are bad, missing or not configured.
• The site association is wrong or missing or the site cannot be used.
• The DNS configuration is wrong or cannot be edited.
DC Failover
Domain controller (DC) failover can be triggered by the following conditions:
• The AD connector detects if the currently selected DC becomes unavailable during the LDAP, RPC, or Kerberos communication
attempt. The DC might be unavailable because it is down or has no network connectivity. In such cases, the AD connector
initiates DC selection and fails over to the newly selected DC.
initiates DC selection and fails over to the newly selected DC.
• The DC is up and responds to the CLDAP ping, but AD connector cannot communicate with it for some reason, for example
if the RPC port is blocked, the DC is in the broken replication state, or the DC has not been properly decommissioned. In such
cases, the AD connector initiates DC selection with a black list (“bad” DC is placed in the black list) and tries to communicate
with the selected DC. Neither the DC selected with the blacklist nor the blacklist is cached.
cases, the AD connector initiates DC selection with a black list (“bad” DC is placed in the black list) and tries to communicate
with the selected DC. Neither the DC selected with the blacklist nor the blacklist is cached.
DNS Failover
You can configure up to three DNS servers and one domain suffix. If you are using Active Directory identity store sequence in Cisco
ISE, you must ensure that all the DNS servers can answer forward and reverse DNS queries for any possible Active Directory DNS
domain you want to use. DNS failover happens only when the first DNS is down, the failover DNS should have the same recorder
as the first DNS. If a DNS server fails to resolve a query, the DNS client does not try another DNS server. By default, DNS server
retries the query twice and timeout the query in 3 seconds.
ISE, you must ensure that all the DNS servers can answer forward and reverse DNS queries for any possible Active Directory DNS
domain you want to use. DNS failover happens only when the first DNS is down, the failover DNS should have the same recorder
as the first DNS. If a DNS server fails to resolve a query, the DNS client does not try another DNS server. By default, DNS server
retries the query twice and timeout the query in 3 seconds.
Resolve Identity Algorithm
For an identity, different algorithms are used to locate the user or machine object based on the type of identity, whether a password
was supplied, and whether any domain markup is present in the identity. Following are the different algorithms used by Cisco ISE
to resolve different types of identities.
was supplied, and whether any domain markup is present in the identity. Following are the different algorithms used by Cisco ISE
to resolve different types of identities.
If the identity has been rewritten according to configured identity rewrite rules, then identity resolution
is applied to the rewritten identity.
is applied to the rewritten identity.
Note
28