Cisco Cisco Identity Services Engine 1.3
When you reset the Cisco ISE application configuration from the command-line interface or restore configuration after a backup or
upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is already joined.
However, the Cisco ISE node account is not removed from the Active Directory domain. We recommend that you perform a leave
operation from the Admin portal with the Active Directory credentials because it also removes the node account from the Active
Directory domain. This is also recommended when you change the Cisco ISE hostname.
upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is already joined.
However, the Cisco ISE node account is not removed from the Active Directory domain. We recommend that you perform a leave
operation from the Admin portal with the Active Directory credentials because it also removes the node account from the Active
Directory domain. This is also recommended when you change the Cisco ISE hostname.
Before You Begin
If you leave the Active Directory domain, but still use Active Directory as an identity source for authentication (either directly or as
part of an identity source sequence), authentications may fail.
part of an identity source sequence), authentications may fail.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Check the check box next to the Cisco ISE node and click Leave.
Step 3
Enter the Active Directory username and password, and click OK to leave the domain and remove the machine account
from the Cisco ISE database.
If you enter the Active Directory credentials, the Cisco ISE node leaves the Active Directory domain and deletes the Cisco
ISE machine account from the Active Directory database.
from the Cisco ISE database.
If you enter the Active Directory credentials, the Cisco ISE node leaves the Active Directory domain and deletes the Cisco
ISE machine account from the Active Directory database.
To delete the Cisco ISE machine account from the Active Directory database, the Active Directory credentials
that you provide here must have the permission to remove machine account from domain.
that you provide here must have the permission to remove machine account from domain.
Note
Step 4
If you do not have the Active Directory credentials, check the No Credentials Available check box, and click OK.
If you check the Leave domain without credentials check box, the primary Cisco ISE node leaves the Active Directory
domain. The Active Directory administrator must manually remove the machine account that was created in Active
Directory during the time of the join.
If you check the Leave domain without credentials check box, the primary Cisco ISE node leaves the Active Directory
domain. The Active Directory administrator must manually remove the machine account that was created in Active
Directory during the time of the join.
Configure Authentication Domains
The domain to which Cisco ISE is joined to has visibility to other domains with which it has a trust relationship. By default, Cisco
ISE is set to permit authentication against all those trusted domains. You can restrict interaction with the Active Directory deployment
to a subset of authentication domains. Configuring authentication domains enables you to select specific domains for each join point
so that the authentications are performed against the selected domains only. Authentication domains improves security because they
instruct Cisco ISE to authenticate users only from selected domains and not from all domains trusted from join point. Authentication
domains also improve performance and latency of authentication request processing because authentication domains limit the search
area (that is, where accounts matching to incoming username or identity will be searched). It is especially important when incoming
username or identity does not contain domain markup (prefix or suffix). Due to these reasons, configuring authentication domains is
a best practice, and we highly recommended it.
ISE is set to permit authentication against all those trusted domains. You can restrict interaction with the Active Directory deployment
to a subset of authentication domains. Configuring authentication domains enables you to select specific domains for each join point
so that the authentications are performed against the selected domains only. Authentication domains improves security because they
instruct Cisco ISE to authenticate users only from selected domains and not from all domains trusted from join point. Authentication
domains also improve performance and latency of authentication request processing because authentication domains limit the search
area (that is, where accounts matching to incoming username or identity will be searched). It is especially important when incoming
username or identity does not contain domain markup (prefix or suffix). Due to these reasons, configuring authentication domains is
a best practice, and we highly recommended it.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click the Authentication Domains tab.
A table appears with a list of your trusted domains. By default, Cisco ISE permits authentication against all trusted domains.
A table appears with a list of your trusted domains. By default, Cisco ISE permits authentication against all trusted domains.
8