Cisco Cisco Identity Services Engine 2.0
Reports
You can monitor Active Directory related activities through the following two reports:
• RADIUS Authentications Report—This report shows detailed steps of the Active Directory authentication and authorization.
You can find this report here: Operations > Reports > Auth Services Status > RADIUS Authentications.
• AD Connector Operations Report—The AD Connector Operations report provides a log of background operations performed
by AD connector, such as Cisco ISE server password refresh, Kerberos ticket management, DNS queries, DC discovery, LDAP,
and RPC connections management. If you encounter any Active Directory failures, you can review the details in this report to
identify the possible causes. You can find this report here: Operations > Reports > Auth Services Status > AD Connector
Operations.
and RPC connections management. If you encounter any Active Directory failures, you can review the details in this report to
identify the possible causes. You can find this report here: Operations > Reports > Auth Services Status > AD Connector
Operations.
Locate Ambiguous Identity Errors
You may encounter more than one identity with the same name in one forest. With multi join scenario this is more likely, especially
when you have several non-related companies in your Active Directory domain who have no mutual control over their usernames.
Using SAM names also increase the chances of name collision. Even NetBIOS prefix is not unique per forest. UPN works well but
alternate UPNs can collide. In all such scenarios you will encounter ambiguous identity errors.
when you have several non-related companies in your Active Directory domain who have no mutual control over their usernames.
Using SAM names also increase the chances of name collision. Even NetBIOS prefix is not unique per forest. UPN works well but
alternate UPNs can collide. In all such scenarios you will encounter ambiguous identity errors.
You can use the Authentications page under the Operations tab to look for the following attributes. These attributes can help you
understand and control which identities are actually used if you face an ambiguous identity error.
understand and control which identities are actually used if you face an ambiguous identity error.
• AD-Candidate-Identities—Whenever ambiguous identities are first located, this attribute shows the located identities. It can be
useful in determining why an identity is ambiguous.
• AD-Resolved-Identities—After the identity is located and is used in operations such as authentication, get-groups and
get-attributes, this attribute is updated with the identity located. This might be more than one in case of identity clash.
• AD-Resolved-Providers—This attribute provides the Active Directory join point on which the identity was found.
View Active Directory Joins for a Node
You can use the Node View button on the Active Directory page to view the status of all Active Directory join points for a given
Cisco ISE node or a list of all join points on all Cisco ISE nodes.
Cisco ISE node or a list of all join points on all Cisco ISE nodes.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Source > Active Directory.
Step 2
Click Node View.
Step 3
Select a node from the ISE Node drop-down list.
The table lists the status of Active Directory by node. If there are multiple join points and multiple Cisco ISE nodes in a
deployment, this table may take several minutes to update.
The table lists the status of Active Directory by node. If there are multiple join points and multiple Cisco ISE nodes in a
deployment, this table may take several minutes to update.
Step 4
Click the join point Name link to go to that Active Directory join point page and perform other specific actions.
Step 5
Click the Diagnostic Summary link to go to the Diagnostic Tools page to troubleshoot specific issues. The diagnostic
tool displays the latest diagnostics results for each join point per node.
tool displays the latest diagnostics results for each join point per node.
25