- If you use Active Directory as your external identity source, and the connection to Active Directory is lost, then you must join all Cisco ISE nodes with Active Directory again. After the joins are complete, perform the external identity source call flows to ensure the connection.
- After upgrade, if you log in to the Cisco ISE user interface using an Active Directory administrator account, your login fails because the Active Directory join is lost during upgrade. You must use the internal administrator account to log in to Cisco ISE and join Active Directory with it.
- If you enabled certificate-based authentication for administrative access to Cisco ISE, and used Active Directory as your identity source, then you will not be able to launch the ISE login page after upgrade. This is because the join to Active Directory is lost during upgrade. To restore joins to Active Directory, connect to the Cisco ISE CLI, and start the ISE application in safe mode by using the following command:

  application start ise safe
After Cisco ISE starts in safe mode, perform the following tasks:
- Log in to the Cisco ISE user interface using the internal administrator account. If you do not remember your password or if your administrator account is locked, see Administrator Access to Cisco ISE in the Administrators Guide for information on how to reset an administrator password.
- Join Cisco ISE with Active Directory. For more information about joining Active Directory, see:
  - Configure Active Directory as an External Identity Source
  - Certificate Attributes Used with Active Directory
Cisco ISE identifies users using the attributes SAM (sAMAccountName), CN, or both. Cisco ISE Release 2.2 Patch 5 and above, and Release 2.3 Patch 2 and above, use the sAMAccountName attribute as the default attribute. In earlier releases, both the SAM and CN attributes were searched by default. This behavior changed in Release 2.2 Patch 5 and above, and 2.3 Patch 2 and above, as part of the fix for bug CSCvf21978; in these releases, only the sAMAccountName attribute is used as the default attribute.
You can configure Cisco ISE to use SAM, CN, or both, if your environment requires it. When SAM and CN are used, and the value of the sAMAccountName attribute is not unique, Cisco ISE also compares the CN attribute value.
To configure attributes for Active Directory identity search:
1. Choose . In the Active Directory window, click Advanced Tools, and choose Advanced Tuning. Enter the following details:
   - ISE Node—Choose the ISE node that is connecting to Active Directory.
   - Name—Enter the registry key that you are changing. To change the Active Directory search attributes, enter: REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField
   - Value—Enter the attributes that ISE uses to identify a user:
     - SAM—To use only SAM in the query (this option is the default).
     - CN—To use only CN in the query.
     - SAMCN—To use CN and SAM in the query.
   - Comment—Describe what you are changing, for example: Changing the default behavior to SAM and CN.
2. Click Update Value to update the registry.
   A pop-up window appears. Read the message and accept the change. The AD connector service in ISE restarts.
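As an added illustration (not Cisco ISE code) of the SAM, CN and SAMCN values above, and of the earlier statement that ISE also compares CN when the sAMAccountName value is not unique, the following Python model resolves a login name against a constructed sample directory under each setting. The directory entries, the `lookup_user` function, its `LookupResult` statuses and its fall-back to CN when SAM matches nothing are assumptions made for illustration; the registry key name is the one given on this page.

```python
"""Model of the IdentityLookupField behaviour described above.

Added illustration, not Cisco ISE code: it simulates how the three
Advanced Tuning values (SAM, CN, SAMCN) change which directory entry a
login name resolves to, including the case the page calls out, a
sAMAccountName value that is not unique. The directory entries are
constructed sample data; the exact matching order inside ISE is not
documented on the page, so the SAMCN branch is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

# Registry key from the page; the Value written to it is one of LOOKUP_MODES.
IDENTITY_LOOKUP_KEY = (
    r"REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField"
)
LOOKUP_MODES = ("SAM", "CN", "SAMCN")

# Constructed sample directory. Two entries deliberately share the
# sAMAccountName "jdoe" so that a SAM-only lookup is ambiguous.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Sales,DC=example,DC=com",
     "sAMAccountName": "jdoe", "cn": "Jane Doe"},
    {"dn": "CN=jdoe,OU=Legacy,DC=example,DC=com",
     "sAMAccountName": "jdoe", "cn": "jdoe"},
    {"dn": "CN=bsmith,OU=Eng,DC=example,DC=com",
     "sAMAccountName": "bsmith", "cn": "bsmith"},
]


@dataclass
class LookupResult:
    status: str            # "ok", "not_found" or "ambiguous"
    entry: Optional[dict]  # the resolved entry when status == "ok"


def _matches(entries, attr, value):
    """Entries whose attribute equals value; AD string attributes compare case-insensitively."""
    wanted = value.casefold()
    return [e for e in entries if e.get(attr, "").casefold() == wanted]


def lookup_user(login, mode="SAM", directory=DIRECTORY):
    """Resolve login to one directory entry under the given IdentityLookupField value."""
    if mode not in LOOKUP_MODES:
        raise ValueError(f"IdentityLookupField must be one of {LOOKUP_MODES}, got {mode!r}")

    if mode == "SAM":
        candidates = _matches(directory, "sAMAccountName", login)
    elif mode == "CN":
        candidates = _matches(directory, "cn", login)
    else:  # SAMCN
        candidates = _matches(directory, "sAMAccountName", login)
        if len(candidates) > 1:
            # sAMAccountName is not unique, so the CN value is compared as well
            # (the behaviour the page describes).
            candidates = _matches(candidates, "cn", login)
        elif not candidates:
            # No SAM match at all: fall back to CN (assumed, not stated on the page).
            candidates = _matches(directory, "cn", login)

    if not candidates:
        return LookupResult("not_found", None)
    if len(candidates) > 1:
        # A login that maps to more than one account must not authenticate as either.
        return LookupResult("ambiguous", None)
    return LookupResult("ok", candidates[0])


if __name__ == "__main__":
    for login, mode in (("jdoe", "SAM"), ("jdoe", "SAMCN"), ("Jane Doe", "CN"), ("bsmith", "SAM")):
        r = lookup_user(login, mode)
        print(f"{mode:5} {login!r:12} -> {r.status}", r.entry["dn"] if r.entry else "")
```

The "ambiguous" status is the case worth checking before changing the registry value: if a SAM-only lookup over your own directory data returns it for any login, that is the situation in which switching the Value to SAMCN (and accepting the AD connector restart) is meant to help, because the CN comparison is what disambiguates the duplicate sAMAccountName.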