Hello everyone,
So we're progressing each day in our IA test/implementation.
After we clarified some ISE issues (pxGrid 2.0 vs pxGrid 1.0), we bumped into some new and interesting information regarding the AD Global Catalog in sk134292, and I wanted to ask whether it would be recommended to move from standard "LDAP Account Units" to LDAP AUs pointing at the AD Global Catalog port.
We were thinking of going this way, as we have a big AD environment with several sub-domains, and therefore we were dealing with 10-15 LDAP AUs (5 per cluster to address each subdomain). The expectation, if we moved to LDAP AUs against the Global Catalog, would be fewer failed log-ins (we've seen a lot of those for identities sent from Cisco ISE without SGTs).
That would reduce those 15 LDAP AUs to 3 (as we look to have IA on 3 clusters).
Would that bring any improvement?
Thank you,
PS: also, while we looked into some problems, we failed to find a way to check AD resolution for a machine or username from the GW CLI. Whatever documents are out there are AD Query related. Any hints would be appreciated.
PS2: I was browsing the CheckMates portal last week/weekend, and I remember seeing somewhere that for user identities received from ISE (without SGT), we have a CLI option to search those identities against AD as well. Did I remember correctly, or am I going crazy 🙄....