The AD connector between Cisco ISE and Microsoft Active Directory can become unstable when a heavily customized and hardened AD configuration, together with change activities, causes AD nodes to flap. When that happens, the connectivity between ISE and Active Directory can go down and stay down even after the failed AD node comes back up; ISE does not fail over to the other AD servers even though they stayed up.
When this occurs, the only workaround to restore ISE connectivity to the AD servers is to restart the ISE application from the ISE CLI.
This script was developed to apply that workaround automatically whenever the issue occurs. It is a temporary measure, intended for use until the issue is permanently fixed in software.
Cisco Products & Services:
Third-Party Products & Services:
Update the variables with the required information in the environment variables file (env_user.py).
Verify IP reachability between ISE server and the machine where the script is to run, and between ISE server and the AAA client where authentication is to be monitored.
Verify that the username and password used in the authentication checks are valid and can successfully authenticate.
Run the script by:
$ python ise_ad_script.py
Notes:
For sample runs of the script, please check the screenshots folder.
It is recommended to install the Python dependencies in a new virtual environment based on Python 2.7 or above. For information on setting up a virtual environment please check: http://docs.python-guide.org/en/latest/dev/virtualenvs/
The Python package prerequisites are listed in the "requirements.txt" file, located in the root directory of this distribution. To install them:
$ pip install -r requirements.txt
This project is licensed to you under the terms of the Cisco Sample Code License.
The script was developed to automatically apply the workaround to a connectivity issue that occurs when an AD server is restarted.
AD servers are sometimes restarted, either by accident or on purpose during a maintenance window. When this happens, the AD connector between Cisco ISE and Microsoft Active Directory becomes unstable. The instability can be triggered by highly customized and hardened AD configurations and by change activities that cause AD nodes to shut down and come back up in rapid succession. The result is that the connectivity between ISE and AD can go down when an AD node is restarted and stay down even after that node comes back up, and ISE does not fall back to the other AD servers, even though they remain active.
When this disconnect occurs, the only workaround to restore the ISE connectivity to AD servers is to restart the ISE application from the ISE CLI. This is inconvenient, especially when the affected ISE cluster is responsible for remote-access VPN authentication. In that scenario, a network engineer would have to go on-site to apply the workaround, being unable to log in via VPN. This script automates the workaround, restarting ISE and re-enabling connectivity, without having to go on-site.
When ISE disconnects from AD, you want to automatically restart the ISE application and reconnect to Active Directory. For a general overview of integrating Active Directory with Identity Services Engine, watch this video: https://www.youtube.com/watch?v=iBm993LgbFc.
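The control loop the script automates can be summarized as: probe the authentication path with a known test account, and when it fails persistently, restart ISE. The example below is an added illustration of that loop and is not code from this project. It assumes Python 3.7 or later, and it abstracts the two environment-specific pieces (the RADIUS test authentication against the AAA client, and the restart issued over the ISE CLI) as callables, so that the decision logic can be exercised offline with constructed probe results. It goes slightly beyond the text by adding a failure threshold, a cooldown between restarts, and an escalation limit, so a flapping AD node cannot drive ISE into a restart loop.

```python
"""Watchdog logic for the ISE <-> AD disconnect described above (added example).

probe()     -> True  : test authentication succeeded (ISE can reach AD)
               False : test authentication was rejected (the symptom of the disconnect)
               None  : ISE itself did not answer (restarting would not help; do not count it)
remediate() -> performs the ISE application restart (in production: over the ISE CLI)
"""
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class WatchdogConfig:
    failure_threshold: int = 3      # consecutive rejected test auths before acting
    cooldown_seconds: float = 900.0  # minimum spacing between two restarts
    max_restarts: int = 2           # after this many restarts, hand over to a human


@dataclass
class Watchdog:
    probe: Callable[[], Optional[bool]]
    remediate: Callable[[], None]
    config: WatchdogConfig = field(default_factory=WatchdogConfig)
    clock: Callable[[], float] = time.monotonic  # injectable for offline tests
    consecutive_failures: int = 0
    restarts: int = 0
    last_restart_at: Optional[float] = None

    def tick(self) -> str:
        """Run one probe and return the resulting state name."""
        result = self.probe()
        if result is None:
            # ISE unreachable: not the AD-connector symptom, so it does not
            # count toward the threshold and must not trigger a restart.
            return "unreachable"
        if result:
            self.consecutive_failures = 0
            return "healthy"
        self.consecutive_failures += 1
        if self.consecutive_failures < self.config.failure_threshold:
            return "degraded"
        if self.restarts >= self.config.max_restarts:
            return "escalate"  # repeated restarts did not fix it; stop and alert
        now = self.clock()
        if (self.last_restart_at is not None
                and now - self.last_restart_at < self.config.cooldown_seconds):
            return "cooldown"  # symptom persists, but too soon to restart again
        self.remediate()
        self.restarts += 1
        self.last_restart_at = now
        self.consecutive_failures = 0
        return "restarted"


def simulate(probe_results, cfg: Optional[WatchdogConfig] = None):
    """Drive the watchdog with constructed probe results, one probe per minute.

    Returns (list of state names, list of simulated times at which a restart ran).
    """
    now = [0.0]
    results = iter(probe_results)
    restart_times: List[float] = []
    wd = Watchdog(probe=lambda: next(results),
                  remediate=lambda: restart_times.append(now[0]),
                  config=cfg or WatchdogConfig(),
                  clock=lambda: now[0])
    states = []
    for _ in probe_results:
        states.append(wd.tick())
        now[0] += 60.0
    return states, restart_times


if __name__ == "__main__":
    # Constructed scenario: one good auth, three rejects, then recovery after the restart.
    print(simulate([True, False, False, False, True]))
```

In a deployment, `probe` would be the script's RADIUS test authentication against the monitored AAA client and `remediate` an SSH session to the ISE CLI; the state names are what you would log or alert on, with "escalate" being the signal that the workaround is no longer sufficient.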
Owner:
Contributors:
Categories:
Products: Identity Services Engine (ISE)
Programming Languages: Python
License: