ISE to integrate with 100+ domains

Nate Zhang
Cisco Employee

Hi Experts,


We are working on a project where a customer may have 100+ different ADs that have no relationship with each other (different domains like ad1.com, ad2.com) to integrate with ISE.


Some questions as follows:


1. Per Cisco, the current ISE version supports a maximum of 50 join points. So we want to ask the customer to create 1 master AD which has trust relationships with all the remaining 100 ADs. If we join the master AD, we can see all the remaining ones in the external identity source since they are trusted by the master.


The question is, does it really work like that? I mean, even if the customer has thousands of different ADs, would 1 master AD as a join point be a solution?

Or, does 50 join points mean 50 different domains as a maximum? Please help to clarify.



2. We will have Dot1x enabled on endpoints and the identity source would be the ADs above. Per Cisco, we don't recommend the customer use the SAM name since identity conflicts will lead to authentication failure (and a lot of other reasons). We are going to recommend a UPN like nate@test.com as the identity.


The question is, in this case, will ISE do a DNS lookup to resolve the SRV records and send the identity to the correct DC for authentication by default?


It seems that we can filter on a condition (like if it ends with test.com, then send to server test.com) in the authentication policy.

However, since we have too many servers, I'd like to know if ISE has the intelligence to do that by default. If not, when and where is the SRV record on the DNS server used by ISE?



3. If ISE does not have the intelligence to work out question 2, then is ISE sending the authentication request to all the AD servers?

If yes, is it in sequence (first match, first served) or in one go (sent to all the ADs at the same time)?



4. In the requirement list, we have to add a PTR record in DNS when we are deploying ISE in distributed mode. However, I didn't see a clear description of when and where the PTR record for ISE is required (some historical cases show that adding other nodes to the PAN failed due to PTR failure).


Could you please explain why a PTR record for ISE is mandatory on the DNS server?


Thank you.

Accepted Solution

hslai
Cisco Employee

On 1, each join point is an Active Directory domain that ISE joins to, and it can authenticate and authorize user/computer objects within the same forest via parent-child trusts or tree-root trusts, and in other forests via two-way trusts. If ISE needs to auth objects in AD forests without trust relationships, then we create join points for a domain in each of such AD forests. I think we are supporting up to 100 domains and 200 domain controllers for each join point.

On 2 and 3, ISE does have intelligence to search for objects efficiently. However, it will still help to scope the join points. If not already done, please review this CiscoLive session: BRKSEC-2132.

On 4, Kerberos auth might not work properly without PTR records and ISE context visibility needs these for replications between the two ISE admin nodes.
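Two checks that follow from the questions above and this answer, written here as an added example (not code from the thread, from Cisco or from ISE): the suffix-based routing of a UPN identity to a join point that the original post sketches ("if it ends with test.com, then send to server test.com"), and a forward/reverse DNS consistency check for the ISE node PTR records the answer says Kerberos and admin-node replication depend on. The join-point table, node names, addresses and DNS records are all constructed for the example; the resolver is replaced by an in-memory record set so the code runs offline.

```python
"""Added example: UPN-suffix routing to a join point, and an ISE-node PTR consistency check.
Everything below (join points, hostnames, addresses, records) is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed join-point table: join point name -> domains reachable through it
# (the joined domain plus the domains it trusts, as described in the answer).
JOIN_POINTS: Dict[str, List[str]] = {
    "jp-ad1": ["ad1.com", "sales.ad1.com"],
    "jp-ad2": ["ad2.com"],
    "jp-mylocal": ["my.local"],
}


def identity_realm(identity: str) -> Optional[str]:
    """Return the realm of a UPN (user@realm) in lower case.
    A bare SAM name has no realm and returns None: it cannot be routed by suffix,
    which is the ambiguity the thread recommends avoiding."""
    if "@" in identity:
        return identity.rsplit("@", 1)[1].lower() or None
    return None


def route_identity(identity: str, join_points: Dict[str, List[str]] = JOIN_POINTS) -> Optional[str]:
    """Choose the join point whose domain list has the longest suffix match for the
    identity's realm. Matching is on label boundaries, so 'notad1.com' does not
    match 'ad1.com'. Returns None when no join point covers the realm."""
    realm = identity_realm(identity)
    if realm is None:
        return None
    best: Tuple[int, Optional[str]] = (0, None)
    for jp, domains in join_points.items():
        for dom in domains:
            dom = dom.lower()
            if (realm == dom or realm.endswith("." + dom)) and len(dom) > best[0]:
                best = (len(dom), jp)
    return best[1]


@dataclass(frozen=True)
class DnsView:
    """Constructed stand-in for a resolver: forward A records and reverse PTR records."""
    a_records: Dict[str, str]    # fqdn -> IPv4 address
    ptr_records: Dict[str, str]  # IPv4 address -> fqdn


def check_ptr_consistency(nodes: List[str], dns: DnsView) -> Dict[str, str]:
    """For each ISE node FQDN, report 'ok' when its A record and the PTR record for
    that address agree, otherwise a short reason for the mismatch."""
    results: Dict[str, str] = {}
    for fqdn in nodes:
        name = fqdn.lower().rstrip(".")
        ip = dns.a_records.get(name)
        if ip is None:
            results[fqdn] = "no A record"
            continue
        ptr = dns.ptr_records.get(ip)
        if ptr is None:
            results[fqdn] = f"no PTR record for {ip}"
        elif ptr.lower().rstrip(".") != name:
            results[fqdn] = f"PTR for {ip} points to {ptr}, not {name}"
        else:
            results[fqdn] = "ok"
    return results


# Constructed sample records: pan2 has no PTR, psn1's PTR points at a stale name.
SAMPLE_DNS = DnsView(
    a_records={
        "ise-pan1.my.local": "10.0.0.11",
        "ise-pan2.my.local": "10.0.0.12",
        "ise-psn1.my.local": "10.0.0.21",
    },
    ptr_records={
        "10.0.0.11": "ise-pan1.my.local",
        "10.0.0.21": "old-psn.my.local",
    },
)
ISE_NODES = ["ise-pan1.my.local", "ise-pan2.my.local", "ise-psn1.my.local"]

if __name__ == "__main__":
    for ident in ["nate@ad1.com", "bob@sales.ad1.com", "Test@MY.LOCAL", "nate", "eve@notad1.com"]:
        print(f"{ident:20} -> {route_identity(ident)}")
    for node, status in check_ptr_consistency(ISE_NODES, SAMPLE_DNS).items():
        print(f"{node:20} {status}")
```

Running the block prints the join point chosen for each constructed identity (None for the bare SAM name and for realms no join point covers) and one status line per ISE node; the two failing nodes are the shape of problem the answer associates with Kerberos failures and failed node registration.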


2 Replies


Thank you for your prompt reply.


I may need to dig deeper into SRV and PTR record.


The customer's design would be as below.


Current environment:


AD server1

username: nate

Domain: cisco.com


AD server2

username: test

Domain: apple.com



The new environment would be SDA. They will build another AD server like below:


AD server3

username: nate

username: test

Domain: my.local



AD1, 2 and 3 have no relationship at all. They are going to integrate AD server3 with ISE.


In this case, I believe all the required DNS records will be recorded with the information of AD3.


ISE will also call the required information of AD3 (like DC information) since ISE does not know AD1 and AD2 at all.


However, from the user and Windows perspective, it still logs in to the domain on AD1 and AD2.


For example, nate logs in to domain cisco.com but the dot1x profile is fixed with nate.cisco@my.local/password.


From the dot1x flow, I think it does not affect anything. However, since PTR/SRV records are required when integrating with the AD server, may I ask: is there any state or case in which ISE really cares about and needs to match the real domain the user is logged in to with the integrated AD server?
