02-04-2016 04:10 AM - edited 03-10-2019 11:27 PM
Hello guys,
I would like opinions on a scalable authentication strategy for users and/or workstations in Cisco ISE for the following scenario:
A customer with approximately 130 branches. Each branch has a different AD domain, with no trust relationship with HQ or with the other branches.
Knowing that ISE supports integration with up to 50 domains, what would you suggest for this case?
Regards,
Daniel Stefani
02-22-2016 10:14 AM
Stefani,
Sure, it will work; you can even use a centralized CA architecture, just make sure you can distribute these certificates to the endpoints...
Another option is to check whether the AD user account is restricted (disabled, locked out, expired, password expired, and so on) via LDAP, but you need the username to equal some field in the certificate (CN or SAN).
regards,
Fabio
02-04-2016 06:57 AM
That is right. - Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins. Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join. More information - ISE 1.3 & AD integration.
02-04-2016 07:45 AM
Hi Jatin Katyal, Thank you.
What is the strategy for the other 80 branches?
Regards,
Daniel Stefani
02-04-2016 06:29 PM
Hi Daniel,
Let me get back to you on this.
~ Jatin
02-05-2016 09:17 AM
Hi Jatin,
Thank you. I will wait.
Best Regards,
Daniel Stefani
02-05-2016 10:21 AM
Might not be ideal from a configuration standpoint, but you could build LDAP connections to the 80 remote branches, set up the user/group search base (CN=Users,DC=domain,DC=local, etc.) and then, in your authentication policies, check the network device group and set the LDAP server for that site to process the request.
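Worked example, added here and not code from the thread, from Cisco ISE or from any of the posters: it puts together the two mechanisms discussed, the per-site LDAP routing by network device group that JJohnston describes in the post above, and Fabio's suggestion in the accepted answer of matching a certificate field (CN or SAN) to the LDAP username and then checking whether that AD account is disabled, locked out, expired or has an expired password. The SITE_DOMAIN table, the branch01.local entries and the NOW timestamp are constructed test data standing in for what an LDAP search would return; the bit values and the FILETIME conversion follow Active Directory's documented userAccountControl, msDS-User-Account-Control-Computed and accountExpires attributes.

```python
"""Tie a client certificate's identity to the right branch AD domain over LDAP
and decide whether the account is restricted (disabled, locked out, expired,
password expired).  Added example, not code from the thread or from Cisco ISE.
The device-group table and directory entries are constructed test data; the
flag and timestamp semantics follow Active Directory's documented
userAccountControl, msDS-User-Account-Control-Computed and accountExpires."""
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002        # userAccountControl (stored attribute)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl
UF_LOCKOUT = 0x0010               # msDS-User-Account-Control-Computed (the DC
UF_PASSWORD_EXPIRED = 0x800000    # computes these at query time)

# AD timestamps are Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"

# Hypothetical ISE network device group (location) -> branch domain, i.e. the
# per-site routing JJohnston describes.  Constructed, not real customer data.
SITE_DOMAIN = {'Branch01': 'branch01.local', 'Branch02': 'branch02.local'}

def search_base(domain_fqdn):
    """'branch01.local' -> 'CN=Users,DC=branch01,DC=local'."""
    return 'CN=Users,' + ','.join('DC=' + p for p in domain_fqdn.split('.'))

def filetime_to_datetime(ft):
    """FILETIME integer (or its string form from LDAP) -> aware datetime, or None for never."""
    ft = int(ft)
    return None if ft in _NEVER else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME integer (exact integer arithmetic, no float rounding)."""
    td = dt - _FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def ldap_escape(value):
    """RFC 4515 escaping: a CN such as '*' or 'x)(cn=*' must not widen the search."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def identity_from_cert(subject_cn, san_upn=None):
    """A SAN UPN (otherName 1.3.6.1.4.1.311.20.2.3) maps to userPrincipalName;
    otherwise the subject CN is taken as the sAMAccountName."""
    return ('userPrincipalName', san_upn) if san_upn else ('sAMAccountName', subject_cn)

def build_filter(attr, value):
    return '(&(objectClass=user)(%s=%s))' % (attr, ldap_escape(value))

def account_restrictions(entry, now):
    """Reasons the AD entry is restricted; an empty list means the account is OK."""
    uac = int(entry.get('userAccountControl', 0))
    computed = int(entry.get('msDS-User-Account-Control-Computed', 0))
    reasons = []
    if uac & UF_ACCOUNTDISABLE:
        reasons.append('disabled')
    if computed & UF_LOCKOUT:
        reasons.append('locked out')
    expires = filetime_to_datetime(entry.get('accountExpires', 0))
    if expires is not None and expires <= now:
        reasons.append('expired')
    if computed & UF_PASSWORD_EXPIRED and not uac & UF_DONT_EXPIRE_PASSWD:
        reasons.append('password expired')
    return reasons

def check_certificate_identity(directories, ndg_location, subject_cn, san_upn=None, now=None):
    """Route by device group to the branch directory, require exactly one matching
    entry, then evaluate its restrictions.  'directories' stands in for the
    per-site LDAP search results; against a real server you would send base + filter."""
    now = now or datetime.now(timezone.utc)
    domain = SITE_DOMAIN.get(ndg_location)
    if domain is None:
        return {'allowed': False, 'reasons': ['no LDAP server mapped for ' + ndg_location]}
    attr, value = identity_from_cert(subject_cn, san_upn)
    result = {'base': search_base(domain), 'filter': build_filter(attr, value)}
    matches = [e for e in directories.get(domain, [])
               if e.get(attr, '').lower() == value.lower()]
    if len(matches) != 1:
        result.update(allowed=False, reasons=['no unique directory match'])
    else:
        reasons = account_restrictions(matches[0], now)
        result.update(allowed=not reasons, reasons=reasons)
    return result

# Constructed sample data standing in for two LDAP entries in branch01.local.
NOW = datetime(2016, 2, 22, 10, 14, tzinfo=timezone.utc)
DIRECTORIES = {'branch01.local': [
    {'sAMAccountName': 'dstefani', 'userPrincipalName': 'dstefani@branch01.local',
     'userAccountControl': 0x200, 'msDS-User-Account-Control-Computed': 0,
     'accountExpires': 0},
    {'sAMAccountName': 'olduser', 'userPrincipalName': 'olduser@branch01.local',
     'userAccountControl': 0x202,
     'msDS-User-Account-Control-Computed': UF_LOCKOUT | UF_PASSWORD_EXPIRED,
     'accountExpires': datetime_to_filetime(datetime(2016, 1, 1, tzinfo=timezone.utc))},
]}

if __name__ == '__main__':
    for cn, upn in [('dstefani', 'dstefani@branch01.local'), ('olduser', None), ('*', None)]:
        print(cn, check_certificate_identity(DIRECTORIES, 'Branch01', cn, upn, NOW))
```

Two points worth keeping in mind when wiring this to a real directory: the certificate field is attacker-influenced only to the extent the CA lets it be, but a CN of `*` would still turn an unescaped `(sAMAccountName=*)` into a match on every user, which is why the filter is escaped and a single match is required; and msDS-User-Account-Control-Computed is a constructed attribute, so it is only returned when named explicitly in the search request, while attribute values come back as strings, which is why the code calls int() on them.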
02-11-2016 04:44 AM
Hi JJohnston, thanks for the answer... using LDAP may be an alternative.
I was thinking of doing authentication using digital certificates only.
Each branch would have a CA (Windows) to generate and distribute a certificate to authenticate workstations.
In ISE, I would create authentication and authorization policies to validate these certificates (workstations).
Not sure if this design can work, but it is what I have in mind right now.
What do you think ?
Best Regards,
Daniel Stefani
03-10-2016 01:57 PM
Thank you Fabio.