Cisco ISE - Authentication Strategy

Daniel Stefani
Level 1

Hello guys,

I would like opinions on a scalable authentication strategy for users and/or workstations in Cisco ISE for the following scenario:

Customer with approximately 130 branches. Each branch has a different AD domain, without trust relationship with the HQ and with the other branches.

Knowing that ISE supports integration with up to 50 domains, what would you suggest for this case?

Regards,
Daniel Stefani

1 Accepted Solution


8 Replies

Jatin Katyal
Cisco Employee

That is right. Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins. Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join. More information: ISE 1.3 & AD integration.

~Jatin

Hi Jatin Katyal, Thank you.

What is the strategy for the other 80 branches?

Regards,
Daniel Stefani

Hi Daniel,

Let me get back to you on this.

~Jatin

Hi Jatin,

Thank you. I will wait.

Best Regards,

Daniel Stefani

Might not be ideal from a configuration standpoint, but you could build LDAP connections to the 80 remote branches, set up the user/group search base (CN=Users,DC=domain,DC=local, etc.) and then, in your authentication policies, check the network device group and then set the LDAP server for that site to process the request.

Hi JJohnston, thanks for the answer. Using LDAP may be an alternative.
I was thinking of doing authentication using digital certificates only.
Each branch would have a CA (Windows) to generate and distribute a certificate to authenticate workstations.
In ISE, I would create authentication and authorization policies to validate these certificates (workstations).
Not sure if this design can work, but it is what I have in mind right now.

What do you think?

Best Regards,

Daniel Stefani

Stefani,

Sure, it will work; you can even use a centralized CA architecture, just make sure you can distribute these certificates to the endpoints...

Another option is to check if the AD user account is restricted (disabled, locked out, expired, password expired, and so on) via LDAP, but you need the username to equal some field in the certificate (CN or SAN).

regards,

Fabio
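
Fabio's second option above, together with the per-branch LDAP search base JJohnston quotes earlier in the thread, as an added example that is not from this thread, from Cisco ISE, or from any of the posters: a Python sketch of the directory-side checks that a certificate-only EAP-TLS flow never performs. It assumes the LDAP search has already returned the account's attributes as a dictionary, that the certificate's CN and SAN UPN values have already been extracted, and that the domain's maxPwdAge and lockoutDuration policy values are known; every directory entry, timestamp and policy value below is constructed for the example. The userAccountControl and msDS-User-Account-Control-Computed bit values are the ones Microsoft documents for Active Directory.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit values (as documented by Microsoft for AD)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
# Bits of the constructed attribute msDS-User-Account-Control-Computed, which the
# DC fills in from domain policy when the search requests it explicitly
UF_LOCKOUT = 0x0010
UF_PASSWORD_EXPIRED = 0x800000

NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """AD timestamps are 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so it is exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def search_base_for(dns_domain, container="Users"):
    """Build the per-branch search base quoted in the thread
    (CN=Users,DC=domain,DC=local) from the branch's DNS domain name."""
    dcs = ",".join("DC=" + label for label in dns_domain.split("."))
    return "CN=%s,%s" % (container, dcs)


def certificate_identity_matches(cert_cn, cert_san_upns, entry):
    """The prerequisite from the thread: the name the LDAP lookup is keyed on must
    equal a certificate field (CN or a SAN UPN). AD compares these case-insensitively."""
    names = {cert_cn.lower()} | {upn.lower() for upn in cert_san_upns}
    return (entry["sAMAccountName"].lower() in names
            or entry["userPrincipalName"].lower() in names)


def account_restrictions(entry, now, max_pwd_age, lockout_duration):
    """Return the reasons an AD account should be refused even though its
    certificate chain is valid: disabled, locked out, expired, password expired."""
    reasons = []
    uac = entry["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        reasons.append("disabled")

    computed = entry.get("msDS-User-Account-Control-Computed")
    if computed is not None:
        # The DC has already applied lockoutDuration and maxPwdAge for us
        if computed & UF_LOCKOUT:
            reasons.append("locked out")
        if computed & UF_PASSWORD_EXPIRED:
            reasons.append("password expired")
    else:
        # Fallback: apply the (assumed) domain policy values ourselves
        lockout_time = entry.get("lockoutTime", 0)  # 0 = not locked
        if lockout_time and now < filetime_to_datetime(lockout_time) + lockout_duration:
            reasons.append("locked out")
        if not uac & DONT_EXPIRE_PASSWORD:
            pwd_last_set = entry.get("pwdLastSet", 0)  # 0 = must change at next logon
            if pwd_last_set == 0 or now >= filetime_to_datetime(pwd_last_set) + max_pwd_age:
                reasons.append("password expired")

    expires = entry.get("accountExpires", 0)
    if expires not in NEVER_EXPIRES and now >= filetime_to_datetime(expires):
        reasons.append("account expired")
    return reasons


def decide(cert_cn, cert_san_upns, entry, now, max_pwd_age, lockout_duration):
    """Combine both checks into an accept/reject decision plus its reasons."""
    if not certificate_identity_matches(cert_cn, cert_san_upns, entry):
        return False, ["certificate identity does not match the directory account"]
    reasons = account_restrictions(entry, now, max_pwd_age, lockout_duration)
    return not reasons, reasons


# Constructed sample data: a fixed "now", assumed domain policy values, and
# directory entries shaped like a plain LDAP search over the Users container returns.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = timedelta(days=90)          # assumed domain password policy
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed domain lockout policy


def _entry(**overrides):
    base = {
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@branch01.local",
        "userAccountControl": 0x200,  # NORMAL_ACCOUNT
        "accountExpires": 0x7FFFFFFFFFFFFFFF,
        "lockoutTime": 0,
        "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
    }
    base.update(overrides)
    return base


SAMPLE_ENTRIES = {
    "ok": _entry(),
    "disabled": _entry(userAccountControl=0x200 | ACCOUNTDISABLE),
    "locked": _entry(lockoutTime=datetime_to_filetime(NOW - timedelta(minutes=5))),
    "expired": _entry(accountExpires=datetime_to_filetime(NOW - timedelta(days=1))),
    "stale_password": _entry(pwdLastSet=datetime_to_filetime(NOW - timedelta(days=120))),
    "locked_computed": _entry(**{"msDS-User-Account-Control-Computed": UF_LOCKOUT}),
}
```

The point the thread makes is visible in the "disabled" sample: EAP-TLS checks the chain, validity period and revocation status of the certificate, so an account that HR disabled yesterday still authenticates until its certificate is revoked or expires, unless the directory lookup above runs and is enforced in the authorization policy. Requesting msDS-User-Account-Control-Computed in the LDAP search lets the domain controller apply lockout and password-age policy itself, which avoids hard-coding those values per branch.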

Thank you Fabio.
