topic for cisco recommended method in Network Access Control

Cisco ISE - multiple AD - trust relationships

rcianci — Mon, 11 Mar 2019 04:09:53 GMT

Hello,

I have a customer who has multple AD forests and an ISE deployment running 1.1.3.

The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. CIsco ISE is connected to the Internal AD forest.

We know that multiple AD support is coming in 2014 with versioon 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.

1. Currently – the Internal AD forest has an External, Non-transitive – one-way trust with the External Forest

a. The objective here is to use a feature called Selective Authentication in order to filter the outgoing requests from the External Forest to the Internal Forest – this is a selective trust feature that can be used to control access to specific resources in Internal Forest and for authentication between Internal/External Forest via Cisco ISE

b. Preliminary testing has shown that a one way trust seems to work for Cisco ISE authentication/authorization

c. Further testing is underway to test the Selective Authentication feature (ie restrict access to specific resources etc…)

Question : has any one used this and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?

2. We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive – two-way trust with the External Forest

a. Same objectives as in 1 – we would attempt to use the Selective Authentication in the following fashion (this is an example)

i. External Forest has outgoing filter to allow access to specific resources in Internal Forest, and for authentication

ii. Internal Forest has incoming filter to deny access to all resources in External Forest

In this case we would filter so it resembles a 1 way trust relationship - anyone try this, anyone know if this would be a supported method by Cisco?

Thanks in advance for your replies.

Robert C.

Multiple AD functionality

manjeets — Wed, 16 Apr 2014 16:17:23 GMT

Multiple AD functionality will be supported in ISE 1.3 release and it would be available in July 2013.

for cisco recommended method

Venkatesh Attuluri — Fri, 18 Apr 2014 12:20:13 GMT

for cisco recommended method of deployment with Multiple AD Domains check

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf

This functionality will be

kaaftab — Tue, 20 May 2014 13:28:18 GMT

This functionality will be added in cisco ISE 1.3 expected to be release mid of September and yes two way trust in the interm solution

ISE 1.3 is availble now and

manjeets — Thu, 20 Nov 2014 06:48:46 GMT

ISE 1.3 is availble now and its support multiple AD integration.

HI,Is there some

cyndialarconc — Mon, 24 Nov 2014 19:23:29 GMT

HI,

Is there some configuration step by step about multiple AD integration?. Is it necessary a trust relationship between the ADs?

Cisco has published a nice

Marvin Rhoads — Mon, 24 Nov 2014 21:43:15 GMT

Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:

"Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."

I've setup one such deployment just recently and found it quite simple to just add the second domain and use it an en external identity source accordingly.

Find the attachment of step

manjeets — Tue, 25 Nov 2014 05:16:48 GMT

Find the attachment of step by step configuration of multiple AD integration with the ISE.

Have you tried this scenario

Stephen McBride — Wed, 26 Nov 2014 04:38:50 GMT

Have you tried this scenario in 1.3 yet? I notice you stated that one way trust seems to work in 1.1.3? Basically it would appear that a two way trust is still a requirement for multidomain forests in 1.3.

I am curious about why a two way trust is required to authenticate users in this type of setup. Not sure why an external one way trust wouldn't suffice. Does anyone have any experience with this in 1.3 as I am unable to join one of the required forests directly (due to internal policy) and the client is unwilling to configure a two way trust.