https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788169#M56316 <P>Thank you Fabio.</P> Thu, 10 Mar 2016 21:57:55 GMT Daniel Stefani 2016-03-10T21:57:55Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788161#M56293 <P>Hello guys,</P> <P>Would like opinions to a scalable &nbsp;authentication strategy of users and / or workstations in Cisco ISE for the following scenario:</P> <P>Customer with approximately 130 branches. Each branch has a different AD domain, without trust relationship with the HQ&nbsp;and with the other branches.</P> <P>Knowing that the ISE supports integration with up to 50 domains, which suggestion for this case?</P> <P>Regards,<BR />Daniel Stefani</P> Mon, 11 Mar 2019 06:27:22 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788161#M56293 Daniel Stefani 2019-03-11T06:27:22Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788162#M56299 <P><SPAN style="font-size: 10pt;">That is right. - Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins. <STRONG>Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them.</STRONG> Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies </SPAN><SPAN style="font-size: 10pt;">for each join. More information - <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISE-ADIntegrationDoc/b_ISE-ADIntegration.pdf">ISE 1.3 &amp; AD integration</A>.</SPAN></P> <P><SPAN style="font-size: 10pt;"></SPAN></P> Thu, 04 Feb 2016 14:57:54 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788162#M56299 Jatin Katyal 2016-02-04T14:57:54Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788163#M56302 <P>Hi Jatin Katyal, Thank you.</P> <P></P> <P>What the strategy for the other 80 branches?</P> <P></P> <P><SPAN>Regards,</SPAN><BR /><SPAN>Daniel Stefani</SPAN></P> Thu, 04 Feb 2016 15:45:53 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788163#M56302 Daniel Stefani 2016-02-04T15:45:53Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788164#M56306 <P><SPAN style="font-size: 10pt;">Hi Daniel,</SPAN></P> <P><SPAN style="font-size: 10pt;">Let me get back to you on this.</SPAN></P> <P><SPAN style="font-size: 10pt;">~ Jatin</SPAN></P> Fri, 05 Feb 2016 02:29:43 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788164#M56306 Jatin Katyal 2016-02-05T02:29:43Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788165#M56307 <P>Hi Jatin,</P> <P>thank you. I wait.</P> <P></P> <P>Best Regards,</P> <P>Daniel Stefani</P> Fri, 05 Feb 2016 17:17:06 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788165#M56307 Daniel Stefani 2016-02-05T17:17:06Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788166#M56309 <P>Might not be ideal from a configuration standpoint, but you could build LDAP connections to the 80 remote branches, setup the user/group search base (CN=Users,DC=domain,DC=local and etc.) and then in your authentication policies, check network device group&nbsp;then set the LDAP server for that site to process the request.</P> Fri, 05 Feb 2016 18:21:40 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788166#M56309 jj27 2016-02-05T18:21:40Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788167#M56311 <P>Hi JJohnston, thanks for aswer...use LDAP may be an alternative.<BR />I was thinking of doing authentication using digital certificates only.<BR />Each branch would have a CA (Windows) to generate and distribute a certificate to authenticate workstations.<BR />In ISE, I would create authentication and authorization policies to validate these certificates(Workstatios).<BR />Not sure if this design can work, but it is what I have in mind right now.</P> <P>What do you think ?</P> <P></P> <P>Best Regards,</P> <P>Daniel Stefani</P> Thu, 11 Feb 2016 12:44:12 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788167#M56311 Daniel Stefani 2016-02-11T12:44:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788168#M56313 <P>Stefani,</P> <P>Sure it will work, you can even use a centralized CA architecture, just make sure you can distribute these certificates to the endpoints...</P> <P>Another option is to check if the AD <SPAN class="content">User account is restricted (disabled, locked out, expired, password expired, and so on) via LDAP, but you need the username equals some field in the certificate (CN or SAN).</SPAN></P> <P><SPAN class="content"></SPAN></P> <P><SPAN class="content">regards,</SPAN></P> <P><SPAN class="content">Fabio</SPAN></P> Mon, 22 Feb 2016 18:14:10 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788168#M56313 fabioacarneiro 2016-02-22T18:14:10Z https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788169#M56316 <P>Thank you Fabio.</P> Thu, 10 Mar 2016 21:57:55 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-strategy/m-p/2788169#M56316 Daniel Stefani 2016-03-10T21:57:55Z