topic ISE and Two distinct Windows Domains in Network Security

ISE and Two distinct Windows Domains

nowcommsupport — Fri, 21 Feb 2020 12:47:52 GMT

All,

I have a customer who wants to integrate ISE with two seperate Windows Domains, they have no trust releationship. We can integrate with one of the domains and can make use of LDAP for the other but can only get Machine Authentication working with the domain with the full integration. Machine authentication will not work with LDAP, only user authentication. The problem is the config of the switches places the client in the guest network as they fail machine auth and then client auth is not recognised by the switch. I'm thinking about either not going direct to MAB if a user fails machine auth or diabling guest all together as the porblem is a guest with a dot1x suplication is not given guest access in a timely mannor without this command. Another option I have thought about is to use the radius token external identity store to talk to a Cisco ACS server attached to the other domain.

Any help would be greatly appreciated

Thanks

Simon

ISE and Two distinct Windows Domains

jan.nielsen — Wed, 05 Dec 2012 20:23:49 GMT

When you use LDAP for AD authentication, you are limited to using EAP-TLS (certificates) or EAP-GTC (plain text passwords), so if you are at all concerned about security you will use EAP-TLS.

ISE and Two distinct Windows Domains

jan.nielsen — Wed, 05 Dec 2012 20:24:58 GMT

Here's the list of which methods are supported when using different kinds of user databases :

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1053140