619 Views, 10 Helpful, 6 Replies

AD 2-way trust question

VS (Level 1)

Hello,

I have an ISE 2.2 p9 deployment. domain1.com AD joined to ISE and working well for our users.


We have a new requirement where users of domain2.com will visit our offices, use our SSID and must be authenticated by our ISE. For this 2-way trust has been configured between domain1.com and domain2.com

 

My question is - will my ISE ever communicate with domain2.com AD? Port UDP389 or whatever? My understanding is that ISE will query domain1.com AD which in turn queries domain2.com AD. Therefore no comms needed between ISE and domain2.com AD. Is this right?

Accepted Solution

@hslai is correct. When you join ISE to a domain it tries to discover trust relations and adds them to the available authentication domains. When a request comes to the ISE, depending on the format of the username (UPN/NetBIOS, e.g. abcd@domain1.com, domain1\abcd, abcd etc.) ISE will either reach out to that domain directly or will check them one by one by reaching out to them directly to authenticate the user.

 

To answer your question in short : Yes, you need to allow access to each domain for ISE to authenticate users.


6 Replies

Arne Bier (VIP)

I am not 100% sure of the mechanics, but in my experience, when I join a domain that has trust to other domain(s), then I don't have to do anything other than ensure that the other (sub)domains are whitelisted in ISE.  The AD Join Point is done to the primary AD.  But interesting question - I think the answer is that as long as ISE can join the domain, then any sub-joined domains will automatically be reachable via that one.

hslai (Cisco Employee)

My impression is that ISE needs to contact all the domains, while working with an issue reported by Arne. But, I would try and confirm it with our engineering.

@hslai - thanks for reminding me.  I observed this in ISE 2.2/3/4 on domains that have 2-way trust - I could see from the AD logs that each node tries to build a TCP connection to every domain controller (even the ones I didn't whitelist).

But if you can get BU to comment on that it would be great.  When working with AD it's a bit of black box stuff (or magic).  By contrast, with an ISE LDAP connection to your AD infrastructure, you have more visibility under the hood, because you have to bind ISE to each DC explicitly - which makes more intuitive sense to the operator.  Having said that, when you configure LDAP on ISE, it doesn't give you an option about which node(s) this will be done from - I assume the config results in LDAP connections being built from ALL ISE nodes to the LDAP targets.

hslai (Cisco Employee)

> But if you can get BU to comment on that it would be great.  When working with AD it's a bit of black box stuff (or magic).

I have not received any new info. What I got previously is that ISE AD connections utilize Microsoft Sites and Services, which is the magic bit I think.

Reading up some Microsoft articles, such as

Trust Processes and Interactions

Domain Locator Across a Forest Trust | Ask the Directory Services Team

 

It does seem the machine (i.e. ISE) needs to reach out directly to the LDAP service of the user domain in the process.

 

> By contrast, with an ISE LDAP connection to your AD infrastructure, you have more visibility under the hood, because you have to bind ISE to each DC explicitly - which makes more intuitive sense to the operator.  Having said that, when you configure LDAP on ISE, it doesn't give you an option about which node(s) this will be done from - I assume the config results in LDAP connections being built from ALL ISE nodes to the LDAP targets.

You are correct that the LDAP connections are for all ISE nodes, by default. ISE 2.2+ has the option to configure the primary and backup LDAP server for each PSN, with the checkbox "Specify server for each ISE node".


I can confirm that yes all ISE nodes needed to speak to the other domains as well. We had a firewall blocking the access, as soon as it was allowed authentication with the other domain's AD started working well.
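The accepted solution, hslai's DC locator notes and the firewall confirmation above all come down to one operational check: every ISE node must be able to reach the domain controllers of every trusted domain it may authenticate against, not only the join-point domain. The script below is an added example written for this page; it is not Cisco code and was not posted in the thread. It classifies a username the way the accepted solution describes (UPN, NetBIOS, bare), builds the DNS SRV names that the Windows DC locator (driven by Sites and Services) queries, and TCP-probes the DC-facing ports so a blocked port shows up before users do. The port list is an assumption based on commonly documented ISE AD connector ports; confirm it against the port reference for your ISE release. The NetBIOS-to-domain match (first DNS label) is a simplification, and the local listener is a constructed stand-in for a DC so the script runs offline.

```python
"""Pre-flight reachability check for an ISE AD join point spanning trusted domains.

Added example for this thread, not Cisco's code. Run it from a host in the same
segment as each PSN (or from the PSN shell if you have a way to run Python there).
"""
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# ASSUMPTION: DC-facing ports commonly documented for the ISE AD connector.
# Verify against Cisco's port reference for your release before trusting this list.
AD_PORTS: Dict[int, str] = {
    88: "Kerberos",
    389: "LDAP",
    445: "SMB (machine account / trust traffic)",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog over TLS",
}


def candidate_domains(username: str, whitelisted: List[str]) -> List[str]:
    """Domains ISE would try, in order, for each username format the thread lists.

    UPN     (abcd@domain2.com) -> the UPN suffix only
    NetBIOS (DOMAIN2\\abcd)    -> the domain whose first DNS label matches (simplification:
                                   real NetBIOS names can differ from the first label)
    bare    (abcd)             -> every whitelisted domain, in configured order
    """
    if "@" in username:
        return [username.rsplit("@", 1)[1].lower()]
    if "\\" in username:
        short = username.split("\\", 1)[0].lower()
        return [d for d in whitelisted if d.split(".")[0].lower() == short]
    return list(whitelisted)


def dc_locator_srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names the Windows DC locator queries for a domain.

    The site-specific names are what Sites and Services adds: a client first asks
    for DCs in its own site, then falls back to the domain-wide records.
    """
    names: List[str] = []
    if site:
        names += [
            f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
            f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        ]
    names += [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
    ]
    return names


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """TCP-connect to each port on host; True means the three-way handshake completed."""
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, unroutable: all count as blocked
            results[port] = False
    return results


def unreachable(host: str, ports: Dict[int, str], timeout: float = 2.0) -> List[Tuple[int, str]]:
    """(port, service) pairs that a firewall or routing gap is blocking towards host."""
    status = check_ports(host, ports, timeout)
    return [(p, ports[p]) for p in ports if not status[p]]


def open_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a reachable DC port: a listening socket on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Constructed stand-in for a firewalled DC port: a loopback port nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    domains = ["domain1.com", "domain2.com"]  # join point first, then the trusted domain
    for user in ["abcd@domain2.com", "DOMAIN2\\abcd", "abcd"]:
        print(f"{user:20} -> tries {candidate_domains(user, domains)}")
    print("DC locator queries for domain2.com from site HQ:")
    for name in dc_locator_srv_names("domain2.com", site="HQ"):
        print("  ", name)
    # Offline demo against the loopback stand-ins; replace with real DC hostnames/IPs.
    srv, open_port = open_local_listener()
    blocked = unreachable("127.0.0.1", {open_port: "fake DC (open)", closed_local_port(): "fake DC (blocked)"})
    srv.close()
    print("blocked:", blocked)
```

Against a real deployment, replace the loopback stand-ins with the DC hostnames returned by the SRV records for each trusted domain and run the probe from every PSN's network segment; any port that comes back in `unreachable()` is the firewall rule that, as the thread found, stops authentication for that domain.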
