Best Practices for using ISE Authorization across multiple domains

asdraper
Level 1

I have recently found that the way our ISE was set up, we have one Active Directory Join Point, pointing to a global catalog server so that we can authenticate users across multiple domains with trusts.  Now, we have users with active accounts in these external domains who need to have disabled accounts in our primary domain for email purposes, and so the ISE authorization finds the disabled account in the primary domain and stops looking for the active accounts in the external domains.  It sounds like the only way to work around this is to create multiple join points, then add them separately to the Identity Source Sequence with the primary domain as the last resort.  Would that be best practice?  I have all of these AuthZ requests coming from a single VPN tunnel, so I don't think I could create individual rules for each domain, I have to keep them in one rule with an appropriately ordered Identity Source Sequence.  

7 Replies

AuthC can use one or multiple identity sources.

In AuthZ you can specify an AD group.

MHM

Our AuthC is happening on the ASA, then passed to ISE for AuthZ.  I have the Identity groups built with rules associated with them.  The issue is it appears that the disabled user account is being found first and it fails the Authorization as being disabled.  I think I have to split the join points and create them as multiple steps in the Identity Source Sequence.  If I take a test user and remove their disabled account from my primary domain, everything works perfectly.  As soon as that account is allowed to replicate, all logins fail because ISE finds the disabled account first.  

Can I see the tunnel group of the ASA?

MHM

I misspoke a bit earlier. The AuthC is actually passed from the ASA to Duo, then when the user account passes AuthC then the ASA is set to hand it off to ISE for AuthZ.  

thomas
Cisco Employee

Yes, multiple join points is the answer.

This is why they are called "join points" and not simply "domain connections": you may join one or more domains in any way necessary, up to 50 times, to work around whatever crazy AD environments you cannot change.

Understood - I am cleaning up the setup that a vendor did for us years back and I suspected as much.  They made one join point and added the Domain Users group so everyone got swept up into one big rule.  I am attempting to break it all apart again.  

So then would the best practice be, even with domain trusts in place, to set up several join points, then put them all separately into the Identity Source Sequence?  Luckily in our case I believe all these disabled accounts would only be in our primary domain, so I would make that last in the sequence and hope they get picked up in their primary domains first?  The initial thought was that we were excluding some OUs by adding them as groups (and not others), but I see now that is not the case.
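Before reordering an Identity Source Sequence it helps to know exactly which accounts are affected and to check that a proposed join-point order resolves every one of them to an enabled object. The script below is an added example written for this thread, not code from the original posts or from Cisco ISE; it works from a constructed account export (the domain names, users and userAccountControl values are made up) and models the sequence behaviour described above: each join point is tried in order and the first store that finds the user ends the search, even if that account is disabled. The single global-catalog join point from the original setup is modelled as one store whose internal return order is assumed to favour the primary domain, which is what the thread describes. The only AD fact relied on is that bit 0x0002 of userAccountControl (ACCOUNTDISABLE) marks a disabled account.

```python
"""Added example for the ISE join-point thread (not from the original posts).

Audits which accounts are disabled in the primary domain but enabled in a
trusted domain, then simulates lookups through an ordered list of join points
to confirm a proposed Identity Source Sequence order resolves all of them.
"""
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account

# Constructed sample export (not real data); columns mimic a Get-ADUser or
# ldapsearch dump with sAMAccountName and userAccountControl per domain.
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_EXPORT = """domain,sAMAccountName,userAccountControl
corp.example,jdoe,514
corp.example,asmith,512
corp.example,bwong,514
east.example,jdoe,512
west.example,bwong,512
west.example,cpatel,512
"""


def load_accounts(text):
    """Parse the export into {domain: {sAMAccountName: enabled}}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        uac = int(row["userAccountControl"])
        enabled = not (uac & ACCOUNTDISABLE)
        accounts.setdefault(row["domain"], {})[row["sAMAccountName"]] = enabled
    return accounts


def shadowed_users(accounts, primary):
    """Return {sAMAccountName: domain} for users whose `primary` account is
    disabled while an enabled account with the same name exists elsewhere.
    These are the users a primary-first lookup order would reject."""
    primary_users = accounts.get(primary, {})
    hits = {}
    for domain, users in accounts.items():
        if domain == primary:
            continue
        for sam, enabled in users.items():
            if enabled and primary_users.get(sam) is False:
                hits[sam] = domain
    return hits


def resolve(accounts, sequence, sam):
    """Simulate an identity source sequence: join points are tried in order and
    the first store that finds the user decides the outcome. A found-but-disabled
    account still ends the search. Returns (domain, enabled) or (None, None)."""
    for domain in sequence:
        users = accounts.get(domain, {})
        if sam in users:
            return domain, users[sam]
    return None, None


def authz_failures(accounts, sequence):
    """sAMAccountNames that `sequence` resolves to a disabled account although an
    enabled account for that name exists in some domain. An empty set means the
    proposed order avoids the problem described in the thread."""
    all_users = {sam for users in accounts.values() for sam in users}
    failures = set()
    for sam in all_users:
        _, enabled = resolve(accounts, sequence, sam)
        if enabled is False and any(u.get(sam) for u in accounts.values()):
            failures.add(sam)
    return failures


if __name__ == "__main__":
    acct = load_accounts(SAMPLE_EXPORT)
    print("shadowed in corp.example:", shadowed_users(acct, "corp.example"))
    # One GC join point, modelled as a store that returns the primary domain's
    # object first (assumed behaviour, matching the thread's symptoms).
    gc_like = ["corp.example", "east.example", "west.example"]
    print("primary-first failures:", authz_failures(acct, gc_like))
    # Separate join points with the primary domain last, as proposed above.
    proposed = ["east.example", "west.example", "corp.example"]
    print("primary-last failures:", authz_failures(acct, proposed))
```

Run it against a real export by replacing SAMPLE_EXPORT with a CSV dumped from each domain; a non-empty result from `authz_failures` for the proposed order means some user has a disabled account in a domain that is not last, so the ordering alone will not fix them.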