Cisco ISE EAP-Chaining when AD is down

hany_i_a
Cisco Employee

I have ISE set up for wired users, with EAP-chaining using a machine certificate and user credentials from Active Directory. The requirement is that when Active Directory is down, ISE needs to fall back to the internal database and maintain operation by any workaround, even if manual action on the ISE is needed.

6 Replies

Colby LeMaire
VIP Alumni

To fallback to the ISE internal database for user authentication would mean that you would have to create accounts for every user in ISE that matches what is in AD.  Not good.  Your best option if you need user authentication is to assign certificates to the users too.  With EAP-TLS, there is no need for ISE to communicate with AD unless you are checking for group membership.  And the group membership check would fail if AD is down anyway.

You could have some rules that are usually disabled when AD is running and if AD were to go down, you could enable those rules that are above the normal ones.  Those rules would allow access with just a successful machine authentication.  But again, manual intervention is not ideal and there will always be a delay from when someone detects a problem with AD and notifies someone that has the rights to ISE to enable the rules.

Go with user certificates and don't do a check for group membership if it is just for Domain Users or Domain Computers since every computer joined will be a member of Domain Computers and every user in AD will be a member of Domain Users.  That is a useless check.

Thanks for your reply. Actually, in this case all machines will be members of the domain (Domain Computers) and no group membership will be used, so there is no problem here for the computer authentication. The problem is with the user, as my authorization policy will be based on the user's group membership in the domain. For example:

AD\user_group1 will have DACL1 

AD\user_group2 will have DACL2 

so there will be group membership check for users . 

To fall back, should I create local groups in ISE and create local users with the same usernames and passwords, and put them in local groups mapped from the domain groups? Will this scenario work if AD is down?

Trying to create a username/password in ISE for every AD user alone is crazy.  The bigger issue is trying to keep the passwords in sync when the users change their passwords in AD.  That is too much of an administrative nightmare.  Even with scripting and using the API, there is too much that could go wrong.

From an operational standpoint, I think you are overthinking this.  If AD were down, the users would have issues with other applications and resource access so is there really any value to putting all this work in to give them access to the network during an AD outage.  I would argue that the effort should be placed on troubleshooting AD and getting that up as quickly as possible.  

In the EAP-chaining authorization policy, if I use:

condition: member of "Domain Computers" and Network Access > EAP Tunnel > EAP-FAST and Network Access > EAP Chaining Result = "User failed and machine succeeded"

in this case, will this require contacting the domain to authenticate the machine?

I understand your point, but what happens is that sometimes there is instability in the domain that affects the authentication process all over the network. The customer asked for a fallback scenario that can be made manual, and effective.

If the machine is authenticating with EAP-TLS and in the ISE authorization policy I use the following condition:

condition: member of "Domain Computers" and Network Access > EAP Tunnel > EAP-FAST and Network Access > EAP Chaining Result = "User failed and machine succeeded"

in this case, will ISE need to contact the domain to check if the machine is in Domain Computers?

I agree with @Colby LeMaire.  IMO AD servers are critical infrastructure so the concern should be to ensure that they are up.  AD being down does not only affect network auth for policy pushes, but other things like domain services, CAC authentication, DNS, etc.  I would not focus on creating local accounts in ISE.  I think an alternative solution would be to configure an auth-fail VLAN in your NAD 802.1X configs that would dump them elsewhere such as a restricted area.  However, I am assuming the customer would want the users/comps to have full network access.  If that is the case then I would stay clear of the auth-fail VLAN idea.  Good luck & HTH!
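The auth-fail VLAN suggested in the last reply, shown as an added Cisco IOS access-port example that is not from this thread or from Cisco documentation; the interface name, VLAN IDs and VLAN names are assumed placeholders. The point to verify on the ISE side is that the switch only moves a port into the auth-fail VLAN when it receives a RADIUS Access-Reject: if the ISE authentication rule's "If Process fail" option is set to Drop, an AD lookup failure produces no reply at all and the port never sees a failure, so that option must be set to Reject for this fallback to trigger.

```cisco
! Assumed restricted VLAN for endpoints whose authentication failed
vlan 999
 name AUTHFAIL-RESTRICTED
!
interface GigabitEthernet1/0/10
 description Wired user port (assumed)
 switchport mode access
 switchport access vlan 10
 ! Run 802.1X as authenticator and require authentication before access
 authentication port-control auto
 dot1x pae authenticator
 ! Allow two retries before treating the session as failed
 authentication event fail retry 2 action authorize vlan 999
 ! Periodic re-auth so the port leaves VLAN 999 once AD/ISE recover
 authentication periodic
 authentication timer reauthenticate 300
```

Restrict what VLAN 999 can reach with an ACL on its SVI or upstream firewall; the switch command only moves the port, it does not limit traffic.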