1323 Views, 1 Helpful, 2 Replies
Ahmed.Y.Eissa
Beginner

Cisco ISE Multi Tenant AD

Current situation: Campus includes 6 companies with separate AD and PKI.

Required to authorize users based on client certificate.

In the traditional way (if we had only one tenant):

  1. Create DNS with ISE-01.company.com
  2. Import CA root, sign the ISE-generated CSR from the PKI and import it back.
  3. Build the cluster
  4. Create certificate profile “Cert-Profile” to check client certificate validation and get the “username” info, and assign it to authentication sequence “Cert-Auth”
  5. Create the rules below

Authentication rule > if Auth “Dot1x” --> then --> Authenticate against “Cert-Auth”

Authorization rule > if User “part of groupX” --> then --> “Auth_profile”

In our case 6 tenants mean different ADs and PKIs. So how can it be done (with and without trust between the different ADs)?

For example

Without trust

  1. Create 6 DNS entries, one in each domain
  2. Import 6 CA roots, sign the ISE-generated CSRs from each PKI and import them back.
  3. Create a certificate profile for each tenant (Cert-Profile1, Cert-Profile2, etc.)

Then you need to differentiate between requests in order to send each one to a specific authentication sequence.

So in the authentication phase, is the domain listed in the RADIUS attributes? Or is there any attribute we can get to send the authentication to its Cert-Profile?

And in case a trust exists between the different ADs, will one certificate profile be enough?

Accepted Solution
hslai
Cisco Employee

First of all, each ISE node uses one and only one system certificate for its EAP server, so that can be signed by only one PKI: self-signed, signed by one of the PKIs of the 6 companies, or signed by a well-known outside CA (e.g. DigiCert). The client supplicants will need to accept and trust either such ISE EAP server certificate directly or its root CA certificate.

As to authentication using EAP-TLS, the RADIUS.User-Name dictionary attribute can be used to direct requests to a particular certificate auth profile. We may use the same cert auth profile if the user identity is represented in the same certificate field and if the identity store is selected as either [not applicable] or All_AD_Join_Points. AD trusts mainly affect the number of AD join points.


2 Replies

If ISE should be configured to authorize users based on group attributes:

Let's say the username existing in AD1 is “user”. While issuing the client certificate, the CN should be “user” in the certificate attributes. If you need to differentiate with another factor plus the username, is it applicable to capture more than one attribute? In the certificate authentication profile you can find two options:

1. Retrieve only one attribute, such as the common name “CN”

2. Perform a generic check on certificate attributes

Option 1

Each will authenticate the user and retrieve “CN” in all AD join points.

In this scenario, ISE performance may be affected, as you send each auth request to all tenants and a user may match in multiple domains.

Option 2

I cannot find more explanation to make sure this way is better?

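To make the accepted answer's suggestion (route on RADIUS User-Name to a per-tenant certificate auth profile) and the concern in the last reply (a CN looked up against all AD join points can match in more than one domain) concrete, here is an added Python simulation. It is not Cisco ISE code and not the poster's configuration; the tenant domains, join-point contents, profile names and certificate identities are constructed assumptions. `route_by_user_name` mirrors an authentication rule that matches the User-Name suffix, `lookup_cn_all_join_points` models a profile that takes the Subject CN as identity against All_AD_Join_Points, and `lookup_upn_single_join_point` models taking the SAN UPN instead so that only one join point is queried.

```python
"""Simulation of EAP-TLS identity routing across several AD join points.

Added example for this thread: this is not Cisco ISE code and not the poster's
configuration. Tenant domains, join-point contents, profile names and the
certificate identities are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed tenants: AD domain (join point) -> certificate auth profile name,
# the "without trust" layout from the question (one profile per tenant).
TENANTS: Dict[str, str] = {
    "company1.com": "Cert-Profile1",
    "company2.com": "Cert-Profile2",
    "company3.com": "Cert-Profile3",
}

# Constructed AD join points: domain -> {sAMAccountName: group memberships}.
# "jdoe" deliberately exists in two domains to show the CN ambiguity.
JOIN_POINTS: Dict[str, Dict[str, List[str]]] = {
    "company1.com": {"jdoe": ["GroupX"], "asmith": ["Staff"]},
    "company2.com": {"jdoe": ["Contractors"]},
    "company3.com": {"bkhan": ["GroupX"]},
}


@dataclass
class ClientCert:
    """The identity fields a cert auth profile can read from a client cert."""
    subject_cn: str
    san_upn: Optional[str] = None   # SAN otherName UPN, e.g. jdoe@company1.com


def _tenant_for_domain(domain: str) -> Optional[str]:
    """Suffix match so pc01.sales.company2.com still maps to company2.com."""
    for tenant in TENANTS:
        if domain == tenant or domain.endswith("." + tenant):
            return tenant
    return None


def route_by_user_name(radius_user_name: str) -> Optional[str]:
    """Pick the cert auth profile from RADIUS User-Name (the EAP outer identity),
    the way an authentication rule such as
    'Radius:User-Name ENDS_WITH @company1.com -> Cert-Profile1' would.
    Handles UPN, host/ machine identities and NetBIOS DOMAIN\\user forms.
    Returns None for a bare username, which carries no domain to route on."""
    name = radius_user_name.strip().lower()
    if name.startswith("host/"):
        fqdn = name[len("host/"):]
        domain = fqdn.split(".", 1)[1] if "." in fqdn else ""
    elif "@" in name:
        domain = name.rsplit("@", 1)[1]
    elif "\\" in name:
        netbios = name.split("\\", 1)[0]
        domain = next((t for t in TENANTS if t.split(".")[0] == netbios), "")
    else:
        return None
    tenant = _tenant_for_domain(domain)
    return TENANTS[tenant] if tenant else None


def lookup_cn_all_join_points(cert: ClientCert) -> Dict[str, List[str]]:
    """Option 1 in the last reply: identity = Subject CN, identity store =
    All_AD_Join_Points. Every join point is queried, so the same CN can match
    in more than one domain; a result with len() > 1 is ambiguous."""
    return {domain: users[cert.subject_cn]
            for domain, users in JOIN_POINTS.items()
            if cert.subject_cn in users}


def lookup_upn_single_join_point(cert: ClientCert) -> Dict[str, List[str]]:
    """Identity = SAN UPN: the suffix selects one join point, so only that
    directory is queried and a duplicate sAMAccountName elsewhere is ignored."""
    if not cert.san_upn or "@" not in cert.san_upn:
        return {}
    user, domain = cert.san_upn.lower().rsplit("@", 1)
    groups = JOIN_POINTS.get(domain, {}).get(user)
    return {} if groups is None else {domain: groups}


def authorize(cert: ClientCert, required_group: str = "GroupX"):
    """Authorization rule 'user is part of GroupX -> Auth_profile', applied to
    whichever lookup the certificate allows. Requires exactly one matching
    domain; an ambiguous CN match is rejected rather than guessed."""
    if cert.san_upn:
        result = lookup_upn_single_join_point(cert)
    else:
        result = lookup_cn_all_join_points(cert)
    if len(result) != 1:
        return ("REJECT", "ambiguous" if result else "not found")
    domain, groups = next(iter(result.items()))
    if required_group in groups:
        return ("PERMIT", domain)
    return ("REJECT", "not in " + required_group)


if __name__ == "__main__":
    for ident in ("jdoe@company2.com", "host/pc01.company3.com",
                  "COMPANY1\\jdoe", "jdoe"):
        print(f"{ident:28} -> {route_by_user_name(ident)}")
    print("CN only  :", authorize(ClientCert("jdoe")))
    print("SAN UPN  :", authorize(ClientCert("jdoe", "jdoe@company1.com")))
```

Running the block shows the two outcomes the thread circles around: a certificate that carries only CN=jdoe is rejected as ambiguous because the CN matches in two join points, while the same user with a UPN in the SAN is resolved against one join point and authorized on its group there. Which certificate field the identity is taken from, and whether the identity store is a single join point or All_AD_Join_Points, is what the certificate authentication profile settings discussed above control; the suffix routing on User-Name only helps if the supplicant actually sends a domain-qualified outer identity, so a bare username (last case in the demo) still needs a catch-all rule.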
