Solved: Re: Cisco ISE Multi Tenant AD

Ahmed.Y.Eissa · ‎01-14-2018

Current Situation: Campus includes 6 companies with separated AD and PKI.

Required to authorize user based on client certificate

In traditional way ( IF we had only one Tenant).

Create DNS with ISE-01.company.com
Import CA root and Sign ISE generated CSR from PKI and import it back.
Build the Cluster
Create Certificate profile ”Cert-Profile” profile to check client authentication validation and get “username” info. And assign it to Authentication sequence “Cert-Auth”
Create below rules

Authentication rule > if Auth “Dot1x” --> then --> Authenticate against “Cert-Auth”

Authorization Rule > if User “part from groupX” --> then --> “Auth_profile”

In our case 6 tenant mean different AD and PKI. So how it can be done? (with and without trust between difference AD).

For Example

Without trust

Create 6 DNS entries in each domain
Import 6 CA root and Sign ISE generated CSR from PKI and import them back.
Create Certificate profile for each tenant (Cert-Profile1, Cert-Profile2,… etc.)

Then you should differentiate between each request in order to send it to specific authentication sequence.

So in authentication phase, does domain are listed in radius attributes? or any attributes we can get to send authentication to its Cert-Profile

And in case of trust exist between different AD , does one certificate profile will be enough

hslai · ‎01-15-2018

First of all, each ISE node uses one and only one system certificate for its EAP server, so that can be signed by only one PKI, such as self-signed, signed by one of the PKIs of the 6 companies, or signed by a well known outside CA (e.g. DigiCert). The client supplicants will need to accept and trust either such ISE EAP server certificate directly or its root CA certificate.

As to the authentication using EAP-TLS, then RADIUS.User-Name dictionary attribute can be used to direct requests to a particular certificate auth profiles. We may use the same cert auth profile if the user identity is represented in the same certificate field and if the identity store selected as either [not applicable] or All_AD_Join_Points. AD trusts mainly affect the number of AD join points.

View solution in original post

hslai · ‎01-15-2018

First of all, each ISE node uses one and only one system certificate for its EAP server, so that can be signed by only one PKI, such as self-signed, signed by one of the PKIs of the 6 companies, or signed by a well known outside CA (e.g. DigiCert). The client supplicants will need to accept and trust either such ISE EAP server certificate directly or its root CA certificate.

As to the authentication using EAP-TLS, then RADIUS.User-Name dictionary attribute can be used to direct requests to a particular certificate auth profiles. We may use the same cert auth profile if the user identity is represented in the same certificate field and if the identity store selected as either [not applicable] or All_AD_Join_Points. AD trusts mainly affect the number of AD join points.

Ahmed.Y.Eissa · ‎01-26-2018

if ise should be configured to authorize users based on group attributes.

Lets say username exist in AD1 is “user” .while issuing client certificate, CN should br “user” in certificate attributes. If you need to differentiate with another factor plus username.

Is this applicale to capture more than one attribute ? In certificate authorizatio profile you can find two options

1. Retrieve only one attribute as common name“CN”

2. Retrieve generic check on certificate attributes

#option1

Each will authenticate the user and retrieve “CN” in all AD joint points

In this scenario, ISE #performances may be affected as u send each auth request to all tenant and #user match in multi domains.

Option2

# i can not find more explanation to make sure this way is better ?

.