Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
818
Views
0
Helpful
4
Replies

Devices to authenticate in ISE

Go to solution
adamgibs7
Level 6
Level 6

‎05-26-2018 12:47 PM - edited ‎02-21-2020 10:57 AM

Dears,

I have a general question here for the design.

 

I have a Network devices in DR and branches, My ISE server is in INSIDE network do it is a best practice to get their authentication traffic (TACACS+)  to the ISE in inside network.

 

Also I have a VPN corporate users I want to authenticate them  it will be a best practice to authenticate them on the AD by their domain password or I shld create a username in the local database of ISE.

 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-26-2018 09:11 PM

Your remote network access devices would typically reach the AAA server (ISE in your case) via a VPN (or possibly MPLS private WAN) connection.

 

If you don't have any such connection then you would allow the incoming TACACS or RADIUS traffic (depending on which you use), originated from those devices only, in through your main office firewall.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎05-26-2018 02:57 PM

Hi,
I am not sure I understand the first question, can you re-phrase it?

I personally would use AD as the identity store for VPN corporate users rather than create a new user account stored in ISE database. Simply because it's one less username/password combination for that user to remember and for you to administer. Also when the user leaves the organization, the AD account will probably be disabled/deleted by existing processes therefore their VPN access would also be terminated at the same time.

HTH
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-26-2018 09:11 PM

Your remote network access devices would typically reach the AAA server (ISE in your case) via a VPN (or possibly MPLS private WAN) connection.

 

If you don't have any such connection then you would allow the incoming TACACS or RADIUS traffic (depending on which you use), originated from those devices only, in through your main office firewall.

0 Helpful

Go to solution
adamgibs7
Level 6
Level 6
In response to Marvin Rhoads

‎05-27-2018 01:47 PM

Dears

thanks for the reply

 

@Marvin Rhoads

Your remote network access devices would typically reach the AAA server (ISE in your case) via a VPN (or possibly MPLS private WAN) connection

I didn't understood the above lines

 

 

They were 2 separate question in my previous post

 

  1. I was asking in question 1 is it the correct way from security perspective to get branch and DR Network devices tacacs+  traffic to the ise server for device administration/authentication which is located in INSIDE network.
  2. so if we are authenticating VPN users on AD it is a recommended way ?? and best practice from cisco ??, don't you see we are opening a security hole by authenticating user traffic to the AD in internal network.

Thanks

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to adamgibs7

‎05-27-2018 08:25 PM

The best way for remote branches and DR sites to get their TACACS+ traffic back is via a site-site VPN.

 

For remote access VPN users, they should authenticate to AD via the VPN device. Their authentication traffic is tunneled via SSL (or IKEv2 IPsec) to the VPN device (ASA or router) and then it proxies to ISE (or directly to your domain controller) to complete the authentication and authorization for the session. there is no "security hole" being exposed via this method as all traffic on the public network is encrypted.

0 Helpful
Customers Also Viewed These Support Documents