Solved: Devices to authenticate in ISE

adamgibs7 · ‎05-26-2018

Dears,

I have a general question here for the design.

I have a Network devices in DR and branches, My ISE server is in INSIDE network do it is a best practice to get their authentication traffic (TACACS+) to the ISE in inside network.

Also I have a VPN corporate users I want to authenticate them it will be a best practice to authenticate them on the AD by their domain password or I shld create a username in the local database of ISE.

Thanks

Marvin Rhoads · ‎05-26-2018

Your remote network access devices would typically reach the AAA server (ISE in your case) via a VPN (or possibly MPLS private WAN) connection.

If you don't have any such connection then you would allow the incoming TACACS or RADIUS traffic (depending on which you use), originated from those devices only, in through your main office firewall.

View solution in original post

Rob Ingram · ‎05-26-2018

Hi,
I am not sure I understand the first question, can you re-phrase it?

I personally would use AD as the identity store for VPN corporate users rather than create a new user account stored in ISE database. Simply because it's one less username/password combination for that user to remember and for you to administer. Also when the user leaves the organization, the AD account will probably be disabled/deleted by existing processes therefore their VPN access would also be terminated at the same time.

HTH

Marvin Rhoads · ‎05-26-2018

Your remote network access devices would typically reach the AAA server (ISE in your case) via a VPN (or possibly MPLS private WAN) connection.

If you don't have any such connection then you would allow the incoming TACACS or RADIUS traffic (depending on which you use), originated from those devices only, in through your main office firewall.

adamgibs7 · ‎05-27-2018

Dears

thanks for the reply

@Marvin Rhoads

Your remote network access devices would typically reach the AAA server (ISE in your case) via a VPN (or possibly MPLS private WAN) connection

I didn't understood the above lines

They were 2 separate question in my previous post

I was asking in question 1 is it the correct way from security perspective to get branch and DR Network devices tacacs+ traffic to the ise server for device administration/authentication which is located in INSIDE network.
so if we are authenticating VPN users on AD it is a recommended way ?? and best practice from cisco ??, don't you see we are opening a security hole by authenticating user traffic to the AD in internal network.

Thanks

Marvin Rhoads · ‎05-27-2018

The best way for remote branches and DR sites to get their TACACS+ traffic back is via a site-site VPN.

For remote access VPN users, they should authenticate to AD via the VPN device. Their authentication traffic is tunneled via SSL (or IKEv2 IPsec) to the VPN device (ASA or router) and then it proxies to ISE (or directly to your domain controller) to complete the authentication and authorization for the session. there is no "security hole" being exposed via this method as all traffic on the public network is encrypted.