Internal Identity vs external identity

Eddy Lee
Cisco Employee

Pros and Cons of using ISE internal identity store vs external identity store - e.g AD

2 Replies

Nadav
Level 7

Hi,

That's a very broad question. It boils down to the same reasons you'd use an external identity source as opposed to an internal one for most systems.

1) External sources allow for authenticating against centralized databases, which is where the vast majority of users and endpoints in an organization are likely configured. For example, Microsoft AD contains all endpoints within the domain and all users within the domain.

2) An external source means you don't need to duplicate users/endpoints/credentials, which not only removes a vast amount of technical overhead but also ensures that your external source is the single source of truth of your organization's logical assets. This includes entity information and status (locked out, disabled, etc.).

3) An internal source may be useful for a few reasons:

3.1) Due to technical limitations when using an external identity source. For example, Windows Server 2008 and above don't support EAP-MD5 authentication so it must be used on internal users.

3.2) Allowing ISE to make policy decisions independent of any external identity source. For example, you want to create an emergency group of users which aren't located outside of ISE so that they can't be affected if your domain is compromised.

3.3) Internal database requests can be performed more times per second than external database requests. If for some reason you are unable to meet your system requirements using an external database, you might be able to do so with internal users/groups. See https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148 for more details.

I'm sure there are other factors, but those are the big ones that come to my mind.

Mike.Cifelli
VIP Alumni

Your question is very broad. Not sure if you are referring to just user identity groups and/or endpoint groups. However, I would like to add to @Nadav's valid points:

Internal Endpoint Pros:
-If your environment will utilize device profiling you can create and auto-populate local ISE endpoint groups with the profiled devices' MAC addresses and drive policy via these profiled groups.
-You don't have to worry about potentially losing connectivity to your external source

Internal Endpoint Cons:
-All your eggs are in one basket
-I personally think from a design perspective in regard to driving policy you are more limited on what you can accomplish in your environment.
-You can set up ISE to automatically purge endpoints based on certain conditions.

External identity store pros:
-You can utilize built out security groups in AD for your domain members (users/objects) and not need to duplicate efforts within ISE
-You can easily manage driving policy by moving object/users in AD to other security groups

External identity store cons:
-You cannot profile endpoints and map/auto-populate them in AD
-You rely on connectivity to your source & may possibly have all your eggs in that basket
-You cannot rely on ISE to perform endpoint automatic purges

There are a lot more reasons, but these ones popped up immediately. In my opinion you should utilize both internal/external. However, the determination will be made by your requirements. HTH!
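The trade-offs in both replies (Nadav's points 2 and 3.2 on duplication versus a domain-independent emergency group, and Mike's point about losing connectivity to the external source) can be seen in a small model of an ordered identity-source walk. The following is an added example, not ISE's own code or configuration: it assumes a toy "AD" store and a toy "Internal" store with plaintext passwords, and a hypothetical rule that the walk moves to the next store only when the user is not found or the store is unreachable. Account names and groups are constructed for the demo.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class AuthResult(Enum):
    ACCEPT = "accept"            # credential valid and account enabled
    REJECT = "reject"            # user exists, but wrong password or disabled
    NOT_FOUND = "not_found"      # this store has no such user
    UNREACHABLE = "unreachable"  # store could not be queried


@dataclass
class Account:
    password: str            # plaintext only for this toy; a real store hashes
    groups: List[str]
    disabled: bool = False


@dataclass
class IdentityStore:
    name: str
    accounts: Dict[str, Account] = field(default_factory=dict)
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Tuple[AuthResult, List[str]]:
        """Answer for this single store; groups are returned only on ACCEPT."""
        if not self.reachable:
            return AuthResult.UNREACHABLE, []
        acct = self.accounts.get(user)
        if acct is None:
            return AuthResult.NOT_FOUND, []
        if acct.disabled or acct.password != password:
            return AuthResult.REJECT, []
        return AuthResult.ACCEPT, list(acct.groups)


def authenticate_sequence(
    stores: List[IdentityStore], user: str, password: str
) -> Tuple[AuthResult, Optional[str], List[str]]:
    """Walk the stores in order (hypothetical rule, not ISE's exact logic).

    A definitive ACCEPT or REJECT from a store ends the walk. NOT_FOUND and
    UNREACHABLE let the walk continue. If nobody answered definitively, an
    UNREACHABLE store dominates NOT_FOUND so the caller can tell an outage
    from an unknown user.
    """
    saw_unreachable = False
    for store in stores:
        result, groups = store.authenticate(user, password)
        if result in (AuthResult.ACCEPT, AuthResult.REJECT):
            return result, store.name, groups
        if result is AuthResult.UNREACHABLE:
            saw_unreachable = True
    final = AuthResult.UNREACHABLE if saw_unreachable else AuthResult.NOT_FOUND
    return final, None, []


def build_demo(ad_reachable: bool = True) -> List[IdentityStore]:
    """Constructed sample data: AD first, internal store second."""
    ad = IdentityStore("AD", {
        "alice": Account("pw-alice", ["Domain Users", "NetOps"]),
        # bob was disabled in AD (the single source of truth)...
        "bob": Account("pw-bob", ["Domain Users"], disabled=True),
    }, reachable=ad_reachable)
    internal = IdentityStore("Internal", {
        # emergency account that exists only in ISE, never in the domain
        "breakglass": Account("pw-emergency", ["Emergency"]),
        # ...but a stale duplicate of bob was left in the internal store
        "bob": Account("pw-bob", ["Contractors"]),
    })
    return [ad, internal]


if __name__ == "__main__":
    for ad_up in (True, False):
        stores = build_demo(ad_reachable=ad_up)
        print(f"AD reachable={ad_up}")
        for user, pw in (("alice", "pw-alice"), ("bob", "pw-bob"),
                         ("breakglass", "pw-emergency")):
            print(" ", user, authenticate_sequence(stores, user, pw))
```

Running it shows the two behaviours the thread describes: with AD unreachable, `alice` cannot authenticate at all (connectivity dependence), while `breakglass` still succeeds from the internal store (Nadav's emergency group), but the stale duplicate of `bob` is also accepted even though the domain has him disabled, which is exactly why duplicating accounts undermines the external source as single source of truth.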