10-19-2022 01:22 PM
Hello,
We've just completed the early stages of our deployment. We've six appliances (2 3695s and 4 3655s). We've patched the devices and have installed the Admin Certificates (Internal CA Certs). They're all network connected, communicating with one another. The 3695s are PANs and MnTs, one primary the other secondary and the 3655s are PSNs.
I've reached out to our AD Team to begin AD Integration but they appear reticent about adding these devices to the Domain. And so we're at a pause. We intend to use the ISE installation for TACACS+ for Authentication and Authorization to our Network devices; RADIUS machine authentication for our Wireless Devices and Guest Internet Access. Given these requirements, is it necessary to integrate the ISE Appliances into our AD Domain, or is it sufficient to simply create machine accounts for the ISE Appliances and have them peruse the AD Domain for authentication purposes without being Domain Members?
Thank you,
Terry
10-19-2022 11:14 PM
Joining ISE to an AD Domain is not a bad thing at all. When you "join" ISE to a domain, an object is added (ISE) to an OU of your choice. ISE does not store the credentials used during the join. Since it's now a Domain Member, it can query AD Groups and perform user lookups etc.
An alternative to using AD integration is to use LDAP to the Domain Controllers or to an AD Replica. But beware. You cannot perform all authentication types with LDAP. You can only perform simple PAP auth. You cannot do EAP-PEAP for example.
Windows AD endpoint authentication without joining ISE to the AD seems kind of pointless/impossible. I say "impossible" with a caveat because there might be a hack around this. But nobody in their right mind would not use AD to perform machine/user authentication.
Device Admin (aka TACACS) is a different discussion. There is an argument to be had for creating accounts in ISE's database for network admins. No mandatory requirement to involve AD here. But you might eventually run into a brick wall in complex environments where it might be more convenient to leverage AD users and groups.
For Guest, you don't need AD. Unless of course you want to grant guest access to your AD users (obviously).
The ISE AD software stack is a very well written and well thought out part of ISE. Why don't you spin up a small lab and let your AD's investigate?
10-20-2022 12:27 AM
I agree with @Arne Bier's great answer.
Additionally, you'd be unable to use the AD probe for profiling the devices.
10-19-2022 11:35 PM
- As stated by Arne, ISE integration with AD is common practice and the way to go forward.
M.
10-20-2022 05:59 AM
Good Morning,
I want to Thank Everyone who responded. We're still working with our AD Team to get this accomplished. I've forwarded your helpful responses.
Best Regards,
Terry