ISE Active Directory Integration - Is It Necessary?

zachartl
Level 1

Hello,

We've just completed the early stages of our deployment. We have six appliances (2 3695s and 4 3655s). We've patched the devices and have installed the Admin Certificates (Internal CA Certs). They're all network-connected and communicating with one another. The 3695s are PANs and MnTs, one primary and the other secondary, and the 3655s are PSNs.

I've reached out to our AD Team to begin AD Integration, but they appear reticent about adding these devices to the Domain. And so we're at a pause. We intend to use the ISE installation for TACACS+ for Authentication and Authorization to our network devices; RADIUS machine authentication for our Wireless Devices and Guest Internet Access. Given these requirements, is it necessary to integrate the ISE Appliances into our AD Domain, or is it sufficient to simply create machine accounts for the ISE Appliances and have them peruse the AD Domain for authentication purposes without being Domain Members?

Thank you,

Terry

1 Accepted Solution

Arne Bier
VIP

Joining ISE to an AD Domain is not a bad thing at all. When you "join" ISE to a domain, an object is added (ISE) to an OU of your choice. ISE does not store the credentials used during the join. Since it's now a Domain Member, it can query AD Groups and perform user lookups etc.

An alternative to using AD integration is to use LDAP to the Domain Controllers or to an AD Replica. But beware. You cannot perform all authentication types with LDAP. You can only perform simple PAP auth. You cannot do EAP-PEAP for example.

Windows AD endpoint authentication without joining ISE to the AD seems kind of pointless/impossible. I say "impossible" with a caveat because there might be a hack around this. But nobody in their right mind would not use AD to perform machine/user authentication.

Device Admin (aka TACACS) is a different discussion. There is an argument to be had for creating accounts in ISE's database for network admins. No mandatory requirement to involve AD here. But you might eventually run into a brick wall in complex environments where it might be more convenient to leverage AD users and groups.

For Guest, you don't need AD. Unless of course you want to grant guest access to your AD users (obviously).

The ISE AD software stack is a very well written and well thought out part of ISE. Why don't you spin up a small lab and let your AD's investigate?

4 Replies


I agree with @Arne Bier's great answer.

Additionally, you'd be unable to use the AD probe for profiling the devices.

marce1000
VIP

- As stated by Arne, ISE integration with AD is common practice and the way to go forward.

M.

-- 'Good body every evening' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Good Morning,

I want to thank everyone who responded. We're still working with our AD Team to get this accomplished. I've forwarded your helpful responses.

Best Regards,

Terry