Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8801
Views
10
Helpful
4
Replies

ISE and multiple AD Domains

Go to solution
REJR77
Level 1
Level 1

‎02-24-2020 04:20 AM - last edited on ‎03-13-2020 04:00 PM by Community Manager

Hello,

We have a SDA network with DNAC and ISE.

In this network we have different teams with different AD domain and PKI. (domains do not trust each other)

Users are only sharing same switches in the fabric.

 

We want to authenticate the endpoints with EAP-TLS.

Each domain computer receives a machine cert for the domain it belongs

1- Will ISE be able to check the machine certificate against each CA  and then check for a group in the corresponding AD?

2- Can I have only 1 Identity Source Sequence with all the Active Directory to acheive this?

 

3- Are there some restrictions or any caveats?

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-24-2020 06:30 AM - edited ‎02-24-2020 06:31 AM

I agree with @Mohammed al Baqari for one valid option.  Adding additional information that will hopefully be helpful:

I currently support an environment that has a similar setup that you have described.  We are running an SDA fabric with a dnac cluster and ise cluster that supports user onboarding from multiple domains that do not have any trust.  The nice thing about SDA is the mobility aspect.  One thing to keep in mind is that you will want to determine how to virtually segregate these separate domains in SDA.  What I mean by this is, are you going to rely on multiple VNs or rely heavily on policy with trustsec to control east-west traffic within a VN or two.  IMO this design decision comes down to requirements.  Just note that if clients in VN1 need to reach clients in VN2 then you will have to traverse traffic through your fusion routers and leak accordingly.  

 

1- Will ISE be able to check the machine certificate against each CA  and then check for a group in the corresponding AD?

Yes.  Make sure you have all cert chains imported into the ISE trust store.  You can setup separate ocsp client profiles that you can assign to each respective chain for cert status validation.  You can also configure separate respective crl download locations for each chain.  

2- Can I have only 1 Identity Source Sequence with all the Active Directory to acheive this?

Yes.  Note that ISE will search from the top down so order them accordingly.  Depending on how you build out your policies you may want to consider setting up separate policies for each domain.  IMO this would be cleaner, and easier to read once setup for other members (this is just a preference thing).  Since you are wishing to use certificate auth you will need to properly configure your Certificate Authentication Profile (CAP).  Within your CAP/s you specify the identity store to use (AD1, AD2, ADall, etc.), and things like what cert attribute to use for identity.  

 

3- Are there some restrictions or any caveats?

Yes.  Of the top of my head one I can think of is, ISE can support up to 50 AD integrations.  See here for more info:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html

View solution in original post

4 Replies 4

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-24-2020 05:27 AM

You can create domain global catalog (GC) server and add all these ADs to
it then point ISE to your GC server.

ISE can check against different CAs if you create match rules. For example
match each the issuer of the certs and validate against the corresponding
CAs.


**** please remember to rate useful posts
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-24-2020 06:30 AM - edited ‎02-24-2020 06:31 AM

I agree with @Mohammed al Baqari for one valid option.  Adding additional information that will hopefully be helpful:

I currently support an environment that has a similar setup that you have described.  We are running an SDA fabric with a dnac cluster and ise cluster that supports user onboarding from multiple domains that do not have any trust.  The nice thing about SDA is the mobility aspect.  One thing to keep in mind is that you will want to determine how to virtually segregate these separate domains in SDA.  What I mean by this is, are you going to rely on multiple VNs or rely heavily on policy with trustsec to control east-west traffic within a VN or two.  IMO this design decision comes down to requirements.  Just note that if clients in VN1 need to reach clients in VN2 then you will have to traverse traffic through your fusion routers and leak accordingly.  

 

1- Will ISE be able to check the machine certificate against each CA  and then check for a group in the corresponding AD?

Yes.  Make sure you have all cert chains imported into the ISE trust store.  You can setup separate ocsp client profiles that you can assign to each respective chain for cert status validation.  You can also configure separate respective crl download locations for each chain.  

2- Can I have only 1 Identity Source Sequence with all the Active Directory to acheive this?

Yes.  Note that ISE will search from the top down so order them accordingly.  Depending on how you build out your policies you may want to consider setting up separate policies for each domain.  IMO this would be cleaner, and easier to read once setup for other members (this is just a preference thing).  Since you are wishing to use certificate auth you will need to properly configure your Certificate Authentication Profile (CAP).  Within your CAP/s you specify the identity store to use (AD1, AD2, ADall, etc.), and things like what cert attribute to use for identity.  

 

3- Are there some restrictions or any caveats?

Yes.  Of the top of my head one I can think of is, ISE can support up to 50 AD integrations.  See here for more info:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html

Go to solution
REJR77
Level 1
Level 1
In response to Mike.Cifelli

‎02-25-2020 01:18 AM

Hi Mike,
Thank you for the elaborate feedback.
Just one question, how did you deal with DNS?
I presume you needed to join each AD domain, but your ISE would rely on DNS server maybe in a "shared services" zone (maybe not part of any onboarded domains).
How do you resolve Domain Controler to join each AD domain?
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to REJR77

‎02-25-2020 05:51 AM

So you could potentially get away with the Shared services zone idea. Regardless of the approach you take there are certain requirements that need to be met in order for ISE to successfully integrate with each respective AD, and to be able to fully operate properly. Several items are covered in the AD integration link shared in the earlier post. I can say that the first time I integrated with an external domain AD I ran into issues due to path connectivity and dns srv issues. I would ensure you have remote support to ensure connectivity, and engage your DNS person/team. I had to manually add forward lookup zones for the other domains, as well as add the proper srv records to make ISE happy. During your integration you can utilize the ISE AD diagnostic tool that will show you the statuses of the required functions. (Administration->Identity Management->External Identity Groups->AD-><your ad>
0 Helpful
Customers Also Viewed These Support Documents