ISE and multiple AD Domains

Hello,

We have a SDA network with DNAC and ISE.

In this network we have different teams with different AD domain and PKI. (domains do not trust each other)

Users are only sharing same switches in the fabric.

 

We want to authenticate the endpoints with EAP-TLS.

Each domain computer receives a machine cert for the domain it belongs

1- Will ISE be able to check the machine certificate against each CA and then check for a group in the corresponding AD?

2- Can I have only 1 Identity Source Sequence with all the Active Directory to achieve this?

 

3- Are there some restrictions or any caveats?

 

Thanks

ACCEPTED SOLUTION

VIP Engager

I agree with @Mohammed al Baqari for one valid option.  Adding additional information that will hopefully be helpful:

I currently support an environment that has a similar setup to the one you have described. We are running an SDA fabric with a DNAC cluster and ISE cluster that supports user onboarding from multiple domains that do not have any trust. The nice thing about SDA is the mobility aspect. One thing to keep in mind is that you will want to determine how to virtually segregate these separate domains in SDA. What I mean by this is, are you going to rely on multiple VNs or rely heavily on policy with TrustSec to control east-west traffic within a VN or two? IMO this design decision comes down to requirements. Just note that if clients in VN1 need to reach clients in VN2 then you will have to traverse traffic through your fusion routers and leak accordingly.

 

1- Will ISE be able to check the machine certificate against each CA and then check for a group in the corresponding AD?

Yes. Make sure you have all cert chains imported into the ISE trust store. You can set up separate OCSP client profiles that you can assign to each respective chain for cert status validation. You can also configure separate respective CRL download locations for each chain.

2- Can I have only 1 Identity Source Sequence with all the Active Directory to achieve this?

Yes. Note that ISE will search from the top down, so order them accordingly. Depending on how you build out your policies you may want to consider setting up separate policies for each domain. IMO this would be cleaner and easier to read once set up for other members (this is just a preference thing). Since you are wishing to use certificate auth you will need to properly configure your Certificate Authentication Profile (CAP). Within your CAPs you specify the identity store to use (AD1, AD2, ADall, etc.), and things like what cert attribute to use for identity.

 

3- Are there some restrictions or any caveats?

Yes. Off the top of my head, one I can think of is that ISE can support up to 50 AD integrations. See here for more info:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html

4 REPLIES

VIP Advisor

You can create a domain global catalog (GC) server, add all these ADs to it, then point ISE to your GC server.

ISE can check against different CAs if you create match rules. For example, match the issuer of each cert and validate against the corresponding CA.


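The issuer-match rule described in the reply above, together with the accepted solution's points about importing every domain's CA chain into the trust store and letting the Certificate Authentication Profile pick the identity store and identity attribute, as an added example that is neither ISE code nor either poster's configuration: each domain's issuing CA is a separate trust anchor, the machine certificate is verified against each chain, and the chain that verifies selects which identity store (placeholder names AD1 and AD2) is queried with the certificate's CN. The CAs, the certificates and the host names (corp-a.example, corp-b.example) are generated in memory for the example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// domainTrust pairs one domain's issuing CA chain (what would be imported into the
// ISE trust store) with the identity store ISE should query for that domain.
type domainTrust struct {
	IdentityStore string // placeholder store name, e.g. "AD1"
	Roots         *x509.CertPool
}

func newDomainTrust(store string, ca *x509.Certificate) domainTrust {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return domainTrust{IdentityStore: store, Roots: pool}
}

// newCA generates a throwaway self-signed issuing CA standing in for a domain PKI.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueMachineCert mimics an auto-enrolled machine cert: client-auth EKU, CN = host name.
func issueMachineCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostCN string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostCN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selectIdentityStore is the issuer-match rule: the machine cert is verified against
// each domain's chain and the first chain that verifies decides which AD is queried.
// The subject CN is returned as the identity attribute (the CAP "attribute for
// identity"). A cert chaining to no trusted CA is rejected before any AD lookup.
func selectIdentityStore(leaf *x509.Certificate, domains []domainTrust) (store, identity string, err error) {
	for _, d := range domains {
		opts := x509.VerifyOptions{Roots: d.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, verr := leaf.Verify(opts); verr == nil {
			return d.IdentityStore, leaf.Subject.CommonName, nil
		}
	}
	return "", "", fmt.Errorf("issuer %q chains to no trusted domain CA", leaf.Issuer.CommonName)
}

func main() {
	caA, keyA, _ := newCA("Corp-A Issuing CA")
	caB, keyB, _ := newCA("Corp-B Issuing CA")
	rogue, rogueKey, _ := newCA("Unknown CA") // deliberately not in the trust store
	domains := []domainTrust{newDomainTrust("AD1", caA), newDomainTrust("AD2", caB)}
	a, _ := issueMachineCert(caA, keyA, "ws01.corp-a.example")
	b, _ := issueMachineCert(caB, keyB, "ws02.corp-b.example")
	r, _ := issueMachineCert(rogue, rogueKey, "ws03.corp-a.example") // plausible CN, wrong issuer
	for _, leaf := range []*x509.Certificate{a, b, r} {
		store, id, err := selectIdentityStore(leaf, domains)
		fmt.Printf("%-22s store=%q identity=%q err=%v\n", leaf.Subject.CommonName, store, id, err)
	}
}
```

The third certificate is the case the design has to get right: its CN looks like a Corp-A host, but it was issued by a CA that is not in the trust store, so it never reaches an AD group lookup. The same structure extends to per-chain revocation checking, since each `domainTrust` is where a domain-specific CRL or OCSP responder would be consulted before the identity store is chosen.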


Hi Mike,
Thank you for the elaborate feedback.
Just one question: how did you deal with DNS?
I presume you needed to join each AD domain, but your ISE would rely on a DNS server, maybe in a "shared services" zone (maybe not part of any onboarded domains).
How do you resolve Domain Controllers to join each AD domain?

So you could potentially get away with the shared services zone idea. Regardless of the approach you take, there are certain requirements that need to be met in order for ISE to successfully integrate with each respective AD and to be able to fully operate properly. Several items are covered in the AD integration link shared in the earlier post. I can say that the first time I integrated with an external domain AD I ran into issues due to path connectivity and DNS SRV issues. I would ensure you have remote support to ensure connectivity, and engage your DNS person/team. I had to manually add forward lookup zones for the other domains, as well as add the proper SRV records to make ISE happy. During your integration you can utilize the ISE AD diagnostic tool that will show you the statuses of the required functions (Administration->Identity Management->External Identity Groups->AD-><your ad>).
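A pre-flight check for the DNS point raised in the last two replies (joining each domain depends on the _msdcs SRV records that locate domain controllers, and the records that do not resolve are exactly what the DNS team has to add to the forward lookup zone), as an added example that is not part of the thread and not ISE's own diagnostic tool: it queries the SRV records a domain join depends on and lists the ones with no target. The resolver is injected so the block runs offline against a constructed zone (corp-a.example complete, corp-b.example missing its Kerberos record); passing net.LookupSRV instead runs the same check against live DNS. The domain names are placeholders, and each untrusted domain is assumed to be its own forest root, so its _gc._tcp record is looked up at the domain name itself.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// srvLookup has the signature of net.LookupSRV, so either the real resolver or
// the constructed fakeLookup below can be passed in.
type srvLookup func(service, proto, name string) (string, []*net.SRV, error)

// dcRecords returns the (service, proto, name) triples a domain join depends on.
// net.LookupSRV assembles them as _service._proto.name, e.g.
// _ldap._tcp.dc._msdcs.<domain>. The _gc record lives at the forest root; each
// domain here is assumed to be its own forest.
func dcRecords(domain string) [][3]string {
	return [][3]string{
		{"ldap", "tcp", "dc._msdcs." + domain},
		{"kerberos", "tcp", "dc._msdcs." + domain},
		{"gc", "tcp", domain},
	}
}

type srvFinding struct {
	Record  string   // fully qualified SRV name that was queried
	Targets []string // host:port of each advertised DC; empty when unresolved
	Err     error
}

// checkDomainSRV queries every required record and reports what resolved.
func checkDomainSRV(domain string, lookup srvLookup) []srvFinding {
	var out []srvFinding
	for _, r := range dcRecords(domain) {
		f := srvFinding{Record: fmt.Sprintf("_%s._%s.%s", r[0], r[1], r[2])}
		_, addrs, err := lookup(r[0], r[1], r[2])
		f.Err = err
		for _, a := range addrs {
			f.Targets = append(f.Targets, fmt.Sprintf("%s:%d", strings.TrimSuffix(a.Target, "."), a.Port))
		}
		out = append(out, f)
	}
	return out
}

// missingRecords lists the records that returned no target: the set that has to
// be published (or forwarded) before the join to that domain can succeed.
func missingRecords(findings []srvFinding) []string {
	var missing []string
	for _, f := range findings {
		if len(f.Targets) == 0 {
			missing = append(missing, f.Record)
		}
	}
	return missing
}

// fakeZone is a constructed stand-in for DNS: corp-a.example is complete,
// corp-b.example lacks its Kerberos DC record.
var fakeZone = map[string][]*net.SRV{
	"_ldap._tcp.dc._msdcs.corp-a.example":     {{Target: "dc1.corp-a.example.", Port: 389}},
	"_kerberos._tcp.dc._msdcs.corp-a.example": {{Target: "dc1.corp-a.example.", Port: 88}},
	"_gc._tcp.corp-a.example":                 {{Target: "dc1.corp-a.example.", Port: 3268}},
	"_ldap._tcp.dc._msdcs.corp-b.example":     {{Target: "dc1.corp-b.example.", Port: 389}},
	"_gc._tcp.corp-b.example":                 {{Target: "dc1.corp-b.example.", Port: 3268}},
}

// fakeLookup answers from fakeZone with the same shape as net.LookupSRV.
func fakeLookup(service, proto, name string) (string, []*net.SRV, error) {
	fqdn := fmt.Sprintf("_%s._%s.%s", service, proto, name)
	addrs, ok := fakeZone[fqdn]
	if !ok {
		return "", nil, &net.DNSError{Err: "no such host", Name: fqdn, IsNotFound: true}
	}
	return fqdn, addrs, nil
}

func main() {
	for _, domain := range []string{"corp-a.example", "corp-b.example"} {
		findings := checkDomainSRV(domain, fakeLookup) // use net.LookupSRV for a live check
		for _, f := range findings {
			fmt.Printf("%-45s %v\n", f.Record, f.Targets)
		}
		fmt.Printf("%s missing: %v\n\n", domain, missingRecords(findings))
	}
}
```

Run from the ISE node's network position (or a host using the same resolver) so the result reflects the forwarders ISE will actually use; a record that resolves from a workstation in the domain but not from the shared-services resolver is the case described in the reply above.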