Ise Authentication to two different forests second using External Radius, Not LDAP

joeyrego214543
Level 1

Hi Guys,

I am hoping someone can help me. We currently have two AD forests, one for staff and one for students. These forests do not have a two-way trust between them, nor do we want one. We currently have ISE 1.2 integration with our student forest using AD, working just fine. The iPads and other devices are playing nicely and cooperating well. We want to get our staff to be able to use ISE as well. Currently there is no way to use two AD forests, so I was directed to use LDAP instead for the second domain. Unfortunately, after playing around with it, LDAP doesn't support MSCHAPv2, which our mobile devices like iPads do play nicely with. This causes an issue only because we would have to utilize certificates to get everything to work correctly. This is not the route we want to go. So I was speaking to TAC and they recommended using an external RADIUS server, then modifying my auth profiles to look for the domain name in the authentication string. If it starts with, for example, student\ then I can have ISE forward the auth request to the AD-integrated PSNs for auth. If the auth string starts with staff\ for example, I should be able to forward this request to my external RADIUS server.

This sounds all good in theory, but I have not found any documentation to support this to help me configure it. Has anyone tried this approach? Or have any leads on where I can find some good documentation as to what RADIUS servers are supported? I am hoping Windows Server 2008 R2 with a RADIUS role installed, but I am just not sure.

If anyone can help, I would greatly appreciate it.

Thank you

Joey

2 Replies

Mathieu Sturm
Level 1

I've had to use an external RADIUS server as well for outgoing eduroam users. I created 2 external RADIUS servers (I don't think it matters what sort of RADIUS server it is) and made a new RADIUS server sequence (where I selected those 2 external RADIUS servers). Next I created a new authorization profile where, in my case, I filter by SSID. Next you change your "Allowed Protocols" => "Radius Server Sequence" and select the server sequence you just created. At the authorization profile you can filter on Username (see image: student.png).
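The realm-prefix routing described in the question and in the reply above, written out as an added example that is not part of the original thread and not ISE's own code: a small Python routine that parses a RADIUS User-Name in either NetBIOS form (DOMAIN\user) or UPN form (user@domain), looks the realm up in a table and returns which backend the request should be forwarded to plus the identity with the realm stripped. The realm names student and staff come from the thread; the backend labels, the DNS suffixes and the sample identities are assumptions constructed for this example. Unknown or missing realms fail closed (no default backend), since a request silently falling through to the wrong forest is the failure mode a split like this has to avoid.

```python
"""Realm-based routing of RADIUS authentications between two AD forests.

Added example for the thread above; the backend labels and the DNS suffixes
below are assumptions, not ISE configuration.
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    target: str    # backend the request is forwarded to
    realm: str     # normalised (lower-case) realm that matched
    username: str  # identity with the realm prefix/suffix removed


# Hypothetical realm table. Both the NetBIOS name and the DNS suffix of each
# forest map to the same backend so that DOMAIN\user and user@domain agree.
REALM_TABLE: Dict[str, str] = {
    "student": "ad-psn-student",                  # PSNs joined to the student forest
    "student.example.edu": "ad-psn-student",      # assumed DNS name of that forest
    "staff": "external-radius-staff",             # external RADIUS server for staff
    "staff.example.edu": "external-radius-staff", # assumed DNS name of that forest
}

# DOMAIN\user: realm is everything before the first backslash.
_NETBIOS = re.compile(r"^([^\\/@]+)\\(.+)$")
# user@domain: realm is everything after the (single) @.
_UPN = re.compile(r"^([^\\/@]+)@([^\\/@]+)$")


def split_identity(identity: str) -> Tuple[Optional[str], str]:
    """Return (realm, user) for 'DOMAIN\\user' or 'user@domain'.

    If no realm can be found, returns (None, identity) unchanged.
    Realms are lower-cased so STAFF\\x and staff\\x route the same way.
    """
    m = _NETBIOS.match(identity)
    if m:
        return m.group(1).lower(), m.group(2)
    m = _UPN.match(identity)
    if m:
        return m.group(2).lower(), m.group(1)
    return None, identity


def route(identity: str, table: Dict[str, str] = REALM_TABLE) -> Optional[Route]:
    """Pick the backend for a RADIUS User-Name; None means reject.

    Fails closed: an empty name, a name without a realm, or a realm not in
    the table is rejected rather than sent to a guessed default backend.
    """
    if not identity or not identity.strip():
        return None
    realm, user = split_identity(identity.strip())
    if realm is None or not user:
        return None
    target = table.get(realm)
    if target is None:
        return None
    return Route(target, realm, user)


if __name__ == "__main__":
    # Constructed sample identities, not real accounts.
    for name in ("student\\jdoe", "STAFF\\asmith", "asmith@staff.example.edu",
                 "jdoe", "guest\\nobody", "student\\"):
        print(repr(name), "->", route(name))
```

With a tunnelled EAP method such as PEAP the identity seen in the outer Access-Request can be an anonymous or generic outer identity, so whichever name the policy actually evaluates (outer or inner) is the one the table has to be written against.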

Naveen Kumar
Level 4

That is correct! Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest.

However, you may create multiple instances for LDAP. Cisco ISE can communicate via LDAP to Active Directory servers in an untrusted domain. The only limitation you would see with LDAP being a database is that it doesn't support PEAP-MSCHAPv2 (native Microsoft supplicant). However, it does support EAP-TLS.

For more information, you may go through the link listed below.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf
