ISE Fallback with AD Best Practice

ahmedaburaihan
Level 1

Hello Everyone!

In situations where we have configured Active Directory as an External Identity Source, it is not a good idea to create the same user and password both in AD and also in ISE as an Internal User. What are the best practices to achieve fallback when our AD is down?

It is normal that sometimes AD becomes inaccessible and we cannot authenticate to ISE; there has to be a failover/fallback function by which we could still be authenticated smoothly.

Thank you for an answer!

Maddy 

13 Replies

ammahend
VIP

Most organizations have redundancy at the AD level. When you join ISE to AD, you don't join a specific IP, you join the domain. The failover mechanism is built into the AD integration, ensuring that if the primary domain controller is unreachable, ISE can still function using the secondary or tertiary controllers.

I have seen some deployments where IT admin accounts were also configured locally on ISE for TACACS, but not for every domain user; it would be very hard to manage and not scalable.

-hope this helps-

@ammahend 
I understand that it is not considered a best practice because of the scalability issue. However, there has to be a better mechanism to deal with the case where an AD user wants to authenticate and fails to get network access. Do you suggest a better solution within ISE rather than the failover mechanism in AD?

You are not limited to a single external identity source; you can integrate multiple external identity sources with ISE and use them in an identity source sequence. Natively within ISE, the local user database is your option.

-hope this helps-

Not all auth can use internal.

If you use auth that can be done by internal and external, and you add an order such that external is checked first and then internal, then I think it can work.

MHM
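As an added illustration (not from the thread and not Cisco code), here is a small Python model of how an identity source sequence walks its stores when AD is unreachable. ISE offers two choices for an unreachable store in the sequence's advanced settings, stop with ProcessError or treat the user as not found and continue, and that choice, together with the store order, decides whether the Internal Users store is ever consulted. The usernames and passwords are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class IdentityStore:
    """One store in the sequence, e.g. an AD join point or Internal Users."""
    name: str
    users: dict            # constructed sample credentials: username -> password
    reachable: bool = True

    def authenticate(self, user: str, pw: str) -> str:
        if not self.reachable:                       # e.g. every domain controller is down
            raise ConnectionError(f"{self.name} unreachable")
        if user not in self.users:
            return "UserNotFound"
        return "Success" if self.users[user] == pw else "Failed"


def evaluate_sequence(stores, user, pw, on_unreachable="ProcessError"):
    """Walk the stores in order. on_unreachable models the two ISE options:
    'ProcessError' stops at the dead store; 'TreatAsNotFound' skips to the next one."""
    for store in stores:
        try:
            result = store.authenticate(user, pw)
        except ConnectionError:
            if on_unreachable == "ProcessError":
                return ("ProcessError", store.name)
            continue                                 # treat as not found, keep walking
        if result == "UserNotFound":
            continue                                 # not in this store, try the next
        return (result, store.name)                  # Success or Failed ends the walk
    return ("UserNotFound", None)


def build_stores(ad_reachable: bool):
    """Constructed sample: domain users live in AD; one break-glass admin is mirrored locally."""
    ad = IdentityStore("AD", {"alice": "Winter2024!"}, reachable=ad_reachable)
    internal = IdentityStore("Internal Users", {"svc-admin": "L0cal-0nly!"})
    return ad, internal


if __name__ == "__main__":
    ad, internal = build_stores(ad_reachable=False)
    for mode in ("ProcessError", "TreatAsNotFound"):
        for u, p in (("alice", "Winter2024!"), ("svc-admin", "L0cal-0nly!")):
            print(mode, u, evaluate_sequence([ad, internal], u, p, mode))
    # Placing Internal Users first keeps the local admin working even in ProcessError mode
    print("reordered", evaluate_sequence([internal, ad], "svc-admin", "L0cal-0nly!"))
```

With AD down and the default ProcessError behaviour, even the mirrored local admin never reaches the internal store when AD is listed first; either reorder the sequence or switch the unreachable-store option, and note that with TreatAsNotFound a domain-only user then ends as UserNotFound rather than ProcessError, which your authentication policy must handle.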

@ahmedaburaihan is it a likely scenario where all ISE nodes are up but all the AD Domain Controllers are inaccessible? AD DCs are critical infrastructure, which is usually designed to be completely resilient.

You could use EAP-TLS for authentication, then there is no reliance on AD, unless you perform AD lookups to determine group membership, in which case you need to ensure AD is as resilient as ISE is.

@Rob Ingram I took a worst-case scenario into consideration. I agree that you could use EAP-TLS, but what if the user comes from different machines at different times? It would also not be scalable.

@ahmedaburaihan you mean if the user logs into another computer they have not used before and does not have a user certificate? In that scenario you could just authenticate using computer authentication, as the computer should always have a certificate (assuming GPOs are set up correctly).

AD is tightly integrated with other server resources, so in the scenario where AD is down, even if the computers/users are authenticated by ISE (by whatever authentication method), it is likely the users would have problems accessing those resources anyway.

In short, make AD as resilient as ISE (and DNS).

@Rob Ingram Right, it could be done. But in cases where AD is not so tightly used, it is an option to integrate AD with ISE for authentication of users, and in case AD is not reachable or the user/group is disabled, we can have the same set of users/groups in ISE. This can help. In some scenarios using certificates also does not scale very well, for example where the same computer is used by two different users who have different access rights. How would you deal with that?

@ahmedaburaihan if you are assigning a TrustSec SGT or a DACL to restrict user access to the network upon user authorisation, then just using computer authentication won't help, as there would be no way to differentiate between the different logged-in users. If you are merely authenticating users/computers to the network and then relying on the users' rights when accessing the applications, then computer authentication would suffice.

How would you synchronise the user accounts from AD to the ISE database? I think managing another user datastore (ISE) for authentication in case AD goes down is impractical; it will create unnecessary complexity and be harder to manage.

@Rob Ingram 
How would you synchronise the user accounts from AD to the ISE database? I think managing another user datastore (ISE) for authentication in case AD goes down is impractical; it will create unnecessary complexity and be harder to manage.
Any other alternative??? For example, in cases where you are intending to log in to DNAC with users inside AD, using Auth_Profiles you could assign an AV_PAIR, get it in DNAC and assign the role. But what if the AD user cannot access due to a problem in AD? Here is where a local user database is needed in ISE, which is impractical. I am highlighting the same point: what else could be done?

Marvin Rhoads
Hall of Fame

Typically the plan for such a scenario is to use Critical Auth VLANs. The thinking is, as some have already noted, that ISE and AD can both be unavailable and users will still be granted network access. As soon as ISE and AD are back online, the authentication will be available once again and endpoints will be properly authorized.

@Marvin Rhoads in situations where you have to set AuthZ policies and AD roles (AD+DNAC), auth VLANs won't work. If you say so, I would be glad if you could give an example.