ISE Multi Tenancy

axeleratorcisco (Level 1)

Is ISE 3.0 at the current time ready to authenticate users via EAP from multiple AD domains, each with their own different PKIs?

I have read some threads saying that it is certainly possible; on the other hand, I see some older threads which state that ISE will generate an error and that it is only possible if you separate each customer onto a dedicated PSN node in the cluster.

https://community.cisco.com/t5/network-access-control/ise-two-end-user-certificates/td-p/3529859

"When I try and bind the CSR's from the second CA, the ISE tells me that I can only have one system cert used for EAP and the existing one will be replaced."

AND

"ISE supports only one single system certificate per ISE node used for the EAP server".


Accepted Solutions

Greg Gibbs (Cisco Employee)

All current available versions of ISE (including the recent 3.2) only support a single EAP certificate per node. You would need to either distribute the CA root chain that signed the ISE EAP certificate to all of the client Trusted CA stores or use separate PSNs that each use an EAP certificate that is trusted by the clients.

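To make Greg's point concrete, here is an added example (constructed for this edit, not from the thread or from Cisco): two hypothetical customer PKIs and a single EAP server certificate on the PSN. A supplicant that trusts only its own customer's root rejects the PSN's EAP certificate when that certificate was issued by the other customer's CA; adding the issuing root to the client trust store is what makes the same certificate validate. It needs only the openssl CLI; all names (customerA, customerB, psn1.example.net) are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): two constructed customer
# PKIs and one PSN EAP server certificate. A supplicant trusting only its own
# customer's root rejects the PSN's EAP certificate signed by the other
# customer's CA; distributing the signing root to the client trust store is
# what makes it pass. Requires openssl 1.1.1 or later. Names are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: self-signed root CA standing in for one customer's PKI
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1 Root CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_eap_cert CA_NAME: the one EAP server certificate bound on the PSN,
# signed by the named customer CA
issue_eap_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=psn1.example.net" \
        -keyout "$WORK/psn1.key" -out "$WORK/psn1.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/psn1.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/psn1.pem" >/dev/null 2>&1
}

# verdict TRUSTSTORE: what a supplicant holding that trust store would do with
# the PSN's EAP server certificate; prints ACCEPT or REJECT
verdict() {
    if openssl verify -CAfile "$1" "$WORK/psn1.pem" >/dev/null 2>&1; then
        echo ACCEPT
    else
        echo REJECT
    fi
}

make_root customerA
make_root customerB
issue_eap_cert customerA   # the PSN's single EAP cert comes from customer A's PKI

# Customer B's clients with the fix applied: their trust store also carries
# customer A's root (the chain that signed the PSN's EAP certificate).
cat "$WORK/customerB.pem" "$WORK/customerA.pem" > "$WORK/customerB-plus-A.pem"

echo "Customer A client (trusts A root):           $(verdict "$WORK/customerA.pem")"
echo "Customer B client (trusts B root only):      $(verdict "$WORK/customerB.pem")"
echo "Customer B client (A root distributed too):  $(verdict "$WORK/customerB-plus-A.pem")"
```

The middle line is the failure the older threads describe: customer B's supplicants see a server certificate chaining to a root they do not hold, so the EAP tunnel never comes up. Either that root gets pushed into customer B's trust stores, or customer B is pointed at a different PSN whose EAP certificate was issued by a CA they already trust.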

Charlie Moreton (Cisco Employee)

ISE is not meant for Multi-Tenancy.  Certificates are not the only consideration, either.  Management and access can also create issues.

If you're looking at just joining multiple domains within one agency (acquisitions, DBA, etc.), then you can do that. ISE can only act as an intermediate CA for the domain in which it has a bound certificate (at this point you can only have 1). Though, you CAN authenticate certificates from different domains.

You need a domain identifier to do this; whether it's a full domain credential such as user@domain.com or DOMAIN\user is to be determined between you and the AD team.

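The domain identifier Charlie describes matters because the same account name can exist in every joined domain. The following is an added example (written for this edit, not from the thread and not Cisco's ISE code) that models the routing decision: each presented identity is normalised to (domain, user) from a UPN, a DOMAIN\user string, or the subject DN of an EAP-TLS client certificate, then routed to the join point for that domain. Join-point names, domains and users are hypothetical; a bare username with no domain identifier is rejected rather than guessed.

```python
"""Added example, not from the thread or from Cisco's ISE: normalising the
identity presented in an EAP exchange to (domain, user) so it can be routed to
the right AD join point. Join points, domains and users are hypothetical."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical AD join points, keyed by DNS domain name.
JOIN_POINTS = {
    "corp.example.com": "AD-CORP",
    "acquired.example.net": "AD-ACQUIRED",
}
# NetBIOS (pre-Windows 2000) domain names as they appear in DOMAIN\user.
NETBIOS_TO_DNS = {
    "CORP": "corp.example.com",
    "ACQUIRED": "acquired.example.net",
}

_CN = re.compile(r"^CN=([^,]+)", re.IGNORECASE)
_DC = re.compile(r"(?:^|,)\s*DC=([^,]+)", re.IGNORECASE)


class AmbiguousIdentity(ValueError):
    """No domain identifier present; with several joined domains this cannot be routed."""


class UnknownDomain(ValueError):
    """Domain identifier present but no join point exists for it."""


@dataclass(frozen=True)
class Identity:
    domain: str  # DNS domain, lower-case
    user: str    # account name exactly as presented
    form: str    # "upn", "netbios" or "subject-dn"


def parse_identity(raw: str) -> Identity:
    """Accept user@domain, DOMAIN\\user, or an X.500 subject DN carrying DC
    components (the form an EAP-TLS client certificate subject is often built from)."""
    raw = raw.strip()
    if not raw:
        raise AmbiguousIdentity("empty identity")

    if raw.upper().startswith("CN="):
        m = _CN.match(raw)
        dcs = _DC.findall(raw)
        if m is None or not dcs:
            raise AmbiguousIdentity(f"subject DN lacks CN or DC components: {raw}")
        return Identity(".".join(dcs).lower(), m.group(1), "subject-dn")

    if "\\" in raw:
        netbios, _, user = raw.partition("\\")
        dns = NETBIOS_TO_DNS.get(netbios.upper())
        if dns is None:
            raise UnknownDomain(netbios)
        if not user:
            raise AmbiguousIdentity(f"no user after domain: {raw}")
        return Identity(dns, user, "netbios")

    if "@" in raw:
        user, _, domain = raw.rpartition("@")
        if not user or not domain:
            raise AmbiguousIdentity(f"malformed UPN: {raw}")
        return Identity(domain.lower(), user, "upn")

    # Bare username: with more than one joined domain there is no safe default.
    raise AmbiguousIdentity(f"no domain identifier in {raw!r}")


def route(raw: str) -> str:
    """Return the join point that should authenticate this identity."""
    ident = parse_identity(raw)
    try:
        return JOIN_POINTS[ident.domain]
    except KeyError:
        raise UnknownDomain(ident.domain) from None


def route_all(identities: list[str]) -> dict[str, str]:
    """Route a batch; failures are recorded as 'REJECT: <reason>' instead of raising."""
    out: dict[str, str] = {}
    for raw in identities:
        try:
            out[raw] = route(raw)
        except (AmbiguousIdentity, UnknownDomain) as exc:
            out[raw] = f"REJECT: {type(exc).__name__}: {exc}"
    return out


if __name__ == "__main__":
    # Constructed sample: the account name 'jdoe' exists in both domains.
    SAMPLE = [
        "jdoe@corp.example.com",
        r"ACQUIRED\jdoe",
        "CN=jdoe,OU=Users,DC=acquired,DC=example,DC=net",
        "jdoe",                      # bare: ambiguous between the two domains
        "jdoe@partner.example.org",  # domain identifier present, but not joined
    ]
    for raw, result in route_all(SAMPLE).items():
        print(f"{raw:48} -> {result}")
```

The two "jdoe" entries that carry a domain identifier land on different join points; the bare "jdoe" is the case Charlie is warning about, since nothing in the identity says which domain's account it is. This is only a model of the decision; ISE makes it through its own identity handling against the AD join points configured on the node.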

5 Replies


Hi Greg, thanks for the reply. Just for my understanding and confirmation:

Do I understand it correctly that in a 2-PSN-node cluster, the maximum number of customers I can serve with EAP client authentication is 2?

Customer 1 will always be pointing to PSN node 1, and customer 2 will be pointing to PSN node 2? Thus each of these customers will have no redundancy?

Or I could serve 1 customer, where the clients of customer 1 are pointing to both PSN nodes, thus having redundancy?


@Charlie Moreton Evening Charlie, out of interest, if you had a customer with a federated Azure AD environment, I assume you could use this to support multi-tenant requirements? I.e. Azure AD is added as an identity store within ISE and referenced in the AuthC policies.

Admittedly root and intermediate certificates may take some planning, but it would mitigate the need to join multiple PSNs to different AD forests/domains?


Azure AD != AD.  You cannot "join" ISE to Azure AD.  Azure AD is supported using EAP-TTLS for user authentication only.  Also in ISE 3.2 EAP-TLS can be used for authc and Azure AD (group membership, etc.) can be used for authz.
