Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3456
Views
7
Helpful
6
Replies

ISE Policy Server and Active Directory Behaviour

Go to solution
alex.duckworth
Level 1
Level 1

‎11-17-2016 09:42 PM - edited ‎03-11-2019 12:14 AM

Hi all,

I am working on a design for ISE and was wondering if anyone can help me with this:

If I have 2 ISE policy servers, one Active Directory domain joined (server A), the other not domain joined (server B), what is the behaviour if the RADIUS requests sent to server B require AD authentication?  Does ISE pass this across to server A automatically or does authentication just fail?

Thanks in advance!

Alex

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎11-18-2016 02:12 AM

Hi Alex,

ISE can query other not joined domain and authenticate users.

We need to ensure that domain A and B should have 2-way transitive trust between them.

Regards

Gagan

ps : rate as correct  if it helps!!!!

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to alex.duckworth

‎11-18-2016 03:46 PM

Ah OK - you're right - one CAN elect not to join an individual ISE node to AD. I've never done a deployment like that but I've only done a couple dozen. :)

If you have, for instance, a Guest wireless network with DMZ-based controllers, you have a couple of options.

The recommended solution is to allow the Guest clients access from their DMZ network in to tcp/8443 (for Central Web Auth) only to the internal network PSN-based ISE portal something like this:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

You also have the option of making the PSN dual-homed - an end user-facing interface in the DMZ and an AD-facing interface on the internal network.

In both of those alternatives, the PSN is joined to AD.

I don't believe a PSN can authenticate a user to an AD identity store if the PSN is not joined to AD. I could imagine a scenario where the DMZ-based PSN only ever needed to authenticate guests but anybody trying to use internal AD credentials would then be required to get a separate Guest-only account. In that case, that PSN would only be able to process Authentications not requiring AD authentication. It would be pretty messy operationally and not a recommended deployment even if you could wrestle it into working.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎11-18-2016 02:12 AM

Hi Alex,

ISE can query other not joined domain and authenticate users.

We need to ensure that domain A and B should have 2-way transitive trust between them.

Regards

Gagan

ps : rate as correct  if it helps!!!!

Go to solution
alex.duckworth
Level 1
Level 1

‎11-18-2016 01:23 PM

Sorry, I may have not been clear.  There is no second domain.  Ideally in a perfect world ISE server B would be joined to the same Active Directory.  Since ISE server A is the only server that is domain joined and in theory the only ISE server available that can authenticate users for the domain, if a RADIUS request came to ISE server B requesting domain auth, what happens?  Would I get an Access-Reject, does it proxy it to ISE server A, does some other backend ISE request happen so that the request can be authenticated?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to alex.duckworth

‎11-18-2016 01:41 PM

Alex,

Your ISE deployment as a whole is joined to the domain. You don't join individual ISE servers (also known as nodes) one at a time to your AD domain(s) - you join the deployment to it, including all of the nodes.

The join is done from the PAN but it applies to all member servers in the ISE deployment. Authentication requests are originated from PSNs. Those PSN personas can be on the same node(s) as the primary/secondary PAN (small single of dual server deployment) or they can be distributed across many server nodes (up to 50 PSNs serving 500,000 endpoints on a full blown distributed deployment).

Please refer to Craig Hyps' presentation "BRKSEC-3699 - Designing ISE for Scale & High Availability (2016 Las Vegas)" located here:

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=90923

Go to solution
alex.duckworth
Level 1
Level 1
In response to Marvin Rhoads

‎11-18-2016 02:02 PM

Hi Marvin,

The web interface allows me to select which nodes I join to the Active Directory (or I can join all of them), and I know from my lab of two PANs, both are joined to the domain and have a computer object each in AD.  I understand there is a single join point for the deployment, but individual nodes may or may not be joined to the domain.

The context is, I may have to place a PSN in a DMZ where it cannot be joined to the domain.

Thanks,

Alex

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to alex.duckworth

‎11-18-2016 03:46 PM

Ah OK - you're right - one CAN elect not to join an individual ISE node to AD. I've never done a deployment like that but I've only done a couple dozen. :)

If you have, for instance, a Guest wireless network with DMZ-based controllers, you have a couple of options.

The recommended solution is to allow the Guest clients access from their DMZ network in to tcp/8443 (for Central Web Auth) only to the internal network PSN-based ISE portal something like this:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

You also have the option of making the PSN dual-homed - an end user-facing interface in the DMZ and an AD-facing interface on the internal network.

In both of those alternatives, the PSN is joined to AD.

I don't believe a PSN can authenticate a user to an AD identity store if the PSN is not joined to AD. I could imagine a scenario where the DMZ-based PSN only ever needed to authenticate guests but anybody trying to use internal AD credentials would then be required to get a separate Guest-only account. In that case, that PSN would only be able to process Authentications not requiring AD authentication. It would be pretty messy operationally and not a recommended deployment even if you could wrestle it into working.

0 Helpful

Go to solution
alex.duckworth
Level 1
Level 1
In response to Marvin Rhoads

‎11-20-2016 08:29 PM

I tested this earlier today.  In the logs:

22072 Selected identity source sequence - AD1_Local
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory - AD1
24325 Resolving identity - testuser
24313 Search for matching accounts at join point - ad1.testdomain
24366 Skipping unjoined domain - ad1.testdomain
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - AD1
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - testuser
24216 The user is not found in the internal users identity store
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)

So essentially confirming what you said Marvin with regards to the PSN being unable to authenticate users to that AD identity store.

Thanks for your assistance Marvin and Gagan. :)

Alex

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents