08-31-2023 04:33 AM
Hello, Cisco Community!
Connected Plant-wide Ethernet Architecture (Industry 4.0), as referenced, suggests that Identity Services (ISE) should be held at Level 3 (Site Operations) of the design, with Enterprise-based Identity Services remaining outside of the IDMZ, isolated within Enterprise space. Is there a use case where Identity Services are shared? Assuming that the Identity deployment can be optimised and fashioned in a way that endpoints / supplicants are able to support Microsoft PKI (as an example). Or would you, as the design suggests, keep identity services separate in most scenarios?
Thanks in advance.
08-31-2023 10:10 AM
Since no reference was provided, I found the Cisco Validated Designs for Digital Manufacturing > Industrial Automation design guide > Cell/Area Zone Ring Topologies with the image Figure 13 Industrial Automation Network Model and IACS Reference Architecture showing the AAA/ISE server in Industrial Zone Level 3:
> Is there a use case, where Identity Services are shared?
Definitely. Many customers like to have a centralized policy for simplicity when managing all access control scenarios across manufacturing and other corporate sites, organizations, departments, etc.
> endpoints / supplicants are able to support Microsoft PKI
"Microsoft PKI" is a generic term and I don't know if this means Active Directory or Azure or something else. You can see "Domain Controller" sitting next to ISE which would be your AD so ... Yes.