gtilburg
Cisco Employee

Regex in Authc Policy or Relying on AD trust

hi,

Our customer has multiple AD domains with a 2-way trust between them. They have joined the ISE servers in domain1 and rely on the trust to authenticate users in domain2.

They are concerned about the performance impact of relying on the trust, as 50% of the requests are for domain2.

We see 2 options:

1. Regex:
The user accounts of domain1 have a specific format (ab12345). So we could match on this using a regex and point to AD domain1 which would be configured not to authenticate any other domains.

In case there is no match, we would point to AD domain2 which also is not configured to authenticate any other domain.

The main concern we have is the performance impact on ISE of analyzing regular expressions for 5k users.

2. Rely on AD Trust

The ISE servers would join only domain1 and rely on the trust to authenticate domain2.

The main concern is performance impact on AD and delay in response.

Which of both (or any other suggestions) would be recommended?

Regards

Gert

Accepted Solutions
hslai
Cisco Employee

I have not heard any performance concern in using Regex in authentication policy rules. In case of using tunnel protocols, such as PEAP, TTLS, or EAP-FAST, we need to make sure the outer and inner identities are the same as the Regex is most likely matching the outer ones.

Using domain trusts should be ok as well, as 5K is not a huge number. I would suggest reviewing the authorization policy rules to avoid unnecessary AD lookups.

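The following is an added illustration, not code from either post or from ISE itself: it simulates the regex-based routing from option 1 (domain1 accounts in the "ab12345" form go to the domain1 join, everything else to domain2) and shows the caveat in the accepted answer, namely that the authentication policy evaluates the outer identity, so a tunneled PEAP/TTLS/EAP-FAST request whose outer identity differs from the inner one is routed to the wrong domain. The source names, the case-insensitive match and the DOMAIN\user / user@realm stripping are assumptions.

```python
import re

# Assumed account-name pattern for domain1 (the "ab12345" format from the post):
# two letters followed by five digits. Case-insensitive match is an assumption.
DOMAIN1_ACCOUNT = re.compile(r"^[a-z]{2}\d{5}$", re.IGNORECASE)


def bare_username(identity: str) -> str:
    """Strip DOMAIN\\user and user@realm decorations so the regex sees only the account part."""
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    if "@" in identity:
        identity = identity.split("@", 1)[0]
    return identity


def select_identity_source(identity: str) -> str:
    """Authentication-policy style decision: regex match on the identity picks the AD join.
    No match falls through to the domain2 join (the 'else' rule from option 1)."""
    if DOMAIN1_ACCOUNT.match(bare_username(identity)):
        return "AD_domain1"
    return "AD_domain2"


def check_tunneled_request(outer_identity: str, inner_identity: str) -> dict:
    """Simulate a tunneled EAP request where the policy only ever sees the outer identity.
    Reports the source that was chosen and whether the inner (real) identity would have
    led to the same choice; a mismatch is the misrouting the accepted answer warns about."""
    chosen = select_identity_source(outer_identity)
    expected = select_identity_source(inner_identity)
    return {
        "source": chosen,
        "consistent": chosen == expected,
        "reason": None if chosen == expected
        else "outer identity differs from inner identity; regex routed to the wrong domain",
    }


if __name__ == "__main__":
    # Constructed sample requests: plain, domain-prefixed, UPN and an anonymised outer identity.
    for outer, inner in [("ab12345", "ab12345"), ("DOMAIN2\\jsmith", "DOMAIN2\\jsmith"),
                         ("anonymous@domain1.example", "ab12345")]:
        print(outer, "->", check_tunneled_request(outer, inner))
```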
