Regex in Authc Policy or Relying on AD trust

gtilburg
Cisco Employee

hi,

Our customer has multiple AD domains with a 2-way trust between them. They have joined the ISE servers to domain1 and rely on the trust to authenticate users in domain2.

They are concerned about the performance impact of relying on the trust, as 50% of the requests are for domain2.

We see 2 options:

1. Regex:
The user accounts of domain1 have a specific format (ab12345). So we could match on this using a regex and point to AD domain1 which would be configured not to authenticate any other domains.

In case there is no match, we would point to AD domain2 which also is not configured to authenticate any other domain.

The main concern we have is the performance impact on ISE of analyzing regular expressions for 5k users.

2. Rely on AD Trust

The ISE servers would join only domain1 and rely on the trust to authenticate domain2.

The main concern is performance impact on AD and delay in response.

Which of the two (or any other suggestions) would be recommended?

Regards

Gert

Accepted Solution

hslai
Cisco Employee

I have not heard any performance concern in using Regex in authentication policy rules. In case of using tunnel protocols, such as PEAP, TTLS, or EAP-FAST, we need to make sure the outer and inner identities are the same as the Regex is most likely matching the outer ones.

Using domain trusts should be ok as well, as 5K is not a huge number. I would suggest reviewing the authorization policy rules to avoid unnecessary AD lookups.

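An added illustration (not code from the thread or from ISE itself) of the regex routing proposed in option 1 and of the outer/inner identity caveat hslai raises: the account pattern is assumed from the "ab12345" example, and the store names and sample identities are constructed.

```python
import re

# Assumed pattern for domain1 accounts, built from the "ab12345" example in the
# question: two letters followed by five digits. Store names are assumed too.
DOMAIN1_USER_RE = re.compile(r"^[A-Za-z]{2}[0-9]{5}$")
DOMAIN1_STORE, DOMAIN2_STORE = "AD_Domain1", "AD_Domain2"


def bare_username(identity: str) -> str:
    """Reduce DOM\\user or user@realm to the plain account name before matching,
    so the regex tests the account name however the supplicant formats it."""
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    if "@" in identity:
        identity = identity.split("@", 1)[0]
    return identity


def select_store(identity: str) -> str:
    """The proposed policy: regex match -> domain1 store, no match -> domain2 store.
    As hslai notes, for tunnelled EAP methods (PEAP, EAP-TTLS, EAP-FAST) the
    identity the policy most likely sees is the outer identity."""
    if DOMAIN1_USER_RE.match(bare_username(identity)):
        return DOMAIN1_STORE
    return DOMAIN2_STORE


def audit_request(outer_identity: str, inner_identity: str) -> dict:
    """Compare the store chosen from the outer identity with the store the inner
    (real) identity belongs to. A mismatch means the request goes to a store
    that, as configured in the question, will not authenticate that user."""
    chosen = select_store(outer_identity)
    needed = select_store(inner_identity)
    return {"outer": outer_identity, "inner": inner_identity,
            "chosen_store": chosen, "misrouted": chosen != needed}


# Constructed sample requests: (outer identity, inner identity).
SAMPLE_REQUESTS = [
    ("ab12345", "ab12345"),                    # identities match, domain1 user
    ("DOMAIN1\\cd67890", "cd67890"),           # NetBIOS-prefixed, domain1 user
    ("jsmith@domain2.example", "jsmith"),      # domain2 user, correctly no match
    ("anonymous", "ef11111"),                  # anonymous outer identity
    ("anonymous@domain1.example", "gh22222"),  # anonymous outer identity
]


def misrouted_requests() -> list:
    """Return the sample requests whose outer-identity routing picks the wrong store."""
    return [r for r in (audit_request(o, i) for o, i in SAMPLE_REQUESTS) if r["misrouted"]]
```

The two misrouted samples are the case the answer warns about: when the supplicant sends an anonymous outer identity, the regex never sees the real account name and the request lands in a store that cannot authenticate it.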

