SDA/ISE - Authentication/Authorisation/Profiling

ruvaugha@cisco.com
Cisco Employee

Hi All,

We have an opportunity where SDA currently looks to be a perfect fit for my customers needs.  However, I want to clarify a couple of things, before we venture further with the conversations, and I have been advised to query the ISE community versus SDA.  Would you be able to provide some insights on the below please?

  1. SDA for Multi-Tenancy:  This is a single management domain, but with multiple tenants deployed upon the fabric.  How would wired/wireless users be authenticated against different authentication directories?  For example, we would have ISE in place, but each tenant may have their own unique authentication directory.  Would this be supported?

  2. Following on from the above, assuming we support the multiple authentication directories, how would we assign a port to the correct VN?  I assume, use automated authentication to set port characteristics?  Same from a wireless perspective, ensure that hosts are in the correct SSID for on-boarding, and allocation to correct VN etc?

  3. IoT devices:  With ISE 2.4 I believe we are delivering greater IoT discovery mechanisms, from a profiling perspective.  Where can I find greater detail around this for an SDA/IOT model?  They are using Raspberry Pi's and multiple other more industrial platforms from the broader IoT ecosystem (this is an IOT Centre of Excellence in Munich).

Many thanks,

Russell

1 Accepted Solution


1) ISE can authenticate users and devices through local and direct integration with its own ID stores or external ID stores like AD, LDAP and SQL.  ISE can additionally proxy the original RADIUS requests to a foreign RADIUS server with similar capabilities to auth to internal and external ID stores.

2) SDA/DNA-C itself is not an authenticator of users and devices, but network access devices configured for RADIUS auth will rely on external authentication systems like ISE or possibly 3rd-party.

3) ISE can do this today.  DNA-C can integrate with ISE today.  It is the specific use cases for multi-tenancy that need to be hashed out.  We do not cover roadmap in public forums.

Craig



Craig Hyps
Level 10

From an ISE perspective, each NAD would be managed by only one ISE instance (as defined by the RADIUS server target) and policy could be assigned based on port or other context for the tenant.  ISE can integrate with many different ID stores for authentication and authorization. However, ISE does not support multiple management domains within same ISE deployment.  You can also redirect auth to external RADIUS systems via proxy based on port or other RADIUS context.  Each of these external ISE or 3rd-party RADIUS servers can integrate with multiple id stores.  The selection of local or proxied targets is based on RADIUS context such as the username or outer identity and optional domain information included with endpoint identity (think jsmith@domain-x.com or DOMAIN-X\jsmith versus simply 'jsmith').

SDA (more specifically DNA-C) does not currently support multiple domains connected to single ISE deployment.

ISE profiling for IoT endpoints is not specific to SDA.  SDA can help automate the switch configurations to optimize collection via Device Sensor, but ISE currently provides all of the classification logic.  In ISE 2.4, we have extended profiling to consume endpoint data over pxGrid.  For example, the Cisco Industrial Network Director (IND) has added a publisher to update ISE with detailed info on manufacturing endpoints.  Also, an expanded Automation and Control library has been published to community here: https://communities.cisco.com/tags/ise-endpoint-profile
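Added example (not from this thread or from ISE itself): a small Python model of the identity-based target selection described above, where the domain portion of the RADIUS User-Name (UPN realm, NetBIOS down-level prefix, or none) decides between a locally joined ID store and a proxied RADIUS server. The tenant names, target labels and the fail-closed handling of unknown domains are assumptions for illustration.

```python
from typing import Optional, Tuple

# Constructed tenant table (hypothetical names): the domain carried in the RADIUS
# User-Name maps to either an ID store ISE joins directly or a foreign RADIUS proxy.
TENANT_TARGETS = {
    "domain-x.com": "proxy:radius-tenant-x.example",  # proxied to tenant X's RADIUS
    "domain-y.com": "local:AD-TENANT-Y",              # ISE joined to tenant Y's AD
}
# NetBIOS (down-level) names seen in DOMAIN\user identities, mapped to DNS domains.
NETBIOS_TO_DNS = {"DOMAIN-X": "domain-x.com", "DOMAIN-Y": "domain-y.com"}
DEFAULT_TARGET = "local:INTERNAL-USERS"  # used only for bare usernames with no domain


def split_identity(user_name: str) -> Tuple[Optional[str], str]:
    """Return (dns_domain or None, user) for UPN, down-level, or bare identities."""
    if "\\" in user_name:                      # DOMAIN-X\jsmith (NetBIOS down-level)
        nb, user = user_name.split("\\", 1)
        # Unknown NetBIOS names pass through lowercased so they miss the tenant table.
        return NETBIOS_TO_DNS.get(nb.upper(), nb.lower()), user
    if "@" in user_name:                       # jsmith@domain-x.com or EAP outer
        user, realm = user_name.rsplit("@", 1)  # identity such as anonymous@realm
        return realm.lower(), user
    return None, user_name                     # plain 'jsmith', no domain context


def select_target(user_name: str) -> str:
    """Choose the auth target from the domain context in the identity."""
    domain, _user = split_identity(user_name)
    if domain is None:
        return DEFAULT_TARGET
    # An identity claiming a domain no tenant owns is rejected rather than
    # silently falling back to the default store.
    return TENANT_TARGETS.get(domain, "reject:unknown-domain")
```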

Hi Craig,

Thanks for coming back to me on this.  Just to be 100% clear that I am understanding the current status:

1) ISE *CAN* act as a RADIUS proxy to multiple back-end authentication platforms i.e. Active Directory, and would use context such as Username and domain information to select which back-end to authenticate against.  Is my understanding here correct?

2) SDA (DNA-C) does NOT support the capability today to have multiple authentication domains in this fashion.  Again, is my understanding here correct?

3) If my understanding of 1 and 2 is correct, do you know of any plans to enable this for SDA/DNA-C?

Many thanks,

Russell
