12-04-2012 06:51 AM - edited 02-21-2020 04:47 AM
All,
I have a customer who wants to integrate ISE with two separate Windows Domains; they have no trust relationship. We can integrate with one of the domains and can make use of LDAP for the other, but can only get Machine Authentication working with the domain with the full integration. Machine authentication will not work with LDAP, only user authentication. The problem is the config of the switches places the client in the guest network as they fail machine auth, and then client auth is not recognised by the switch. I'm thinking about either not going direct to MAB if a user fails machine auth or disabling guest altogether, as the problem is a guest with a dot1x supplicant is not given guest access in a timely manner without this command. Another option I have thought about is to use the RADIUS token external identity store to talk to a Cisco ACS server attached to the other domain.
Any help would be greatly appreciated
Thanks
Simon
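The two switch-side choices the question weighs (letting a failed 802.1X attempt fall through to MAB, or holding it so a domain PC is not treated as a guest) are set on the access port, not in ISE. The block below is an added example for comparison and is not configuration from the thread or from Cisco documentation; the interface name and VLAN numbers are assumptions, and the 802.1X failure option is shown commented out so either behaviour can be chosen.

```cisco
! Added example (not from the thread). Interface and VLAN ids are placeholders.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 ! Try 802.1X first; MAB is only the next method in the order
 authentication order dot1x mab
 authentication priority dot1x mab
 !
 ! Option A ("not going direct to MAB"): leave the default fail behaviour, i.e.
 ! do NOT configure a fail action. A supplicant that fails machine auth stays
 ! unauthorized and 802.1X retries, so it is never evaluated by the MAB policy
 ! that places failed machines in the guest network.
 !
 ! Option B: on an 802.1X failure move to MAB. ISE's MAB policy then decides,
 ! which is how a domain PC with a failed machine auth ends up as a guest.
 ! authentication event fail action next-method
 !
 ! Option C: put 802.1X failures in a dedicated restricted VLAN rather than
 ! letting them reach the guest policy at all.
 ! authentication event fail action authorize vlan 888
 !
 ! Guest VLAN only for endpoints with no supplicant at all (no EAPOL reply)
 authentication event no-response action authorize vlan 999
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
```

After changing the fail action, `show authentication sessions interface GigabitEthernet1/0/1` shows which method (dot1x or mab) authorized the session and into which VLAN, which is the quickest way to confirm a domain machine is no longer being classed as a guest.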
12-05-2012 12:23 PM
When you use LDAP for AD authentication, you are limited to using EAP-TLS (certificates) or EAP-GTC (plain text passwords), so if you are at all concerned about security you will use EAP-TLS.
12-05-2012 12:24 PM
Here's the list of which methods are supported when using different kinds of user databases:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1053140