Cisco Cisco Identity Services Engine 1.3
• All_AD_Instances is a built-in pseudo scope that is not shown in the Active Directory configuration. It is only visible as
an authentication result in policy and identity sequences. You can select this scope if you want to select all Active Directory
join points configured in Cisco ISE.
join points configured in Cisco ISE.
Scopes and Join Points in Identity Source Sequences and Authentication Policy
Cisco ISE allows you to define multiple Active Directory join points, where each join point represents a connection to a different
Active Directory domain. Each join point can be used in authentication and authorization policies and in identity sequences, as a
separate identity store. Join points can be grouped to form a scope that you can use in authentication policy, as authentication results,
and in identity source sequences.
Active Directory domain. Each join point can be used in authentication and authorization policies and in identity sequences, as a
separate identity store. Join points can be grouped to form a scope that you can use in authentication policy, as authentication results,
and in identity source sequences.
You can select individual join points as the result of authentication policy or identity source sequences, when you want to treat each
join point as a completely independent group of policy. For example, in a multi-tenant scenario, where the Cisco ISE deployment
supports independent groups with their own network devices, network device groups can be used for selection of the Active Directory
domain.
join point as a completely independent group of policy. For example, in a multi-tenant scenario, where the Cisco ISE deployment
supports independent groups with their own network devices, network device groups can be used for selection of the Active Directory
domain.
However, if Active Directory domains are regarded as part of the same enterprise without any trust between the domains, you can
use scopes to join multiple disconnected Active Directory domains and create a common authentication policy. You can thus avoid
the need for every join point represented by a different identity store to be defined in the authentication policy and to provide duplicate
rules for each domain. The actual join point that is used is included in the authentication identity store for use in the authorization
policy.
use scopes to join multiple disconnected Active Directory domains and create a common authentication policy. You can thus avoid
the need for every join point represented by a different identity store to be defined in the authentication policy and to provide duplicate
rules for each domain. The actual join point that is used is included in the authentication identity store for use in the authorization
policy.
Identity ambiguity occurs when there are multiple identities in multiple domains, where the username is same. For example, if a
username without any domain markup is not unique and Cisco ISE is configured to use a passwordless protocol such as EAP-TLS,
there are no other criteria to locate the right user, so Cisco ISE fails the authentication with an ambiguous identity error. If you
encounter such ambiguous identities, you can use specific scopes or join points in authentication policy rules or use identity source
sequences. For example, you can direct users of specific network device groups to use a specific Active Directory scope or even a
single join point, to limit the search scope. Similarly, you can create a rule as follows: if the identity ends with @some.domain, use
a specific Active Directory join point. This helps to direct authentications to the right join point.
username without any domain markup is not unique and Cisco ISE is configured to use a passwordless protocol such as EAP-TLS,
there are no other criteria to locate the right user, so Cisco ISE fails the authentication with an ambiguous identity error. If you
encounter such ambiguous identities, you can use specific scopes or join points in authentication policy rules or use identity source
sequences. For example, you can direct users of specific network device groups to use a specific Active Directory scope or even a
single join point, to limit the search scope. Similarly, you can create a rule as follows: if the identity ends with @some.domain, use
a specific Active Directory join point. This helps to direct authentications to the right join point.
Create a New Scope to Add Active Directory Join Points
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click Scope Mode.
A default scope called Initial_Scope is created, and all the current join points are placed under this scope.
A default scope called Initial_Scope is created, and all the current join points are placed under this scope.
Step 3
To create more scopes, click Add.
Step 4
Enter a name and a description for the new scope.
Step 5
Click Submit.
Read-Only Domain Controllers
The following operations are supported on read-only domain controllers:
• Kerberos user authentication
12