Cisco Cisco Identity Services Engine 1.3
Revised: August 5, 2016,
Active Directory Configuration in Cisco ISE 1.3
Active Directory Key Features in Cisco ISE 1.3
The following are some of the key features of Active Directory in Cisco ISE 1.3:
Multi-Join Support
Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins. Cisco ISE can
connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory
multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies
for each join.
connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory
multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies
for each join.
Authentication Domains
When Cisco ISE is joined to an Active Directory domain, it will automatically discover the join point's trusted domains. However,
not all domains may be relevant to Cisco ISE for authentication and authorization. Cisco ISE allows you to select a subset of domains
from the trusted domains for authentication and authorization. This subset of domains is called authentication domains. It is
recommended to define the domains where users or machines are located that you intend to authenticate, as authentication domains.
Defining authentication domains enhances security by blocking domains thus restricting user authentications from taking place on
these domains. It also helps optimize performance because you can skip domains that are not relevant for policies and authentication
and help Cisco ISE to perform identity search operations more efficiently.
not all domains may be relevant to Cisco ISE for authentication and authorization. Cisco ISE allows you to select a subset of domains
from the trusted domains for authentication and authorization. This subset of domains is called authentication domains. It is
recommended to define the domains where users or machines are located that you intend to authenticate, as authentication domains.
Defining authentication domains enhances security by blocking domains thus restricting user authentications from taking place on
these domains. It also helps optimize performance because you can skip domains that are not relevant for policies and authentication
and help Cisco ISE to perform identity search operations more efficiently.
Identity Rewrite
This feature allows Cisco ISE to modify the username that is received from the client or a certificate, before sending it toward Active
Directory for authentication. For example, the username jdoe@amer.acme.com can be rewritten as jdoe@acme.com. Using this
feature, you can fix a username or hostname that would otherwise fail to authenticate.
Directory for authentication. For example, the username jdoe@amer.acme.com can be rewritten as jdoe@acme.com. Using this
feature, you can fix a username or hostname that would otherwise fail to authenticate.
You can also rewrite identities in certificates and process requests that come with incorrectly provisioned certificates. The same
identity rewrite rules are applicable for incoming usernames or machine names, whether they come from a non-certificate based
authentication or from within certificates.
identity rewrite rules are applicable for incoming usernames or machine names, whether they come from a non-certificate based
authentication or from within certificates.
Ambiguous Identity Resolution
If the user or machine name received by Cisco ISE is ambiguous, that is, it is not unique, it can cause problems for users when they
try to authenticate. Identity clashes occur in cases when the user does not have a domain markup, or when there are multiple identities
with the same username in more than one domain. For example, userA exists on domain1 and another userA exists on domain2. You
can use the identity resolution setting to define the scope for the resolution for such users. Cisco highly recommends you to use
qualified names such as UPN or NetBIOS. Qualified name reduces chances of ambiguity and increases performance by reducing
delays.
try to authenticate. Identity clashes occur in cases when the user does not have a domain markup, or when there are multiple identities
with the same username in more than one domain. For example, userA exists on domain1 and another userA exists on domain2. You
can use the identity resolution setting to define the scope for the resolution for such users. Cisco highly recommends you to use
qualified names such as UPN or NetBIOS. Qualified name reduces chances of ambiguity and increases performance by reducing
delays.
Group Membership Evaluation Based on Security Identifiers
ISE uses security identifiers (SIDs) for optimization of group membership evaluation. SIDs are useful for two reasons, firstly for
efficiency (speed) when the groups are evaluated, and secondly, resilience against delays if a domain is down and user is a member
of groups from that domain. When you delete a group and create a new group with same name as original, you must update SIDs to
assign new SID to the newly created group.
efficiency (speed) when the groups are evaluated, and secondly, resilience against delays if a domain is down and user is a member
of groups from that domain. When you delete a group and create a new group with same name as original, you must update SIDs to
assign new SID to the newly created group.
2