
ISE as an LDAP server

dgaikwad
Level 5

Hi All,

I have this following requirement,
Two ISE (ISE01 and ISE02) servers installed. ISE01 will act as a proxy to ISE02.
The ISE01 will query its internal endpoint database before forwarding the request to ISE02.
So, the question is that, can I use ISE02 as a LDAP server to respond to queries from ISE01?

4 Replies

Arne Bier
VIP

As far as I know, ISE doesn't operate any directory services.  Under the hood are a bunch of databases but not a directory service.

I don't quite understand the use case.

ISE can perform LDAP queries to external directories such as Active Directory or OpenLDAP.  That means that an authentication request that comes to ISE can use an External Identity Source that is reachable via LDAP.  Why would you proxy that?  You can proxy a Radius request from one ISE server to another - but the point of a proxy is that it forwards on the request to the next hop, and it doesn't do anything with the request other than to decide where to forward it next.  The final hop in the chain will process the request and then return the results back the same path from whence it came, because the Radius servers will need the Radius response (Accept/Reject).

Nadav
Level 7

Hi,
I feel as though your question needs to be better explained. For one thing, if ISE01 is authenticating against its own internal database then why would any LDAP service be necessary? LDAP is used to query external directory services, not for internal lookups.
If you meant to ask if internal users could be authenticated locally by ISE01, and if not then authenticated by ISE02 via LDAP, then the answer is no. ISE doesn't run a directory service. Also, I'm assuming ISE01 and ISE02 are within the same deployment. That means they contain the exact same user groups and endpoints, as well as the same external identity sources. So why would you want to query ISE02 for a user which is authenticating to ISE01 if they each have the same users and credentials dictated to them by the shared PAN?
If I misunderstood anything, feel free to elaborate.

USE CASE: I want to authenticate my NAS/FTP/BACKUP storage system against my ISE Server, so that me and my team "Network Team" can manage user accounts via ISE without having to get permission from the Microsoft Team to add groups / user accounts.  The NAS only supports directory services, and gives me the option to join it to the domain or point it to LDAP.
I suppose ideal situation would be a basic LDAP function, that would authenticate users against ISE or the AD system based on the "Domain" that was passed as part of the LDAP bind request.  If I send ISE\iselocalaccount  then its authenticated against ISE and returns the groups associated.  If I send it as ADDOMAIN\username then it sends the request to Microsoft for User and Group information.
ISE would only have to respond with PASS / FAIL and Group Queries to meet the use case.
Unfortunately I'm not sure I will get the NAS server to start supporting TACACS or RADIUS.

Brian S. Turner
CCIE 6145

As has been stated, ISE isn't an LDAP server. Not every tool fits the job, if your only option is to authenticate via LDAP then ISE is out of the equation.
If the reason you want to authenticate outside LDAP is because of the inconvenience of having to go through the infrastructure team, then that's something they can fix for you via delegating an OU or giving your team permissions for that OU. As of that point in time you can add groups or user accounts to that OU just fine.
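The OU delegation Brian describes, as an added PowerShell example that is not part of the thread: it creates a dedicated OU and grants a Network Team security group the right to create, delete and manage user and group objects inside that OU only, so the NAS can keep using LDAP against AD. The domain, OU name and group name ("NetworkTeam-Admins") are assumptions; it must run as an account that can modify the domain's ACLs, with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the thread): delegate one OU to the Network Team.
# Assumptions: the group 'NetworkTeam-Admins' already exists, and the OU name
# 'NAS-Accounts' is free at the domain root.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$ouName     = 'NAS-Accounts'
$ouDN       = "OU=$ouName,$domainDN"
$delegateTo = 'NetworkTeam-Admins'

# 1. Create the delegated OU (protected from accidental deletion) if missing.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Resolve the schema GUIDs of the 'user' and 'group' classes so the grant is
#    scoped to those object types only (no computers, no nested OUs, no GPO links).
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
foreach ($cls in 'user', 'group') {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$cls'" -Properties schemaIDGUID
    $classGuid[$cls] = [Guid]$obj.schemaIDGUID
}

# 3. Build the ACEs: create/delete user and group objects directly in the OU,
#    plus full control over the user/group objects that live under it.
$sid = (Get-ADGroup $delegateTo).SID
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($cls in 'user', 'group') {
    # CreateChild/DeleteChild limited to this object class, inherited by sub-OUs.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'CreateChild, DeleteChild', 'Allow', $classGuid[$cls], 'All')))
    # GenericAll on descendant objects of this class only (password reset, group membership, etc.).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'GenericAll', 'Allow', 'Descendents', $classGuid[$cls])))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: show exactly which rights the delegated group now holds on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*$delegateTo" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Because the grant is scoped by object class and confined to the OU, the Network Team can create the NAS accounts and groups it needs without receiving rights over other parts of the directory.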