Champion

Identity Awareness communication flows

Hi,

Is there anyone who has a good overview of the IA communications in different environments?

What I'm looking for is which flows (including protocol / port numbers) are there in these setups:

  • AD - Gateway - SMS
  • AD - Gateway - MDS
  • AD - multiple gateways - SMS without Identity sharing
  • AD - multiple gateways - SMS with Identity sharing
  • AD - multiple gateways - MDS without Identity sharing
  • AD - multiple gateways - MDS with Identity sharing
  • AD - multiple gateways - SMS with Identity Collector
  • AD - multiple gateways - MDS with Identity Collector

On top of that there is the point of VSX: will each VS that has IA enabled connect to the AD or Identity Collector itself, or will this be controlled via VS0? For the latter I would expect it to be a connection per VS, as that way you can have an independent AD connection per VS.

If anyone has a document describing this it would be highly appreciated if it could be shared here.

Regards, Maarten
3 Replies
Admin

In the Identity Awareness Best Practices session, we have the following diagram, which shows most of the communication flow.
While a physical gateway is shown below, you can assume it's the same for a VS (i.e. each VS will do this, not just VS0).

[Image: Screen Shot 2020-10-16 at 3.02.16 PM.png]

The gateway/VS, via pdpd, talks to AD using LDAP on 389/636 to look up groups.
Identity Collector talks to the gateway/VS via port 443 (using IDA API).
Identities are shared between gateways/VS (between pdpd and pepd) using ports 15105 and 28581.

References:

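The ports in the reply above can be turned into a quick audit of firewall connection records: anything on an Identity Awareness port that is not between the documented roles, or not in the documented direction, gets flagged for review. This is an added example, not code from the post or from Check Point; the flow table is taken from the reply, while the record format, the IP-to-role inventory and the sample records are constructed assumptions.

```python
"""
Sanity-check connection records against the Identity Awareness flows listed
in the reply above (LDAP/LDAPS 389,636 gateway->AD; 443 Identity Collector->
gateway; 15105/28581 gateway<->gateway identity sharing).
Added example: the flow table comes from the post, but the record format, the
IP-to-role inventory and the sample records are constructed assumptions, not
Check Point's log schema.
"""
import re
from collections import Counter, namedtuple

# (source role, destination role) -> TCP ports documented in the reply.
EXPECTED_FLOWS = {
    ("gateway", "ad"):        {389, 636},     # pdpd -> AD, LDAP / LDAPS group lookup
    ("collector", "gateway"): {443},          # Identity Collector -> gateway, IDA API
    ("gateway", "gateway"):   {15105, 28581}, # identity sharing between pdpd and pepd
}
IA_PORTS = set().union(*EXPECTED_FLOWS.values())

# Constructed inventory: which IP plays which IA role (assumption, not from the post).
ROLES = {
    "10.0.0.10": "ad",
    "10.0.1.1": "gateway",
    "10.0.1.2": "gateway",
    "10.0.2.5": "collector",
    "10.0.3.7": "workstation",
}

Finding = namedtuple("Finding", "line verdict reason")
RECORD_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)")


def parse_record(line):
    """Return (src, dst, proto, dport) from a constructed-format record, or None."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto.lower(), int(dport)


def classify(line):
    """Decide whether one record matches a documented IA flow."""
    rec = parse_record(line)
    if rec is None:
        return Finding(line, "unparsed", "missing src/dst/proto/dport fields")
    src, dst, proto, dport = rec
    if dport not in IA_PORTS:
        return Finding(line, "ignore", "not an Identity Awareness port")
    pair = (ROLES.get(src, "unknown"), ROLES.get(dst, "unknown"))
    if proto != "tcp":
        return Finding(line, "review", f"IA port {dport} over {proto}, expected tcp")
    if dport not in EXPECTED_FLOWS.get(pair, set()):
        # Right port, but not between the roles (or in the direction) the reply documents.
        return Finding(line, "review",
                       f"port {dport} used by {pair[0]}->{pair[1]}, not a documented IA flow")
    if dport == 389:
        # Documented flow, but plain LDAP; 636 carries the same lookups over TLS.
        return Finding(line, "expected", "LDAP group lookup on 389 (cleartext; 636 is LDAPS)")
    return Finding(line, "expected", f"{pair[0]}->{pair[1]} on {dport}")


def audit(lines):
    return [classify(line) for line in lines]


def summarize(findings):
    """Count records per verdict, e.g. {'expected': 4, 'review': 2, ...}."""
    return dict(Counter(f.verdict for f in findings))


# Constructed sample records (not real logs).
SAMPLE_LOG = [
    "src=10.0.1.1 dst=10.0.0.10 proto=tcp dport=636",   # gateway -> AD, LDAPS
    "src=10.0.1.1 dst=10.0.0.10 proto=tcp dport=389",   # gateway -> AD, plain LDAP
    "src=10.0.2.5 dst=10.0.1.1 proto=tcp dport=443",    # Collector -> gateway, IDA API
    "src=10.0.1.1 dst=10.0.1.2 proto=tcp dport=15105",  # identity sharing
    "src=10.0.1.1 dst=10.0.2.5 proto=tcp dport=443",    # wrong direction: gateway -> Collector
    "src=10.0.3.7 dst=10.0.1.2 proto=tcp dport=28581",  # workstation on a sharing port
    "src=10.0.3.7 dst=10.0.0.10 proto=tcp dport=80",    # unrelated web traffic
    "garbage line",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.verdict:9} {f.reason}")
    print(summarize(audit(SAMPLE_LOG)))
```

Direction matters here: the reply says the Identity Collector talks to the gateway on 443, so a gateway opening 443 to the Collector host is reported for review rather than accepted. Port 389 is accepted because the reply lists it, but the reason string notes that it is plain LDAP and that 636 is the TLS variant.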
Champion

Thanks Dameon, is there any way I can get a copy of the presentation of that best practices session?

Another thing that is not shown in all documents is the comms between the SMS/MDS and the AD server. What I have seen before is that sometimes, in an MDS environment, the communication between the MDS/DMS is mixed up a bit: for some things the MDS IP is used and some others use the DMS IP...

I'm also still a bit in the dark on when an Identity Collector is worth the effort/money.

Regards, Maarten
Admin

The presentation is in the various user group sections, but I'll send it to you in a PM.

The only time the SMS/DMS should talk to AD would be when Access Roles are initially created.
Beyond that, there should be no need for SMS/DMS to query AD.

Identity Collector is needed in large AD environments (ADQuery doesn’t scale as well) and integration with Cisco ISE.