I'm looking to deploy a Network Access Control (NAC) solution that utilizes AWS Managed Directory Service (DS) as my external identity source. My setup will be fully hosted on AWS, without any on-premises domain controllers. The goal is to map specific users within my network and require them to authenticate every time they connect. I've typically used vanilla Active Directory for this. Has anyone implemented a similar setup with AWS Managed DS? Additionally, can I perform Active Directory lookups for specific user or computer accounts connecting from on-premises? Thanks in advance!
2 Answers
I haven't done it myself, but AWS Managed Directory Service should support LDAP queries. Definitely check out the AWS documentation to get the specifics on how AD lookups work from on-premises.
Yes, it works well, but you'll need to have a RADIUS, TACACS+, or a portal service hosted, since the managed directory doesn't include legacy Windows NAC services. Keep in mind that 'NAC' can be a bit vague; it's more of a feature than a specific technology. The effectiveness really depends on your network setup.

I'm using Cisco ISE on-prem and connecting it to AWS DS for user and computer lookups. The aim is to implement 802.1X for both wired and wireless users, ideally using certificates (wondering if AWS DS can host a CA or integrate an external Windows CA) or through standard credentials. Just wanted to keep this broad to avoid complications since it's an AWS setup.