https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469553#M496595 <HTML><HEAD></HEAD><BODY><P>As Dustin said the ISE deployment can join multiple AD domains.&nbsp; Then it is up to you and the rule base how you authenticate against those domains.&nbsp; There would be no need to separate by PSN or anything.&nbsp; It is up to the network to utilize the PSNs as needed.&nbsp; </P><P></P><P>I guess in theory you could do something like:</P><P></P><P>PSN 1 and PSN 2 join AD domain 1</P><P>PSN 3 and PSN 4 join AD domain 2</P><P></P><P>but not sure why you would want to do that.</P></BODY></HTML> Fri, 29 Jun 2018 18:37:48 GMT paul 2018-06-29T18:37:48Z https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469551#M496593 <HTML><HEAD></HEAD><BODY><P>Hi Experts,</P><P>Want to ask whether it is feasible to have 2 separate AD for a single cluster, say segregate them by PSN?</P><P></P><P>Thanks,<BR />Wendy</P></BODY></HTML> Fri, 29 Jun 2018 10:46:18 GMT https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469551#M496593 wchik 2018-06-29T10:46:18Z https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469552#M496594 <HTML><HEAD></HEAD><BODY><P>You can have multiple AD's on a cluster, but I don't think you can have a node do one AD and the second do the other since when they are clustered, only one is able to be configured and it duplicates it to both.</P><P></P><P>You may be able to do some of it through rules, but I haven't looked if you can call out the specific node in a rule.</P></BODY></HTML> Fri, 29 Jun 2018 18:08:36 GMT https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469552#M496594 Dustin Anderson 2018-06-29T18:08:36Z https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469553#M496595 <HTML><HEAD></HEAD><BODY><P>As Dustin said the ISE deployment can join multiple AD domains.&nbsp; Then it is up to you and the rule base how you authenticate against those domains.&nbsp; There would be no need to separate by PSN or anything.&nbsp; It is up to the network to utilize the PSNs as needed.&nbsp; </P><P></P><P>I guess in theory you could do something like:</P><P></P><P>PSN 1 and PSN 2 join AD domain 1</P><P>PSN 3 and PSN 4 join AD domain 2</P><P></P><P>but not sure why you would want to do that.</P></BODY></HTML> Fri, 29 Jun 2018 18:37:48 GMT https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469553#M496595 paul 2018-06-29T18:37:48Z https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469554#M496597 <HTML><HEAD></HEAD><BODY><P>Adding to what Paul and Dustin said... which seems related to how it is done in ACS 5.x -- <A href="https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/ACS-ADIntegration/guide/Active_Directory_Integration_in_ACS_5-8.html#pgfId-417854">Joining ACS to Active Directory Domain</A></P><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD><SPAN style="color: #525252; font-family: Arial, Helvetica, sans-serif; font-size: 14px;"><EM>You can join the ACS nodes from same deployment to different AD domains. However, each node can be joined to a single AD domain. ...</EM></SPAN></TD></TR></TBODY></TABLE></BLOCKQUOTE><P></P><P>ISE 1.3+ does not have this limitation.</P><P></P><P><SPAN style="font-size: 10pt;">If 2 AD means 2 AD domain controllers, then we may use </SPAN><A href="https://technet.microsoft.com/en-us/library/dd277428.aspx" style="font-size: 10pt;">Microsoft Active Directory Sites and Services</A><SPAN style="font-size: 10pt;"> to have PSNs use the domain controllers designated to the sites that have the subnets where PSNs residing in.</SPAN></P></BODY></HTML> Fri, 29 Jun 2018 21:15:28 GMT https://community.cisco.com/t5/network-access-control/ise-single-cluster-with-2-ad/m-p/3469554#M496597 hslai 2018-06-29T21:15:28Z