https://community.cisco.com/t5/network-access-control/can-we-join-single-cisco-ise-node-to-multiple-active-directory/m-p/5240596#M593943 <P>Is there any way I can break the trust / prevent one domain join point from looking for accounts in other domains that have a trust?</P><P>I set up a new AD join point, and the account that was previously getting grabbed by the wrong domain and coming back as disabled is now working.&nbsp; The new problem, however, is that new join point is allowing authentication from multiple domains (since there are trusts between them) but I did not set up the AD groups for that join point, so now the accounts are failing authorization.&nbsp; I'm looking at having to add all the groups across every domain into each join point so they can be authorized regardless of which join point authenticates them.&nbsp;&nbsp;</P><P>That explanation is getting a little wordy, yikes.&nbsp;&nbsp;</P> Tue, 24 Dec 2024 21:18:31 GMT asdraper 2024-12-24T21:18:31Z https://community.cisco.com/t5/network-access-control/can-we-join-single-cisco-ise-node-to-multiple-active-directory/m-p/4416882#M567803 <P>Hi,</P><P>&nbsp;</P><P>Can some one please help to get an answer as mentioned in Subject if we can join Single ISE Node to Multiple Active Directory Domain/Forest same time. I am aware Cisco ISE support upto 50 Active Directory domain joined but i am not sure if we can join Single ISE node to Multiple Active Directory forest/Domain same time or not. Can some one please help me on this.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Jun 2021 15:41:02 GMT https://community.cisco.com/t5/network-access-control/can-we-join-single-cisco-ise-node-to-multiple-active-directory/m-p/4416882#M567803 aaggarwal23 2021-06-11T15:41:02Z https://community.cisco.com/t5/network-access-control/can-we-join-single-cisco-ise-node-to-multiple-active-directory/m-p/4417073#M567805 <P>Yes.</P> <P>"50 Active Directory domain join points" means 50 unique domains/forests or 50 different places within a single domain.</P> <P>From the ISE Admin Guide:</P> <UL> <LI><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_asset_visibility.html?bookSearch=true#reference_2DED94723F2248B99730D5393E73AB56" target="_blank" rel="noopener">Configure Active Directory as an External Identity Source</A></LI> <LI><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_asset_visibility.html?bookSearch=true#concept_2D3FDBAD9F50469BA09704BF409209C7" target="_blank" rel="noopener">Support for Active Directory Multi-Join Configuration</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 11 Jun 2021 23:53:48 GMT https://community.cisco.com/t5/network-access-control/can-we-join-single-cisco-ise-node-to-multiple-active-directory/m-p/4417073#M567805 thomas 2021-06-11T23:53:48Z https://community.cisco.com/t5/network-access-control/can-we-join-single-cisco-ise-node-to-multiple-active-directory/m-p/5240596#M593943 <P>Is there any way I can break the trust / prevent one domain join point from looking for accounts in other domains that have a trust?</P><P>I set up a new AD join point, and the account that was previously getting grabbed by the wrong domain and coming back as disabled is now working.&nbsp; The new problem, however, is that new join point is allowing authentication from multiple domains (since there are trusts between them) but I did not set up the AD groups for that join point, so now the accounts are failing authorization.&nbsp; I'm looking at having to add all the groups across every domain into each join point so they can be authorized regardless of which join point authenticates them.&nbsp;&nbsp;</P><P>That explanation is getting a little wordy, yikes.&nbsp;&nbsp;</P> Tue, 24 Dec 2024 21:18:31 GMT https://community.cisco.com/t5/network-access-control/can-we-join-single-cisco-ise-node-to-multiple-active-directory/m-p/5240596#M593943 asdraper 2024-12-24T21:18:31Z