
Cisco Employee

ISE integration with several AD's

Hello team,

I am working on a project where we will have several companies in one campus. All the infra will be managed by the same SP. The SP wants to offer ISE service for the companies inside the campus, but they don't want to use a lot of virtual ISE instances (one per client). Is it possible to have just one ISE instance for all? Maybe joining one ISE instance with several ADs (one AD per customer)? If this is possible, can we create different policies per ISE-AD/company?

Thanks in advance for your help.


Cisco Employee

Re: ISE integration with several AD's


ISE wasn't designed to support multi-tenant environments. That said, it may be possible depending on the size of the deployment and the use cases required of each company. ISE has multi-forest AD support (up to 50) and you could also leverage policy sets to separate policy for each company. You would need to have a clear understanding of AAA policy for each, then determine if it is something that ISE would be able to separate.



Cisco Employee

Re: ISE integration with several AD's

The AD support with ISE isn't the issue since we can do 50 Join Points to the same domain or different domains.

When you have multi-tenant, the administrative management of security information is the problem since ISE does not have the ability to segregate one tenant's information (logs, policies, etc.) from the other tenant.

If you are going to abstract this out for the tenants and be the sole manager for all tenants then it could work since you're the Admin for everyone. But if each tenant has their own Administrator then it's not going to work.