Can ISE 2.x utilize an ordered/priority list of AD domains for authentication?

kbrewer
Cisco Employee

Hi ISE Experts.

I have a customer that has two separate ISE implementations. ISE (A) is for internal company wireless users, with access to the corporate AD user database. ISE (B) is a partner-managed ISE server, with access into the partner's corporate AD user database. The partner-managed ISE implementation is currently used for outsourcing the management of the customer's ISR4K WAN devices.


The customer wants to remove the partner from the equation and would like to slowly transition the management of the ISR4K WAN devices in house. In order to do this, they would like to have ISE (A) additionally join the partner's AD domain for the outsourced partner WAN mgmt users. They would like the authentication on ISE (A) to be prioritized by domain, like this:

in sequence/priority:

ISE (A): first check the in-house corporate AD domain for the user. If the user exists, authenticate using this domain. If the user does not exist, check the alternative partner AD domain for the outsourced partner WAN mgmt user.

Is this doable?

Regards,


Kevin Brewer

1 Accepted Solution


paul
Level 10

Yes, completely doable. Use an identity source sequence (ISS) to set the preference you want. Make sure to add the relevant AD groups from each domain. Then write a rule to allow the relevant AD groups from each domain access to the devices you want.

I usually also allow for local ISE users for corner cases. So your ISS would be:

  1. Corporate AD
  2. Partner AD
  3. Local ISE User Database

Call the ISS something like "Corp_Partner_Local" and use that as the authentication source for your policy sets.

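To make the ISS ordering concrete, here is an added model of how a Corp_Partner_Local sequence is walked; it is illustration code, not ISE's implementation and not part of Paul's reply, and the store names, users and passwords are constructed. It also covers the two cases a practitioner checks before cutting over: an account name that exists in both domains (the corporate entry shadows the partner one, so a wrong password there does not fall through), and the ISS advanced option that treats an unreachable store as "user not found".

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    USER_NOT_FOUND = "user not found"
    AUTH_FAILED = "authentication failed"
    STORE_UNAVAILABLE = "store unavailable"


@dataclass
class Store:
    """One identity store in the sequence (constructed model, not ISE code)."""
    name: str
    users: dict          # username -> password; plaintext only because this is a model
    available: bool = True

    def authenticate(self, user: str, password: str) -> Result:
        if not self.available:
            return Result.STORE_UNAVAILABLE
        if user not in self.users:
            return Result.USER_NOT_FOUND
        return Result.SUCCESS if self.users[user] == password else Result.AUTH_FAILED


def iss_authenticate(sequence, user, password, unavailable_as_not_found=False):
    """Walk the stores in the order the ISS lists them.

    ISE moves to the next store only when the user is not found; a wrong
    password in a store that does know the user ends the sequence there.
    unavailable_as_not_found mirrors the ISS advanced setting that treats an
    unreachable store like 'user not found' instead of stopping.
    Returns the final result plus a (store, result) trail for audit.
    """
    trail = []
    for store in sequence:
        result = store.authenticate(user, password)
        trail.append((store.name, result))
        if result is Result.USER_NOT_FOUND:
            continue
        if result is Result.STORE_UNAVAILABLE and unavailable_as_not_found:
            continue
        return result, trail
    return Result.USER_NOT_FOUND, trail


# Constructed sample data: "admin" exists in both domains with different passwords.
CORP = Store("Corporate AD", {"alice": "corp-pw", "admin": "corp-admin-pw"})
PARTNER = Store("Partner AD", {"bob": "partner-pw", "admin": "partner-admin-pw"})
LOCAL = Store("Local ISE User Database", {"breakglass": "local-pw"})
CORP_PARTNER_LOCAL = [CORP, PARTNER, LOCAL]
```

Before joining ISE (A) to the partner domain, listing account names present in both directories tells you which partner users will be shadowed by this ordering.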

2 Replies


kbrewer
Cisco Employee

Thanks Paul,


Regards,


Kevin Brewer