Cisco ISE 1.2 and 2 Active Directory Domains

marioderosa2008
Level 1

Hi Support,

does anyone know whether I can perform Certificate Authentication for two different Active Directory domains using the same ISE host / deployment?

We have two forests with a trust link between them.

We have a separate PKI in each domain.

I am thinking that the ISE can only be joined to a single domain, but because we have a trust between the two forests, the ISE can have two certificate profiles in an identity source sequence which it can then use in a single authorisation policy.

I take it that I would need local certs from each CA in the local certificate store of the ISE?

We are performing a company merger and we cannot migrate users to the primary AD domain due to several reasons so we would like to use the same ISE deployment to authenticate Wireless users on both AD domains.


Thanks

Mario

1 Reply

Charlie Moreton
Cisco Employee

Mario,


This is possible.  Here are the guidelines for the Multi-Forest support in ISE 1.2:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1350874


You would have to set a new Certificate Authentication Profile for each domain and use the Authentication Policies to determine which of the Certificate Authentication Profiles to use.


http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1349174


Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton
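An added illustration, not part of the original thread and not Cisco's or ISE's own code: the two facts the answer above relies on can be checked with plain OpenSSL on any workstation. A client certificate issued by one forest's PKI chains only to that forest's CA, so each issuing CA has to be trusted separately, and the issuer DN is a stable attribute for a policy rule that decides which Certificate Authentication Profile should handle a request. The script builds two throwaway CAs named forestA and forestB, issues one client certificate from each, routes each certificate to a profile by issuer, and validates each chain against both CAs. The forest, user and profile names (forestA, forestB, alice, bob, CAP_forestA, CAP_forestB) are constructed for the demo, and select_profile is a hypothetical stand-in for the ISE authentication policy condition, not an ISE interface.

```shell
#!/bin/sh
# Added example: two throwaway PKIs standing in for the two forests' CAs.
# Names (forestA, forestB, alice, bob, CAP_*) are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Build a self-signed issuing CA for one forest: ca-<forest>.pem / .key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "ca-$1.key" -out "ca-$1.pem" \
    -subj "/DC=local/DC=$1/CN=$1 Issuing CA" >/dev/null 2>&1
}

# Issue a client certificate for user $2 from forest $1's CA
make_client() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$2@$1.key" -out "$2@$1.csr" \
    -subj "/DC=local/DC=$1/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$2@$1.csr" -CA "ca-$1.pem" -CAkey "ca-$1.key" \
    -CAcreateserial -days 1 -out "$2@$1.pem" >/dev/null 2>&1
}

# Issuer DN in RFC 2253 form, which is stable across OpenSSL versions
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=[ ]*//'
}

# Hypothetical policy rule: map the issuer to the Certificate Authentication
# Profile (and so the AD forest) that should handle the request.
select_profile() {
  case "$(issuer_of "$1")" in
    *"CN=forestA Issuing CA"*) echo "CAP_forestA" ;;
    *"CN=forestB Issuing CA"*) echo "CAP_forestB" ;;
    *) echo "NO_MATCH" ;;
  esac
}

# Chain validation against a single trust anchor: prints ok or fail
verify_against() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

main() {
  make_ca forestA; make_ca forestB
  make_client forestA alice; make_client forestB bob
  for cert in alice@forestA.pem bob@forestB.pem; do
    printf '%s -> %s ; vs forestA CA: %s ; vs forestB CA: %s\n' \
      "$cert" "$(select_profile "$cert")" \
      "$(verify_against "$cert" ca-forestA.pem)" \
      "$(verify_against "$cert" ca-forestB.pem)"
  done
}

main
```

Each certificate verifies only against its own forest's CA and fails against the other, which is why trusting one CA does not cover clients from the other PKI; the issuer-based routing is what lets a single policy set send each population to the right profile.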