12-05-2014 06:48 AM - edited 03-10-2019 10:14 PM
Hi Support,
Does anyone know whether I can perform Certificate Authentication for two different Active Directory domains using the same ISE host / deployment?
We have two forests with a trust link between them.
We have a separate PKI in each domain.
I am thinking that the ISE can only be joined to a single domain, but because we have a trust between the two forests, the ISE can have two certificate profiles in an identity source sequence which can then be used in a single authorisation policy.
I take it that I would need local certs from each CA in the local certificate store of the ISE?
We are performing a company merger and we cannot migrate users to the primary AD domain due to several reasons so we would like to use the same ISE deployment to authenticate Wireless users on both AD domains.
Thanks
Mario
12-05-2014 07:05 AM
Mario,
This is possible. Here are the guidelines for the Multi-Forest support in ISE 1.2:
You would have to set a new Certificate Authentication Profile for each domain and use the Authentication Policies to determine which of the Certificate Authentication Profiles to use.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton