Cisco ISE - multiple AD - trust relationships

rcianci
Level 1

Hello,

I have a customer who has multiple AD forests and an ISE deployment running 1.1.3.

The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. Cisco ISE is connected to the Internal AD forest.

We know that multiple AD support is coming in 2014 with version 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.

1. Currently – the Internal AD forest has an External, Non-transitive, one-way trust with the External Forest

     a. The objective here is to use a feature called Selective Authentication in order to filter the outgoing requests from the External Forest to the Internal Forest – this is a selective trust feature that can be used to control access to specific resources in the Internal Forest and for authentication between the Internal/External Forest via Cisco ISE

     b. Preliminary testing has shown that a one-way trust seems to work for Cisco ISE authentication/authorization

     c. Further testing is underway to test the Selective Authentication feature (i.e. restrict access to specific resources etc…)

Question: has anyone used this, and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?

2. We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive, two-way trust with the External Forest

     a. Same objectives as in 1 – we would attempt to use Selective Authentication in the following fashion (this is an example)

          i. External Forest has an outgoing filter to allow access to specific resources in the Internal Forest, and for authentication

          ii. Internal Forest has an incoming filter to deny access to all resources in the External Forest

In this case we would filter so it resembles a one-way trust relationship - has anyone tried this, and does anyone know if this would be a supported method by Cisco?

Thanks in advance for your replies.

Robert C.
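As an added example (not part of the thread, and not Cisco's own tooling), a PowerShell check that audits the trust object in the Internal forest against the design described above (external, non-transitive, expected direction, Selective Authentication enabled) so the intended filtering can be verified before relying on it for ISE. It assumes the ActiveDirectory RSAT module on a machine joined to the Internal forest; the forest name and the expected direction are placeholders/assumptions.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# Run from the Internal forest; 'external.example' is a placeholder forest name.
Import-Module ActiveDirectory

function Test-IseTrustDesign {
    param(
        [Parameter(Mandatory)] [string] $PartnerForest,
        # Assumption: the Internal forest trusts the External forest, so from the
        # Internal side the trust direction is Outbound. Use BiDirectional for scenario 2.
        [ValidateSet('Inbound', 'Outbound', 'BiDirectional')]
        [string] $ExpectedDirection = 'Outbound'
    )

    # Get-ADTrust exposes the trust properties the design depends on:
    # Direction, ForestTransitive, IntraForest and SelectiveAuthentication.
    $trust = Get-ADTrust -Filter "Target -eq '$PartnerForest'" -ErrorAction Stop
    if (-not $trust) {
        return [pscustomobject]@{ Target = $PartnerForest; Status = 'NoTrustFound'; Findings = @() }
    }

    $findings = @()
    if ($trust.IntraForest) {
        $findings += 'Trust is intra-forest, expected an external (inter-forest) trust'
    }
    if ($trust.ForestTransitive) {
        $findings += 'Trust is forest-transitive, expected a non-transitive external trust'
    }
    if ($trust.Direction -ne $ExpectedDirection) {
        $findings += "Direction is $($trust.Direction), expected $ExpectedDirection"
    }
    # Without Selective Authentication the trust grants domain-wide authentication,
    # so the per-resource filtering the design relies on is not in effect.
    if (-not $trust.SelectiveAuthentication) {
        $findings += 'Selective Authentication is disabled (domain-wide authentication in effect)'
    }

    [pscustomobject]@{
        Target   = $trust.Target
        Status   = if ($findings.Count -eq 0) { 'MatchesDesign' } else { 'Deviates' }
        Findings = $findings
    }
}

# Scenario 1 check (one-way, Internal trusts External); placeholder forest name.
Test-IseTrustDesign -PartnerForest 'external.example' -ExpectedDirection 'Outbound' | Format-List
```

For scenario 2, run the same check with `-ExpectedDirection 'BiDirectional'`; the Selective Authentication flag only confirms the mode is on, the actual allow/deny filters are the "Allowed to Authenticate" permissions on the resource objects and must be reviewed separately.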

8 Replies

manjeets
Level 3

Multiple AD functionality will be supported in ISE 1.3 release and it would be available in July 2013.

Venkatesh Attuluri
Cisco Employee

For the Cisco recommended method of deployment with multiple AD domains, check

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf

kaaftab
Level 4

This functionality will be added in Cisco ISE 1.3, expected to be released in mid-September, and yes, a two-way trust is the interim solution.

manjeets
Level 3

ISE 1.3 is available now and it supports multiple AD integration.

Hi,

Are there any step-by-step configuration instructions for multiple AD integration? Is a trust relationship between the ADs necessary?

Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:

"Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."

I've set up one such deployment just recently and found it quite simple to just add the second domain and use it as an external identity source accordingly.

Find attached the step-by-step configuration of multiple AD integration with the ISE.

Stephen McBride
Level 1

Have you tried this scenario in 1.3 yet? I notice you stated that a one-way trust seems to work in 1.1.3? Basically it would appear that a two-way trust is still a requirement for multidomain forests in 1.3.

I am curious about why a two-way trust is required to authenticate users in this type of setup. Not sure why an external one-way trust wouldn't suffice. Does anyone have any experience with this in 1.3, as I am unable to join one of the required forests directly (due to internal policy) and the client is unwilling to configure a two-way trust.
