Hi there,
We have a Health Trust that is split into 7 organisations, who each plan to deploy their own ISE Instances, as well as their own WLCs. Additionally, they each have their own AD domains, separately managed.
They would, however, like doctors/staff members to be able to roam among buildings, and authenticate to a common SSID.
We could approach this from the perspective of defining each ISE instance in each WLC, and that would probably work. I am looking into whether we could define just the local ISE instance on each WLC, and use ISE RADIUS Proxy to proxy authentications back to a staff member's home ISE instance.
Is this worth exploring as a design option? The customer has already dismissed the idea of a central Admin node and PSNs in each Trust.
As a follow-on question, they would like a guest that initially authenticates in one Hospital to be able to roam to any other hospital in the trust w/o having to re-authenticate for a certain duration (days/weeks)...
Best regards,
Brian