
1122 Views · 0 Helpful · 5 Replies
NaveenG_Wi-Fi
Beginner

ISE 2.3 Trust between two AD domains

Hi,

I am trying to migrate TACACS services of a group of devices from ACS to ISE 2.3. The devices belong to a domain (ab.se) different from ISE's domain (cd.net). Is it mandatory to have two-way trust between the two domains in order to whitelist the domain (that of devices whose TACACS server is going to be changed from ACS to ISE)? Currently the trust is one way (cd.net trusts ab.se). The domain cd.net is currently showing as 'Unusable Domains' and not under 'Whitelisted Domains'.


5 Replies
Arne Bier
VIP Advisor

Hi

I had to read and re-read your question many times because I don't understand why you are referring to the "device's" domain or even "ISE's" domain in the context of AD. The way I see it, it's very straightforward. Every ISE node can join one or more AD domains. It's typical that the PSN joins at least one AD domain because the PSN node is the one that needs to perform user authentication. It doesn't matter what domain the PSN is on (e.g. internal.net). When you join the PSN to an AD domain, you enter the domain you wish to join. If you want to join domain abc.com then enter abc.com. If however abc.com has a two-way trust relationship with corp.com, then you can join corp.com and then whitelist abc.com. But I don't see the point of that unless you also need to authenticate to the corp.com domain. But a direct or indirect join works fine.

The domains of the network devices themselves don't matter at all. It has nothing to do with AD.

Hello Arne,

Hope this gives you a little clarity.

Current scenario:

Devices (cd.net) -->> ACS (cd.net) -->> AD database (cd.net)

Proposed scenario - replacing ACS with ISE:

Devices (cd.net) -->> ISE (ab.se) -->> AD database (cd.net)

Without whitelisting cd.net, would the ISE be able to talk to the Active Directory database sitting in the cd.net domain?

 

I am guessing you mean the administrators of the devices are using credentials in cd.net. If there is no trust between ab.net and cd.net you can have ISE join both ab.net and cd.net and create a sequence to check both domains if you want.  If all your network admin accounts are in cd.net and all your other use cases are in cd.net you can just have ISE join cd.net.  If there is a two way trust between ab.net and cd.net then ISE just needs to join ab.net and you make sure cd.net is in the whitelisted domains.

Hello Paul,

You are right. The admins of a few devices are in cd.net. Most of the other devices are administered in the ab.net domain, where the ISE also sits. I would want the ISE to remain in only one domain, i.e., ab.net.

So, whitelisting the cd.net domain is the solution? And it is done by establishing two-way trust between the two domains? Obviously we don't have an option in ISE to manually whitelist a domain. Please correct me if I am wrong.

Regards,

Naveen

If there is no AD requirement to establish a trust between the two domains I wouldn't do it just for ISE.  Have ISE join both domain and setup an identity source sequence to check both domains.  The only issue you have to watch out for is people having the same ID in both domains.  ISE will check the domains in the order you specify them in the identity source sequence.  If the username is not domain qualified and the same account exists in both domains the account in the first domain specified will be used.  The admins can always use domain\user to specify the domain.
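The two answers above (join both domains and order them in an identity source sequence; watch for the same ID existing in both; use domain\user to disambiguate) describe a lookup rule that is easy to get wrong in practice. The following is an added example, not ISE's or Cisco's own code, that models that rule so the collision case can be seen concretely. The domain names, account names, DNs and the directory contents are constructed; the `user@domain` form, the case-insensitive matching and the `ambiguous` flag are assumptions of this model, not documented ISE behaviour.

```python
"""Model of how an ordered identity source sequence resolves a TACACS+ login
across several joined AD domains (added example, hypothetical, not ISE code)."""

from typing import Optional

# Constructed sample directories keyed by domain, then by sAMAccountName.
# "naveen" deliberately exists in both domains to show the collision case.
DIRECTORIES = {
    "ab.se": {
        "naveen": "CN=Naveen G,OU=NetAdmins,DC=ab,DC=se",
        "arne": "CN=Arne B,OU=NetAdmins,DC=ab,DC=se",
    },
    "cd.net": {
        "naveen": "CN=Naveen (legacy),OU=ACS-Admins,DC=cd,DC=net",
        "paul": "CN=Paul,OU=ACS-Admins,DC=cd,DC=net",
    },
}


def parse_username(raw: str):
    """Split a login into (domain, user). Accepts DOMAIN\\user, user@domain,
    or a bare user (domain is None). Matching is case-insensitive (assumption)."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
        return domain.lower(), user.lower()
    if "@" in raw:
        user, domain = raw.rsplit("@", 1)
        return domain.lower(), user.lower()
    return None, raw.lower()


def duplicate_ids(sequence, directories=DIRECTORIES):
    """Usernames present in more than one domain of the sequence: the accounts
    an unqualified login cannot resolve unambiguously. Worth running before
    relying on bare usernames for device administration."""
    seen = {}
    for domain in sequence:
        for user in directories[domain]:
            seen.setdefault(user, []).append(domain)
    return {user: domains for user, domains in seen.items() if len(domains) > 1}


def resolve(raw: str, sequence, directories=DIRECTORIES) -> Optional[dict]:
    """Resolve a login the way an ordered sequence does: a domain-qualified
    name is looked up only in that domain; a bare name is tried in each domain
    in sequence order and the first hit wins, even if a later domain also
    holds the same ID."""
    domain, user = parse_username(raw)
    if domain is not None:
        if domain not in sequence:
            return None  # domain not joined / not in the sequence: reject
        dn = directories[domain].get(user)
        if dn is None:
            return None
        return {"domain": domain, "user": user, "dn": dn, "ambiguous": False}
    for candidate in sequence:
        dn = directories[candidate].get(user)
        if dn is not None:
            # Flag that another domain in the sequence also holds this ID, so
            # the first-match rule, not the operator's intent, picked the account.
            shadowed = any(user in directories[d] for d in sequence if d != candidate)
            return {"domain": candidate, "user": user, "dn": dn, "ambiguous": shadowed}
    return None


if __name__ == "__main__":
    seq = ["ab.se", "cd.net"]
    print("colliding IDs:", duplicate_ids(seq))
    for login in ["naveen", "cd.net\\naveen", "naveen@cd.net", "paul", "nobody"]:
        print(f"{login:16} -> {resolve(login, seq)}")
```

Running it with the sequence `["ab.se", "cd.net"]` shows that a bare `naveen` silently resolves to the ab.se account while `cd.net\naveen` reaches the legacy account; reversing the sequence order flips which account a bare login gets. The `duplicate_ids` check is the piece to run when planning the cut-over, since the colliding IDs are exactly the logins that must be domain-qualified.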
