Solved: ISE 2.4 TACACS - One-Way Trust between ADs

NaveenG_Wi-Fi · ‎04-07-2019

I am planning to migrate TACACS service from ACS to ISE. The AD domains of the ACS/ISE/Switches/Routers/Firewalls are as follows:

ACS - bank.company.com
ISE - retail.company.com
Switches/Routers/Firewalls - bank.company.com
Network Admin - Have credentials in both AD domains bank.company.com && retail.company.com

Currently, ISE is a TACACS service only for Retails domain devices. ACS is a TACACS server for Bank domain devices. I would like to have only one central TACACS server, which is ISE. There is only one-way trust between the two domains and the domain 'bank.company.com' appears as -'Unusable Domain' in ISE. bank.company.com TRUSTS retail.company.com, but not vice versa

I have started with a Test device in bank.company.com. But, authentication fails for the network admin providing 'bank.company.com' AD domain user credentials.
I see the following in ISE logs: "AD-Error-Details Domain trust is one-way".

Should we have two-way trust between the domains? Doesn't the AD domain 'retail.company.com' redirect the request to 'bank.company.com' AD domain for user authentication since there exists one-way trust?

Please advise.

Damien Miller · ‎04-07-2019

You can join ISE directly to 50 AD domains. Since you can't leverage one way trusts for authentication this would be the way to solve this. You can reference both external AD joins in same ID sequence to keep it simple.

View solution in original post

Damien Miller · ‎04-07-2019

You can join ISE directly to 50 AD domains. Since you can't leverage one way trusts for authentication this would be the way to solve this. You can reference both external AD joins in same ID sequence to keep it simple.