NaveenG_Wi-Fi
Beginner

ISE 2.4 TACACS - One-Way Trust between ADs

I am planning to migrate TACACS service from ACS to ISE. The AD domains of the ACS/ISE/Switches/Routers/Firewalls are as follows:


ACS - bank.company.com
ISE - retail.company.com
Switches/Routers/Firewalls - bank.company.com
Network Admin - Have credentials in both AD domains bank.company.com && retail.company.com


Currently, ISE is a TACACS service only for Retail domain devices. ACS is a TACACS server for Bank domain devices. I would like to have only one central TACACS server, which is ISE. There is only one-way trust between the two domains, and the domain 'bank.company.com' appears as 'Unusable Domain' in ISE. bank.company.com TRUSTS retail.company.com, but not vice versa.

I have started with a test device in bank.company.com, but authentication fails for the network admin when providing 'bank.company.com' AD domain user credentials.
I see the following in ISE logs: "AD-Error-Details Domain trust is one-way".
Should we have two-way trust between the domains? Doesn't the AD domain 'retail.company.com' redirect the request to 'bank.company.com' AD domain for user authentication since there exists one-way trust?
Please advise.

Accepted Solution
Damien Miller
VIP Advisor

You can join ISE directly to 50 AD domains. Since you can't leverage one-way trusts for authentication, this would be the way to solve this. You can reference both external AD joins in the same ID sequence to keep it simple.
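Once devices from the second domain are pointed at ISE, the "Domain trust is one-way" message quoted in the question is the thing to watch for in the TACACS authentication logs while the direct join is being set up. The following is an added example, not code from the original post or from Cisco: a small Python triage script over constructed sample lines that groups the affected users by AD domain. The line layout and field names (User, AD-Domain, AD-Error-Details) are assumptions modelled loosely on the message in the question; adjust the regex to your own log export.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real ISE output). Each line is a syslog-style
# prefix followed by ", "-separated key=value fields. Field names are assumptions.
SAMPLE_LOGS = [
    "Jan 15 10:01:02 ise01 CISE_TACACS_Authentication: User=netadmin1, "
    "AD-Domain=bank.company.com, AD-Error-Details=Domain trust is one-way, "
    "FailureReason=Authentication failed",
    "Jan 15 10:01:09 ise01 CISE_TACACS_Authentication: User=netadmin1, "
    "AD-Domain=retail.company.com, AuthenticationResult=Passed",
    "Jan 15 10:02:30 ise01 CISE_TACACS_Authentication: User=netadmin2, "
    "AD-Domain=bank.company.com, AD-Error-Details=Domain trust is one-way, "
    "FailureReason=Authentication failed",
    "Jan 15 10:03:00 ise01 CISE_TACACS_Authentication: User=netadmin3, "
    "AD-Domain=bank.company.com, AD-Error-Details=User not found, "
    "FailureReason=Authentication failed",
]

# key=value pairs; values run up to the next comma so spaces inside are kept
KV_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")
ONE_WAY_MARKER = "Domain trust is one-way"


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: value.strip() for key, value in KV_RE.findall(line)}


def one_way_trust_failures(lines):
    """Map each AD domain to the sorted, de-duplicated users whose authentication
    failed with the one-way-trust error. Other failures (e.g. user not found) and
    successful authentications are ignored."""
    failures = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        if fields.get("AD-Error-Details") == ONE_WAY_MARKER:
            domain = fields.get("AD-Domain", "<unknown>")
            failures[domain].add(fields.get("User", "<unknown>"))
    return {domain: sorted(users) for domain, users in failures.items()}


if __name__ == "__main__":
    # A domain listed here is one ISE cannot reach through the current trust
    # and is a candidate for its own direct AD join.
    for domain, users in one_way_trust_failures(SAMPLE_LOGS).items():
        print(f"{domain}: {len(users)} user(s) blocked by one-way trust: {', '.join(users)}")
```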
