
ISE - Can I specify the AD servers that it will pass authentication requests to?

oaklandnt
Level 1

Is it possible to specify which Windows AD servers are used to pass authentication requests to in version 1.2.0.899?


Jagdeep Gambhir
Level 10

With ISE 1.2 you can join it to only one Active Directory domain; however, if there is a two-way trust relationship between this AD and other AD domains, you can also authenticate users from other AD domains via ISE.

The other option will be to join ISE 1.2 to one AD domain and configure other AD domains via an LDAP connection.

Starting from ISE 1.3 there is multi-forest/multi-domain AD support, so the 1.3 release can be joined to multiple AD domains (up to 50 domains):

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/release_notes/ise13_rn.html#pgfId-367551

Regards,

~JG

Do rate helpful posts

 

ajc
Level 7

I am not yet running 1.3, but the only way I could have a 1-to-1 connection between ISEs and DCs was using an ACL on the switch port connected to each ISE so it could only talk to a specific domain controller. I do not know if this is what you want to achieve.

AC

 

Abraham,

There are four AD servers and I only wanted to authenticate to two of them. I was hoping there was a setting within ISE that I could use; if not, I think your suggestion will work.

Thank you.

nspasov
Cisco Employee

I believe what you are looking for can be done by using "sites and services" in your AD environment. Take a look at the following Cisco Live Presentation:

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78730&tclass=popup

I hope this helps!

 

Thank you for rating helpful posts!