11-11-2012 07:40 PM - edited 03-10-2019 07:46 PM
Hi,
I have some new requirements, as follows:
Active Directory Domain A with Certificate Authority A
Active Directory Domain B with Certificate Authority B
I would like to make sure that my understanding about this solution is correct.
Can I have ISE 1.1.2 join both domains? No
Can I use an AD connection with Domain A and an LDAP connection with Domain B? Yes
Can users be authenticated from these two domains? Maybe yes, from AD and LDAP
Can I have ISE include both root certificates of domains A and B? Yes
Does ISE support single name indication for SSL certificates? No
With EAP-TLS, I have to choose only 1 domain for EAP-TLS, right? Yes, but not sure
Regards,
PM
05-23-2014 04:19 AM
https://supportforums.cisco.com/discussion/11883331/ise-multiple-ad
05-30-2014 06:01 AM
ISE release 1.1.2 does not support Multiple AD
05-30-2014 06:36 AM
You can have ISE join one domain (domain A - local domain) and authenticate users from another domain (domain B - remote domain) without using an LDAP instance. All you need is a 2-way trust relationship between domains A and B.
ISE supports multidomain forests. ISE connects to a single domain, but can access resources from the other domains in the Active Directory forest if trust relationships are established between the domain to which ISE is connected and the other domains.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/user_guide/ise11_user_guide/ise_man_id_stores.html#wp1059011
This way users from both the domains can authenticate.
Regards,
Jatin Katyal
**Do rate helpful posts**