ISE integration with several ADs

atapiafl@cisco.com
Cisco Employee

Hello team,

I am working on a project where we will have several companies in one campus. All the infra will be managed by the same SP. The SP wants to offer ISE service for the companies inside the campus, but they don't want to use a lot of virtual ISE instances (one per client). Is it possible to have just one ISE instance for all? Maybe joining one ISE instance with several ADs (AD per customer)? If this is possible, can we create different policies per ISE-AD/Company?

Thanks in advance for your help.

Alex

2 Replies

Timothy Abbott
Cisco Employee

Alex,

ISE wasn't designed to support multi-tenant environments. That said, it may be possible depending on the size of the deployment and the use cases required of each company. ISE has multi-forest AD support (up to 50) and you could also leverage policy sets to separate policy for each company. You would need to have a clear understanding of the AAA policy for each, then determine if it is something that ISE would be able to separate.

Regards,

-Tim

thomas
Cisco Employee

The AD support with ISE isn't the issue since we can do 50 Join Points to the same domain or different domains.

When you have multi-tenant, the administrative management of security information is the problem since ISE does not have the ability to segregate one tenant's information (logs, policies, etc.) from the other tenant.

If you are going to abstract this out for the tenants and be the sole manager for all tenants then it could work since you're the Admin for everyone. But if each tenant has their own Administrator then it's not going to work.