Solved: ISE single cluster with 2 AD

wchik · ‎06-29-2018

Hi Experts,

Want to ask whether it is feasible to have 2 separate AD for a single cluster, say segregate them by PSN?

Thanks,
Wendy

paul · ‎06-29-2018

As Dustin said the ISE deployment can join multiple AD domains. Then it is up to you and the rule base how you authenticate against those domains. There would be no need to separate by PSN or anything. It is up to the network to utilize the PSNs as needed.

I guess in theory you could do something like:

PSN 1 and PSN 2 join AD domain 1

PSN 3 and PSN 4 join AD domain 2

but not sure why you would want to do that.

View solution in original post

Dustin Anderson · ‎06-29-2018

You can have multiple AD's on a cluster, but I don't think you can have a node do one AD and the second do the other since when they are clustered, only one is able to be configured and it duplicates it to both.

You may be able to do some of it through rules, but I haven't looked if you can call out the specific node in a rule.

paul · ‎06-29-2018

As Dustin said the ISE deployment can join multiple AD domains. Then it is up to you and the rule base how you authenticate against those domains. There would be no need to separate by PSN or anything. It is up to the network to utilize the PSNs as needed.

I guess in theory you could do something like:

PSN 1 and PSN 2 join AD domain 1

PSN 3 and PSN 4 join AD domain 2

but not sure why you would want to do that.

hslai · ‎06-29-2018

Adding to what Paul and Dustin said... which seems related to how it is done in ACS 5.x -- Joining ACS to Active Directory Domain

You can join the ACS nodes from same deployment to different AD domains. However, each node can be joined to a single AD domain. ...

ISE 1.3+ does not have this limitation.

If 2 AD means 2 AD domain controllers, then we may use Microsoft Active Directory Sites and Services to have PSNs use the domain controllers designated to the sites that have the subnets where PSNs residing in.