08-22-2016 06:57 AM - edited 03-11-2019 12:01 AM
We would like to know which versions of ACS and ISE can handle multiple domains?
08-22-2016 08:22 PM
ISE supports it as of version 1.4.
"Cisco ISE 1.4 supports Multi-Forest/Multi-Domain integration with Active Directory infrastructures to support authentication and attribute collection across large enterprise networks. Cisco ISE 1.4 supports up to 50 domain join points."
Source: http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/release_notes/ise14_rn.html#93607
I'm not as sure about ACS, as most of my customers use ISE. I believe it can only join a single domain but will transitively trust domains that the joined domain trusts (since ACS 5.8).
08-23-2016 06:38 PM
Prior to ISE 1.4, neither ISE nor ACS supported multiple domains.
Your only option was to join one domain via native AD connector, and another domain via LDAP.
We tried utilizing the domain trust between the two domains on ACS 5.x but couldn't get it to work... not sure whether domain trust wasn't supported by ACS, or it was just user error on our part.
We didn't spend much time on it, and decided just to build two different ACS clusters behind ACE LB instead.
08-24-2016 01:15 PM
Multi-domain has been supported on ISE since ISE 1.3.
Prior to that, and on ACS, multi-domain could only be supported by establishing trust connections.
08-30-2016 10:52 AM
You can join ACS to different domains but the setup is a bit strange and definitely not as robust as ISE:
You can join the ACS nodes from the same deployment to different AD domains. However, each node can be joined to only a single AD domain. The policy definitions of those ACS nodes are not changed, and they use the same AD identity store.
Thank you for rating helpful posts!