multiple domain in ACS and ISE

John
Level 1

We would like to know which versions of ACS and ISE can handle multiple domains.

4 Replies 4

Marvin Rhoads
Hall of Fame

ISE supports it as of version 1.4. 

"Cisco ISE 1.4 supports Multi-Forest/Multi-Domain integration with Active Directory infrastructures to support authentication and attribute collection across large enterprise networks. Cisco ISE 1.4 supports up to 50 domain join points."

Source: http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/release_notes/ise14_rn.html#93607

I'm not as sure with ACS as most of my customers use ISE. I believe it can only join to a single domain but will transitively trust domains that the joined domain trusts (since ACS 5.8).

Prior to ISE 1.4, neither ISE nor ACS supported multiple domains.

Your only option was to join one domain via native AD connector, and another domain via LDAP.

We tried utilizing the domain trust between the two domains on ACS 5.x but couldn't get it to work... not sure if domain trust wasn't supported by ACS, or if it was just user error on our part.

We didn't spend much time on it, and decided just to build two different ACS clusters behind ACE LB instead.

Multi domain is supported on ISE since ISE 1.3.

Prior to that, and on ACS, multi-domain could only be supported by establishing trust connections.

nspasov
Cisco Employee

You can join ACS to different domains but the setup is a bit strange and definitely not as robust as ISE:

You can join the ACS nodes from the same deployment to different AD domains. However, each node can be joined to only a single AD domain. The policy definitions of those ACS nodes are not changed, and they use the same AD identity store.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/ACS-ADIntegration/guide/Active_Directory_Integration_in_ACS_5-8.html

Thank you for rating helpful posts!