Showing results for 
Search instead for 
Did you mean: 

Cisco ISE - multiple AD - trust relationships


I have a customer who has multple AD forests and an ISE deployment running 1.1.3.

The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. CIsco ISE is connected to the Internal AD forest.

We know that multiple AD support is coming in 2014 with versioon 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.

1.       Currently  – the Internal AD forest has an External, Non-transitive – one-way trust with the External Forest

     a.       The objective here is to use a feature called Selective Authentication  in order to filter the outgoing requests from the External Forest to the Internal Forest – this is a selective trust feature that can be used to control access to specific resources in Internal Forest and for authentication between Internal/External Forest via Cisco ISE

     b.      Preliminary testing has shown that a one way trust seems to work for Cisco ISE authentication/authorization

     c.       Further testing is underway to test the Selective Authentication feature (ie restrict access to specific resources etc…)

Question : has any one used this and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?


2.       We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive – two-way trust with the External Forest

     a.       Same objectives as in  1 – we would attempt to use the Selective Authentication in the following fashion (this is an example)

          i.      External Forest has outgoing filter to allow access to specific resources in Internal Forest, and for authentication

          ii.      Internal Forest has incoming filter to deny access to all resources in External Forest

In this case we would filter so it resembles a 1 way trust relationship - anyone try this, anyone know if this would be a supported method by Cisco?

Thanks in advance for your replies.

Robert C.


Multiple AD functionality

Multiple AD functionality will be supported in ISE 1.3 release and it would be available in July 2013.


Cisco Employee

for cisco recommended method

for cisco recommended method of deployment with Multiple AD Domains check


This functionality will be

This functionality will be added in cisco ISE 1.3 expected to be release mid of September and yes two way trust in the interm solution


ISE 1.3 is availble now and

ISE 1.3 is availble now and its support multiple AD integration.


HI,Is there some


Is there some configuration step by step about multiple AD integration?. Is it necessary a trust relationship between the ADs?

Hall of Fame Guru

Cisco has published a nice

Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:

"Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."

I've setup one such deployment just recently and found it quite simple to just add the second domain and use it an en external identity source accordingly.


Find the attachment  of step

Find the attachment  of step by step configuration of multiple AD integration with the ISE.



Have you tried this scenario

Have you tried this scenario in 1.3 yet? I notice you stated that one way trust seems to work in 1.1.3? Basically it would appear that a two way trust is still a requirement for multidomain forests in 1.3.

I am curious about why a two way trust is required to authenticate users in this type of setup. Not sure why an external one way trust wouldn't suffice. Does anyone have any experience with this in 1.3 as I am unable to join one of the required forests directly (due to internal policy) and the client is unwilling to configure a two way trust.