I have a customer who has multiple AD forests and an ISE deployment running 1.1.3.
The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. Cisco ISE is connected to the Internal AD forest.
We know that multiple AD support is coming in 2014 with version 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.
1. Currently, the Internal AD forest has an External, Non-transitive, one-way trust with the External Forest.
a. The objective here is to use a feature called Selective Authentication in order to filter the outgoing requests from the External Forest to the Internal Forest. This is a selective trust feature that can be used to control access to specific resources in the Internal Forest and for authentication between the Internal/External Forests via Cisco ISE.
b. Preliminary testing has shown that a one-way trust seems to work for Cisco ISE authentication/authorization.
c. Further testing is underway to test the Selective Authentication feature (i.e. restrict access to specific resources etc.)
Question: has anyone used this, and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?
2. We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive, two-way trust with the External Forest.
a. Same objectives as in 1 - we would attempt to use Selective Authentication in the following fashion (this is an example):
i. External Forest has an outgoing filter to allow access to specific resources in the Internal Forest, and for authentication.
ii. Internal Forest has an incoming filter to deny access to all resources in the External Forest.
In this case we would filter so it resembles a one-way trust relationship - has anyone tried this, and does anyone know if this would be a supported method by Cisco?
Thanks in advance for your replies.
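As an added check, not from this thread and not Cisco tooling: run on a domain-joined Windows host with the RSAT ActiveDirectory module, this lists the trusts of the domain the session is bound to and reports which of them actually match the posture described in scenario 1 (external, non-transitive, one-way, Selective Authentication on), so the trust ISE relies on can be verified rather than assumed. The Get-TrustPosture function and its -Server parameter are this example's own names.

```powershell
# Added example, not from this thread or from Cisco: audit the trusts of the
# domain the session is bound to and show how each compares with the posture
# in scenario 1 above (external, non-transitive, one-way, Selective
# Authentication on). Needs the ActiveDirectory RSAT module on a joined host.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS); used to cross-check the boolean
# properties Get-ADTrust exposes rather than relying on either alone.
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x01
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering enforced
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # Selective Authentication

# Get-TrustPosture and its -Server parameter are this example's own names.
function Get-TrustPosture {
    param([string]$Server)   # optional DC or domain to query; current domain when omitted
    $query = @{ Filter = '*' }
    if ($Server) { $query.Server = $Server }

    Get-ADTrust @query | ForEach-Object {
        $attr          = [int]$_.TrustAttributes
        $nonTransitive = ($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE) -ne 0
        $selective     = ($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0
        $sidFiltering  = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        $forestWide    = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $oneWay        = ([string]$_.Direction) -ne 'BiDirectional'
        if ($_.IntraForest)  { $kind = 'IntraForest' }
        elseif ($forestWide) { $kind = 'Forest' }
        else                 { $kind = 'External' }

        [pscustomobject]@{
            Partner          = $_.Target
            Direction        = [string]$_.Direction   # Inbound, Outbound or BiDirectional
            Kind             = $kind
            NonTransitive    = $nonTransitive
            SelectiveAuth    = $selective
            SidFiltering     = $sidFiltering
            # True only when every property of scenario 1 holds for this trust
            MatchesScenario1 = ($kind -eq 'External') -and $nonTransitive -and $oneWay -and $selective
        }
    }
}

Get-TrustPosture | Format-Table -AutoSize
```

Run it from the Internal forest: Selective Authentication is set on the trusting (resource-holding) side's outgoing trust, so the Internal domain's view of its trust to the External forest is the one that matters for the ISE case above.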
For Cisco's recommended method of deployment with multiple AD domains, check
Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:
"Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."
I've set up one such deployment just recently and found it quite simple to just add the second domain and use it as an external identity source accordingly.
Have you tried this scenario in 1.3 yet? I notice you stated that a one-way trust seems to work in 1.1.3? Basically it would appear that a two-way trust is still a requirement for multi-domain forests in 1.3.
I am curious about why a two-way trust is required to authenticate users in this type of setup. Not sure why an external one-way trust wouldn't suffice. Does anyone have any experience with this in 1.3, as I am unable to join one of the required forests directly (due to internal policy) and the client is unwilling to configure a two-way trust?