
ISE connect with multiple SSL certificates

Hi,

I have some new requirements as follows:

Active Directory Domain A with Certificate Authority A

Active Directory Domain B with Certificate Authority B

I would like to make sure that my understanding about this solution is correct.

Can I have ISE 1.1.2 join both domains? No

Can I use an AD connection with Domain A and an LDAP connection with Domain B? Yes

Can users be authenticated from these two domains? Maybe yes, from AD and LDAP

Can I have ISE include both root certificates of domains A and B? Yes

Does ISE support single name indication for SSL certificates? No

With EAP-TLS, I have to choose only 1 domain for EAP-TLS, right? Yes, but not sure

Regards,

PM

3 Replies

Saurav Lodh
Level 7

https://supportforums.cisco.com/discussion/11883331/ise-multiple-ad

abwahid
Level 4

ISE release 1.1.2 does not support multiple AD.

This feature is available in the ISE 1.3 release.

Also, go through the link below for your query about Authenticating to Multiple AD Domains:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf

Jatin Katyal
Cisco Employee

You can have ISE join one domain (domain A - local domain) and authenticate users from another domain (domain B - remote domain) without using an LDAP instance. All you need is a 2-way trust relationship between domains A and B.

ISE supports multidomain forests. ISE connects to a single domain, but can access resources from the other domains in the Active Directory forest if trust relationships are established between the domain to which ISE is connected and the other domains.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/user_guide/ise11_user_guide/ise_man_id_stores.html#wp1059011

This way, users from both domains can authenticate.

Regards,

Jatin Katyal

**Do rate helpful posts**

~Jatin