cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
428
Views
5
Helpful
4
Replies
Highlighted
Cisco Employee

MS AD Multi-domain integration with SDA fabric

Hello,

 

I have a Customer that uses different PCs registered to different MS Active Directory domains (with no trust between each other) on the same LAN.

I know that ISE can connect up to 50 isolated MS AD domains, but I would like to confirm that this is correctly handled in SDA fabric and there are no caveats on this kind of config.

 

Thank you,

Luca

4 REPLIES 4
Highlighted
Cisco Employee

Hi Luca,

ISE can connect up to 50 isolated MS AD domain as you stated. You can as well refer to the link below.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D

Thanks,
Hayford.
Highlighted

Thank you, haddo.

 

Is this completely transparent to SDA fabric and DNAC in the SGT policies and so on?

 

Cheers,

Luca

Highlighted

Not exactly sure what you mean by "transparent".  In general, authentication (via AD or any other identity source) is separate from policy.  You can however based SGT assignment based on which AD group the user is a member of.

HTH,

Fay-Ann

Highlighted

Adding to the convo:
In our SDA fabric with ISE/DNAC and the whole nine yards from the SDA solution perspective, we work with two separate domains with their own AD. I am assuming you are relying on AD sec groups and pushing authz policy + SGT that way. Your edge nodes will need to be aware of your CTS configs. From my experience there are no caveats here. You should be able to make your requirement work.
Content for Community-Ad