MS AD Multi-domain integration with SDA fabric

lulironi
Cisco Employee

Hello,
I have a Customer that uses different PCs registered to different MS Active Directory domains (with no trust between each other) on the same LAN.

I know that ISE can connect up to 50 isolated MS AD domains, but I would like to confirm that this is correctly handled in SDA fabric and there are no caveats on this kind of config.
Thank you,

Luca

4 Replies

haddo
Cisco Employee
Hi Luca,

ISE can connect up to 50 isolated MS AD domains, as you stated. You can also refer to the link below.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D

Thanks,
Hayford.

Thank you, haddo.
Is this completely transparent to SDA fabric and DNAC in the SGT policies and so on?
Cheers,

Luca

Not exactly sure what you mean by "transparent". In general, authentication (via AD or any other identity source) is separate from policy. You can, however, base SGT assignment on which AD group the user is a member of.

HTH,

Fay-Ann

Adding to the convo:
In our SDA fabric with ISE/DNAC and the whole nine yards from the SDA solution perspective, we work with two separate domains with their own AD. I am assuming you are relying on AD sec groups and pushing authz policy + SGT that way. Your edge nodes will need to be aware of your CTS configs. From my experience there are no caveats here. You should be able to make your requirement work.
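The two replies above describe the design in words: ISE joins each untrusted domain separately, and the authorization policy maps the user's AD group membership to an SGT. The following is an added simulation of that evaluation logic, written for this thread and not taken from ISE, DNA Center or the original posters. It assumes a constructed set of two untrusted join points (`corp.example`, `lab.example`), constructed users and groups, and hypothetical SGT numbers; the check it adds is the one a practitioner wants in a multi-domain deployment: rules must reference domain-qualified group names, because the same bare group name ("Engineering") can exist in both forests and an unqualified rule would tag users from either one.

```python
"""Simulated ISE-style authorization: resolve the user's domain, query only
that domain's join point, then pick an SGT from ordered rules.

All data below is constructed for illustration; it is not ISE's schema or API.
"""

# Constructed directory contents, one entry per joined (untrusted) domain.
JOIN_POINTS = {
    "corp.example": {"alice": {"Engineering", "VPN-Users"}},
    "lab.example": {"alice": {"Engineering"}, "bob": {"Contractors"}},
}

# Constructed authorization rules, evaluated top to bottom, first match wins.
# Group names are domain-qualified ("<domain>/<group>") on purpose.
SGT_RULES = [
    ("corp.example/Engineering", 10),
    ("lab.example/Engineering", 20),
    ("lab.example/Contractors", 30),
]

DEFAULT_SGT = 2  # hypothetical fallback tag for authenticated users with no rule match


def validate_rules(rules):
    """Return the group names that are NOT domain-qualified.

    With multiple untrusted domains, a bare name such as "Engineering" is
    ambiguous: it matches that group in every forest that defines it.
    """
    return [group for group, _ in rules if "/" not in group]


def resolve_domain(identity):
    """Split a UPN (user@domain) or DOMAIN\\user login into (domain, user).

    A bare username carries no domain, so it cannot be routed to one join
    point; rejecting it is safer than guessing across untrusted domains.
    """
    if "@" in identity:
        user, domain = identity.rsplit("@", 1)
    elif "\\" in identity:
        domain, user = identity.split("\\", 1)
    else:
        raise ValueError("identity must be user@domain or domain\\user")
    return domain.lower(), user.lower()


def lookup_groups(domain, user):
    """Query only the join point for the user's own domain.

    Returns the user's groups as domain-qualified names, or None when the
    domain is not joined or the user does not exist (authentication fails).
    """
    users = JOIN_POINTS.get(domain)
    if users is None or user not in users:
        return None
    return {f"{domain}/{group}" for group in users[user]}


def assign_sgt(identity, rules=SGT_RULES):
    """Return the SGT for an authenticated identity, or None if auth fails."""
    bad = validate_rules(rules)
    if bad:
        raise ValueError(f"ambiguous, unqualified group names in rules: {bad}")
    domain, user = resolve_domain(identity)
    groups = lookup_groups(domain, user)
    if groups is None:
        return None
    for qualified_group, sgt in rules:
        if qualified_group in groups:
            return sgt
    return DEFAULT_SGT


if __name__ == "__main__":
    # Same username in two untrusted domains resolves to different SGTs.
    print("alice@corp.example ->", assign_sgt("alice@corp.example"))   # 10
    print("lab.example\\alice ->", assign_sgt("lab.example\\alice"))   # 20
    print("bob@lab.example    ->", assign_sgt("bob@lab.example"))      # 30
    print("carol@lab.example  ->", assign_sgt("carol@lab.example"))    # None
    print("unqualified rules  ->", validate_rules([("Engineering", 10)]))
```

The design point is in `lookup_groups` and `validate_rules`: each lookup is confined to the join point matching the user's domain, and every rule names the domain it applies to, so the same "alice" or "Engineering" in the second forest can never inherit the first forest's tag.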