Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
568
Views
0
Helpful
2
Replies

ISE 3.xx Integration with Multiple AD with Multiple Forest

Go to solution
kyawkyawnaing
Level 1
Level 1

‎08-22-2023 06:38 AM - edited ‎08-22-2023 07:30 AM

Dear Experts,

I have a query pertaining to the integration of Cisco ISE and Microsoft Active Directory (AD). Our client operates four domains within four separate forests within the same environment, making trust relationships between them possible. Companies A (ShareService - companya.com), Company B (companyb.com), Company C (companyc.com), and Company D (companyd.com) are isolated from one another. Company A is able to establish trust relationships with the other companies, whereas Companies B, C, and D do not.

My questions are the following:

1. Is it possible for a single instance of Cisco ISE to integrate with multiple domains across different forests? In other words, can companya.com, companyb.com, companyc.com, and companyd.com all connect to Cisco ISE to import AD security groups from their respective AD Servers? The reference documentation "Prerequisites for Integrating Active Directory and Cisco ISE" appears to support this for version 2.0. However, I am unable to locate equivalent information for ISE 3.0.

2. If multiple domain integration across different forests is not supported, what alternative solutions are available? I would greatly appreciate your professional insights and recommendations on this matter.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.html

Thank you for your assistance.

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-22-2023 04:01 PM

ISE supports up to 50 Active Directory Join Points.

We call them join points because you may join forests, domains, and even skip levels of directories if necessary to work around AD bloat and mismanagement.

To find Prerequisites for Integrating Active Directory and Cisco ISE for ISE 3.3 (our latest version), I did an explicit internet search on ise 3.3 "Prerequisites for Integrating Active Directory and Cisco ISE" and followed the #1 hit for Cisco Identity Services Engine Administrator Guide, Release 3.3 then searched the page with my browser for the word "prerequisite".

Yes, it's supported.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-22-2023 04:01 PM

ISE supports up to 50 Active Directory Join Points.

We call them join points because you may join forests, domains, and even skip levels of directories if necessary to work around AD bloat and mismanagement.

To find Prerequisites for Integrating Active Directory and Cisco ISE for ISE 3.3 (our latest version), I did an explicit internet search on ise 3.3 "Prerequisites for Integrating Active Directory and Cisco ISE" and followed the #1 hit for Cisco Identity Services Engine Administrator Guide, Release 3.3 then searched the page with my browser for the word "prerequisite".

Yes, it's supported.

0 Helpful
Customers Also Viewed These Support Documents