Cisco Support Community

New Member

Cisco ISE and forest trusts vs domain trusts

Hi All,

Are there any issues with forest trusts with Cisco ISE?

I have a customer that had external trusts and ISE was working OK for PEAP MSCHAPv2 user auth across domains.

They recently removed external trusts and changed to forest trusts. Now auth doesn't work. Initial error was authc ok, authz fail.

I can search and get lists of AD groups ok for the remote domain. 

Using the attribute tab, I can't get attributes for users in the remote domain. I'm thinking since I can't see the memberof attribute, none of my authz policies will work.

I have done "leave" and "join" domain again.

In my lab, I have forest trusts and it actually works OK. A previous poster talked about Kerberos issues across forest trusts?

Cheers

Peter. 

2 REPLIES
Cisco Employee

Cisco ISE and forest trusts vs domain trusts

As far as I know, ISE supports Kerberos trusts only. With forest trusts, only NTLM is supported; with an external trust, however, you can use Kerberos, and that's what it looks for.

~BR
Jatin Katyal

**Do rate helpful posts**
