ACS SE - Multiple Windows AD Domains

Answered Question
Oct 16th, 2007

Can I use the ACS Network Device Groups to have a single ACS appliance acting as the authenticator for two Windows domains for 802.1x for a single switch?

Hope the question makes sense but to put a little more meat on the question:

I have a single ACS Appliance which I am trying to use for 802.1x authentication on a switch. The issue comes as I want to have the VLAN allocation part of the set-up allocated through the ACS server dependent on checking the users against a domain account, but we have two domains with no trust between them. The ACS remote agent specifically states it should not be installed on servers in different domains and that the two available agents are for resilience only, so this unfortunately doesn't fit.

This is why I have ended up looking at using multiple device groups.

Anyone any ideas if this will work, or if there is another way of making this work?

Correct Answer by Jagdeep Gambhir, Tue, 10/16/2007 - 05:28

Hi,

ACS cannot "natively" authenticate to 2 different domains that don't have a trust relationship defined. If that is not possible then you need to have 2 ACS servers, one in each domain. Configure the "primary" ACS to proxy requests to the "secondary" server based on the provided domain.

This would require a second ACS server be set up (you would likely have to pay an additional fee for the second ACS server). You would want to configure a proxy distribution table. This would require the user to explicitly provide the domain name with their user name.

Regards,

~JG

Please rate helpful posts
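As an added illustration of the proxy-distribution routing JG describes (not Cisco's code, and a simplified model of the real ACS table with constructed server names): each entry matches a domain string at the start or end of the RADIUS User-Name, optionally strips it, and names the server to forward to; anything that matches no entry falls to the default entry, which is why users have to supply the domain with their user name.

```python
"""Toy model of a RADIUS proxy distribution table keyed on the domain part of User-Name."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProxyEntry:
    match: str        # domain string to look for, e.g. "DOMAINA\\" or "@domainb.local"
    position: str     # "prefix" (DOMAIN\user) or "suffix" (user@domain)
    strip: bool       # remove the matched string before forwarding
    forward_to: str   # AAA server that owns this domain (constructed placeholder name)


class ProxyTable:
    def __init__(self, entries: List[ProxyEntry], default_target: str):
        self.entries = entries            # evaluated in configured order, first match wins
        self.default_target = default_target  # the "(Default)" entry: handled locally

    def route(self, user_name: str) -> Tuple[str, str]:
        """Return (target, user_name_as_forwarded) for one RADIUS request."""
        lowered = user_name.lower()       # Windows domain names are case-insensitive
        for e in self.entries:
            m = e.match.lower()
            if e.position == "prefix" and lowered.startswith(m):
                sent = user_name[len(m):] if e.strip else user_name
            elif e.position == "suffix" and lowered.endswith(m):
                sent = user_name[:-len(m)] if e.strip else user_name
            else:
                continue
            if not sent:                  # domain given but no account name: reject
                raise ValueError("empty user name after stripping domain")
            return e.forward_to, sent
        # No domain qualifier: the primary ACS keeps the request and cannot
        # know which untrusted domain the user belongs to.
        return self.default_target, user_name


def build_example_table() -> ProxyTable:
    """Constructed example: one entry per untrusted domain, each pointing at its own ACS."""
    return ProxyTable(
        [
            ProxyEntry("DOMAINA\\", "prefix", True, "acs-domainA"),
            ProxyEntry("@domainb.local", "suffix", True, "acs-domainB"),
        ],
        default_target="(local)",
    )
```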


Dominic Stalder Thu, 11/12/2009 - 02:24

But this means that, for 2 domains and ACS redundancy, I would need 4 ACS appliances?

Because if one ACS goes down, the proxy function won't work anymore.
