Can I use the ACS Network Device Groups to have a single ACS appliance acting as the authenticator for two Windows domains for 802.1x on a single switch?
Hope the question makes sense but to put a little more meat on the question:
I have a single ACS Appliance which I am trying to use for 802.1x authentication on a switch. The issue comes as I want to have the VLAN allocation part of the set-up allocated through the ACS server, dependent on checking the users against a domain account, but we have two domains with no trust between them. The ACS remote agent specifically states it should not be installed on servers in different domains and that the two available agents are for resilience only, so this unfortunately doesn't fit.
This is why I have ended up looking at using multiple device groups.
Does anyone have any ideas if this will work, or if there is another way of making this work?
ACS cannot "natively" authenticate to 2 different domains that don't have a trust relationship defined. If that is not possible then you need to have 2 ACS servers, one in each domain. Configure the "primary" ACS to proxy requests to the "secondary" server based on the provided domain.
This would require a second ACS server to be set up (you would likely have to pay an additional fee for the second ACS server). You would want to configure a proxy distribution table. This would require the user to explicitly provide the domain name with their user name.
Please rate helpful posts