Cisco ACS for multiple AD domains

Unanswered Question
Jun 10th, 2009
Hello All -


Is there a way for Cisco ACS v 4.1 to authenticate users in different AD domains without having a trust relationship between the different domains?


Any help will be appreciated!

Collin Clark Wed, 06/10/2009 - 10:36

Yes, just configure as normal and add each domain.

ksarin123_2 Wed, 06/10/2009 - 10:46
Thanks for your prompt response.


Can you elaborate on what you mean by "just configure as normal and add each domain".


When I go under External User Databases->Database Group Mappings -> Windows Database -> New configuration, I don't see all the domains listed. The only domain listed is the one where ACS is installed.


I can manually specify the other domain name, but will that really work? How will the ACS server know how to reach the other domains with which it does not have a trust relationship?


Thanks!

Collin Clark Wed, 06/10/2009 - 11:33

After some digging, apparently we have trusts between the domains. We can just see and add them. According to the documentation, only the domain of which ACS is a member can authenticate users. Indirect trusts will work, a remote agent if you're using the appliance, or LDAP, which has some limitations.

Jagdeep Gambhir Wed, 06/10/2009 - 14:09

Hi,

We would require a two-way external/transitive trust between the two domains.

There are 2 ways to work around our problem:

1. Install another ACS at the remote site/domain and forward all the requests for the users of the remote domain to that ACS.

2. Configure the partner domain as LDAP on the ACS (at the corp site); this should not require a domain trust. The only problem is that certain authentication methods will not be supported when using LDAP.


Here is the complete list of stuff which is supported with LDAP:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/Overvw.html#wp824733


Hope that helps!


Regards,

~JG


Do rate helpful posts
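The replies above turn on a planning question: given the trust topology, which domains can the ACS member server authenticate through its Windows database, and which need the LDAP or remote-ACS workaround? The script below is an added illustration, not code from the thread or from Cisco; it models standard AD trust semantics (parent-child, tree-root and forest trusts are transitive; external trusts are not and only apply to their two endpoints) and, following JG's statement, treats a domain as usable only when the trust is effectively two-way. Domain names and trust edges are constructed sample data.

```python
# Added example (not from the thread): classify AD domains relative to the
# domain the ACS server is joined to. Assumptions: transitive trusts chain,
# external trusts are one hop only, and a usable trust must be two-way.
from collections import deque


def _trusted_by(domain, trusts):
    """Domains that `domain` trusts, either directly (any trust kind) or through a
    chain made exclusively of transitive trusts. Trust edges are
    (trusting_domain, trusted_domain, kind) with kind in {"transitive", "external"}."""
    outgoing = {}
    for trusting, trusted, kind in trusts:
        outgoing.setdefault(trusting, []).append((trusted, kind))

    reached = set()
    # Breadth-first walk over transitive edges only: a chain through a
    # non-transitive (external) trust does not extend trust further.
    queue = deque([domain])
    seen = {domain}
    while queue:
        current = queue.popleft()
        for nxt, kind in outgoing.get(current, []):
            if kind == "transitive" and nxt not in seen:
                seen.add(nxt)
                reached.add(nxt)
                queue.append(nxt)
    # External trusts count for exactly one hop from the starting domain.
    for nxt, kind in outgoing.get(domain, []):
        if kind == "external":
            reached.add(nxt)
    reached.discard(domain)
    return reached


def plan_authentication(acs_domain, domains, trusts):
    """Return {domain: "windows" | "ldap-or-remote-acs"} for every other domain.
    "windows" means a two-way trust path exists, so the ACS Windows database can
    authenticate those users; otherwise one of the workarounds from the thread
    (LDAP configuration or a second ACS in that domain) is needed."""
    outbound = _trusted_by(acs_domain, trusts)
    result = {}
    for d in domains:
        if d == acs_domain:
            continue
        inbound = acs_domain in _trusted_by(d, trusts)
        result[d] = "windows" if (d in outbound and inbound) else "ldap-or-remote-acs"
    return result


def two_way(a, b, kind):
    """Helper: a two-way trust is two directed edges."""
    return [(a, b, kind), (b, a, kind)]


# Constructed sample topology (hypothetical domain names):
#   corp.example        forest root, ACS is a member here
#   eu.corp.example     child domain (transitive), with its own child apac
#   partner.example     two-way external (non-transitive) trust with corp
#   lab.partner.example child of partner; only reachable via the external trust
#   vendor.example      one-way external trust only (corp trusts vendor)
SAMPLE_DOMAINS = ["corp.example", "eu.corp.example", "apac.eu.corp.example",
                  "partner.example", "lab.partner.example", "vendor.example"]
SAMPLE_TRUSTS = (two_way("corp.example", "eu.corp.example", "transitive")
                 + two_way("eu.corp.example", "apac.eu.corp.example", "transitive")
                 + two_way("corp.example", "partner.example", "external")
                 + two_way("partner.example", "lab.partner.example", "transitive")
                 + [("corp.example", "vendor.example", "external")])


def sample_plan():
    return plan_authentication("corp.example", SAMPLE_DOMAINS, SAMPLE_TRUSTS)


if __name__ == "__main__":
    for domain, method in sorted(sample_plan().items()):
        print(f"{domain:24s} {method}")
```

In the sample output the two child domains and the directly trusted partner domain resolve to "windows", while lab.partner.example (only reachable by chaining through a non-transitive external trust) and vendor.example (one-way trust) are flagged for the LDAP or remote-ACS workaround, which is the situation the original question describes.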

