RA-VPN LDAP Authentication - Two different Microsoft Domains

esperanza.gonzalez · ‎07-07-2009

Hello,

Is it possible to have two different AD for two different Windows Domains for the same IPSec connection profile? I have tested having both ADs in one AAA server group, but if the user is not found in the first server, it stops searching. Is there another way to accomplish this?

Thank you

srue · ‎07-07-2009

assign them to different tunnel-groups?

esperanza.gonzalez · ‎07-07-2009

I missed this part in my question :) We are in the middle of a Windows Domain migration and I would like, if possible, not to touch Cisco VPN client configuration already in use, so the ideal solution would be maintaining the same tunnel-group and do the changes needed just in the ASA configuration. Any idea???

srue · ‎07-08-2009

this sounds like it might be more of a question for AD experts. can you do a mass export/import of users from the old domain to the new domain to minimize your migration time? i mean, really, you just need to recreate each user and group in the new domain, right? or is this a case of merging with another company where you can't follow the same AD structure as before?

esperanza.gonzalez · ‎07-09-2009

I'm afraid migration time will be months because there are several new enviroments involved. Anyway, I just wanted to make this Remote Access as easy as possible, but I guess I will have to duplicate every tunnel group to change the LDAP server asked and change it in the vpn client.

Thanks anyway.