ACS machine authentication multiple Active Directory environment

andreawilliams
Level 1

Working with implementing EAP-TLS in an environment where we have two completely separate Microsoft Active Directories (different forests, non-trusted). Each AD has its own certificate authority. We want our Cisco Secure ACS 3.2X server to be able to do machine authentication for both domains.

Is it possible to have the ACS authenticate clients with certificates from various ADs/CAs?

Thanks!

2 Replies

andreawilliams
Level 1

Ok so we set up a generic LDAP query to the second domain's Active Directory domain controller, utilizing credentials that are domain admin on that domain, and imported this domain's certificate authority's root certificate into the certificate authority trust list in ACS. Everything I see says this should work, but we get the error on the client side that the client does not trust the certificate.

Any ideas?

Andrea,

I assume you are seeing this on clients in the AD domain other than the one of the CA that issued the ACS's certificate?

That being the case, you need to export the Root CA cert from your ACS server's domain and import that into the Trusted Root Certification Authorities store on your client machines in the other domain (you can distribute this cert via group policy), then configure the supplicant (I assume you are using a native Windows supplicant?) to trust that CA in the Validate Server Certificate option on the Authentication tab in the Network Connection properties.

Regards

Andy
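The trust failure Andy describes can be reproduced outside of Windows with OpenSSL. The script below is an added example, not part of this thread and not Cisco or Microsoft code: it builds two independent root CAs standing in for the two forests, issues the ACS server certificate from the first one, and checks it against a Forest B client's trust store before and after Forest A's root is added. All names (Forest A Root CA, acs.forest-a.example, the file names) are constructed; the config file and key sizes are assumptions chosen only so the script runs offline.

```shell
#!/bin/sh
# Added example: reproduce "client does not trust the certificate" and the fix.
# Constructed names only; nothing here comes from the original thread.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# One self-signed root CA per forest (hypothetical CA names).
make_root_ca() {  # $1 = file prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -days 1 -subj "/CN=$2" -config ext.cnf -extensions ca_ext >/dev/null 2>&1
}
make_root_ca forestA-root "Forest A Root CA"
make_root_ca forestB-root "Forest B Root CA"

# The ACS server certificate is issued by Forest A's CA only.
openssl req -newkey rsa:2048 -nodes -keyout acs.key -out acs.csr \
  -subj "/CN=acs.forest-a.example" -config ext.cnf >/dev/null 2>&1
openssl x509 -req -in acs.csr -CA forestA-root.crt -CAkey forestA-root.key \
  -CAcreateserial -days 1 -extfile ext.cnf -extensions srv_ext -out acs.crt >/dev/null 2>&1

# verify_server_cert TRUST_STORE_PEM: does a client holding only these roots
# accept the ACS certificate? Prints "trusted" or "untrusted", always exits 0.
verify_server_cert() {
  if openssl verify -CAfile "$1" acs.crt >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# A Forest B client trusts only its own forest's root: this is the supplicant's error.
cp forestB-root.crt clientB-trust.pem
CLIENT_B_BEFORE=$(verify_server_cert clientB-trust.pem)

# The fix from the reply: add Forest A's root to the Forest B clients' trusted roots
# (on Windows this is the Trusted Root Certification Authorities store, pushed by GPO).
cat forestB-root.crt forestA-root.crt > clientB-trust-fixed.pem
CLIENT_B_AFTER=$(verify_server_cert clientB-trust-fixed.pem)

echo "Forest B client before adding Forest A root: $CLIENT_B_BEFORE"
echo "Forest B client after adding Forest A root:  $CLIENT_B_AFTER"
```

Note that the check is purely about the root the client trusts, which is why importing Forest B's root into ACS (as tried above) cannot fix it: ACS validating client certificates and clients validating the ACS certificate are two separate trust decisions, and the second one is made entirely on the client.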
