Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1471
Views
0
Helpful
3
Replies

Where do I place my Cisco ACS server

mayhem2022
Level 1
Level 1

‎02-06-2003 07:40 PM - edited ‎02-21-2020 10:05 AM

I am in the process of planning the implementation of Cisco ACS for purposes of authenticating remote users to two different Windows 2000 Active Directory domains. Both domains are on my inside network and are child domains in the same forest.

All remote users will be entering the network through a Cisco VPN 3015 concentrator. In addition, one of the internal domains will contain accounts for our network administrators responsible for supporting our Cisco equipment. We would also like to use ACS for AAA access for these administrators.

My question is where do I place this server in the network(domain)? Is it possible for the server to authenticate users to both domains?

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎02-09-2003 09:02 PM

You can place it anywhere on your inside network really. It's better to set up the server as a BDC, things just work better when authenticating to AD if the server ACS is sitting on is a DC, so place it anywhere you would normally place a BDC. Probably reasonably close to your 3015 would be a good idea, but it won't make much difference.

0 Helpful

mayhem2022
Level 1
Level 1
In response to gfullage

‎02-10-2003 08:46 AM

Thanks for the reply. The two domains on my internal network will logically segment external users from internal users. One caveat is that a few of the internal users will have remote access after hours. Given that its best to place the server on a DC, should I place it on the DC in the external domain or the internal? If I place it on a external DC, can it be used to authenticate user accounts on the internal domain when they come in remotely? What do I need to do if this is possible?

There are also internal users that will need to be authenticated prior to Telnet/SSH access to administer Cisco equipment while on-site. Should the server reside on a DC in the internal network or external?

thanks.

0 Helpful

a-alao
Level 1
Level 1
In response to mayhem2022

‎03-21-2003 03:07 AM

I don't know if you have made a decision about where to place your DC. I believe it is best pactice to keep any DC inside your network and at the very least on a DMZ if you have one. Keeping a DC on the outside will make the DC vulnerable.

0 Helpful
Customers Also Viewed These Support Documents