We're deploying the ACS as the means for authenticating our wireless users. The users have different domains that they're authenticating against, and I have specified these domains in the Windows Database config. Can anybody please tell me the process for the ACS to hand over the authentication request to the Domain Controller? I.e., is the ACS configured to go to only one domain controller or multiple? Thanks
If the user supplied a domain in his username, ACS will try to authenticate the user on that domain and only that domain. The domain list does not make any difference here, and it's not even used.
If the user does not specify his domain, the documentation says the search order is:
# the local domain controller
# trusted domains
First, it checks the local domain, then the trusted domains. The trusted domains are checked in an unpredictable order because Windows takes care of it. This creates a problem: if the same username exists in multiple domains, then Windows could end up trying the wrong domain first and think a user has failed authentication. Unfortunately, Windows isn't smart enough to look for the username/password pair in all the trusted domains until it finds one that works. Instead, it gives up with "bad username/password" when it finds the right username even though it's not the right one. This is why the domain list feature was added. So, after Windows has had a go (and failed), if a domain list exists then ACS repeats the authentication at the domains in the list and in the order it specifies.
You can use this to get round the duplicate username problem because you can force ACS to always have a go in the "user" domains.
There seems to be some confusion as to whether you have to add all trusted domains to the domain list - this is not the case. ACS will always try trusted domains if there is no domain in the username. The domain list is only needed to get ACS to explicitly do an authentication at certain domains, and this is only needed if you have the duplicate username problem. Otherwise, you are just lengthening the process - if an Auth fails
Thanks for your very thorough response. I just have a small follow-up question. In the Domain Config Window, under "Available Domains", I am only seeing some of the domains, not all of them, that have a bi-directional trust with the local domain. Where is this info being fed from, and what needs to be done so that all the domains with the bi-directional trust are there?