Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 5.4 with Different AD Domains

I have read the release notes and user guide for ACS 5.4 that mentions the capability to join the ACS nodes from same deployment to different AD domains.  But each node can be joined to a single AD domain.  My question is this ... in a failover situation what does this buy me?

Hypothetical:

I have two sites, each with an ACS and each one has its own AD domain.  The ACSs are deployed in a primary/secondary relationship, devices at site A use Site A's ACS as primary for authentication, devices at site B use Site B's ACS as the primary for authentication. 

Scenarios:

  1. If the Site A ACS fails the devices at Site A will attempt to go to the Site B ACS for authentication.  But if they are using different AD domains Site A users can't authenticate and would be denied access.  Correct?
  2. If a user from Site B tries to access a device at Site A, that device tries to authenticate the user using the Site A ACS.  Will this fail since the Site A ACS only references the Site A AD domain?

I'm missing what benefit I have deploying the two ACSs if they cannot both use or access users on both domains.  Maybe I'm not understanding something here.  Can anybody shed some light on this or point me to a document that might help?

Thanks ...

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ACS 5.4 with Different AD Domains

I second you on that fact, it's not very well documented. In almost every deployment,the role of the secondary sever (located at a different site) is to provide full redundancy in the event that the primary ACS server fails. 

In your case, if you've both the ACS are joined to two different domains like

Site A (ACS1- Primary) --- Domain A

Site B (ACS2- Secondary) --- Domain B

We've to make sure that Domain A trust Domain B and vice versa because if the secondary server is configured to receive replication from the primary that means the authorization rules will be same on both the ACS. Having Full 2-ways trust between both the domains would allows you to fetch groups of Domain B from ACS 1 and Groups of domain A from ACS 2.

The ONLY advantage of this feature will come in play during authentication. If  users of domain B are pointed to ACS2 for authentication, group  retrieval time would be lesser if its a direct domain instead of cross  domain.

The purpose of redundancy will fail where possibility of 2-way trust doesn't exist. It JUST won't fit right in such deployments.

Hope it adds little more clarification.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
3 REPLIES
Cisco Employee

ACS 5.4 with Different AD Domains

To authenticate the user in your given scenarios there must be two way trust relationship between AD then in case of failure user from site A can be authenticated by site B ACS.

Cisco Employee

ACS 5.4 with Different AD Domains

To authenticate the user in your given scenarios there must be two way  trust relationship between AD then in case of failure user from site A  can be authenticated by site B ACS.

Cisco Employee

ACS 5.4 with Different AD Domains

I second you on that fact, it's not very well documented. In almost every deployment,the role of the secondary sever (located at a different site) is to provide full redundancy in the event that the primary ACS server fails. 

In your case, if you've both the ACS are joined to two different domains like

Site A (ACS1- Primary) --- Domain A

Site B (ACS2- Secondary) --- Domain B

We've to make sure that Domain A trust Domain B and vice versa because if the secondary server is configured to receive replication from the primary that means the authorization rules will be same on both the ACS. Having Full 2-ways trust between both the domains would allows you to fetch groups of Domain B from ACS 1 and Groups of domain A from ACS 2.

The ONLY advantage of this feature will come in play during authentication. If  users of domain B are pointed to ACS2 for authentication, group  retrieval time would be lesser if its a direct domain instead of cross  domain.

The purpose of redundancy will fail where possibility of 2-way trust doesn't exist. It JUST won't fit right in such deployments.

Hope it adds little more clarification.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
472
Views
5
Helpful
3
Replies
CreatePlease to create content