Cisco Support Community
Community Member

ACS machine authentication multiple Active Directory environment

Working with implementing EAP-TLS in an environment where we have two completely separate Microsoft Active Directories (different forests, non-trusted). Each AD has its own certificate authority. We want our Cisco Secure ACS 3.2X server to be able to do machine authentication for both domains.

Is it possible to have the ACS authenticate clients with certificates from various ADs/CAs?


Community Member

Re: ACS machine authentication multiple Active Directory environment

Ok so we set up a generic LDAP query to the second domain's Active Directory domain controller, using credentials that are domain admin on that domain, and imported this domain's certificate authority's root certificate into the certificate authority trust list in ACS. Everything I see says this should work, but we get the error on the client side that the client does not trust the certificate.

Any ideas?

Community Member

Re: ACS machine authentication multiple Active Directory environment


I assume you are seeing this on clients in the AD domain other than the one of the CA that issued the ACS's certificate?

That being the case, you need to export the Root CA cert from your ACS server's domain and import it into the Trusted Root Certification Authorities store on your client machines in the other domain (you can distribute this cert via group policy), then configure the supplicant (I assume you are using the native Windows supplicant?) to trust that CA in the Validate Server Certificate option on the Authentication tab in the Network Connection properties.
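As an added example (not code from the thread or from Cisco), the client-side half of the fix above can be scripted and checked in PowerShell on one of the affected machines: import the exported root CA of the ACS server's domain into the machine's Trusted Root store, then build the certificate chain for the ACS server's certificate the same way the Windows supplicant does and report why it fails if it does. The file paths are assumptions; point them at the exported root CA and at a copy of the ACS server certificate.

```powershell
# Added example, not from the original thread. Run from an elevated prompt on a
# client in the domain that does NOT trust the ACS server's issuing CA.
param(
    # Exported root CA certificate of the ACS server's domain (assumed path).
    [string]$RootCaPath    = 'C:\certs\acs-domain-root-ca.cer',
    # Copy of the ACS server's EAP-TLS certificate, used only for the chain check (assumed path).
    [string]$AcsServerCert = 'C:\certs\acs-server.cer'
)

# 1. Load the exported CA certificate and make sure it really is a root (self-signed).
#    An intermediate CA placed in the Root store would make the chain check pass for the
#    wrong reason, so stop rather than import it.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCaPath
if ($root.Subject -ne $root.Issuer) {
    throw "Not a self-signed root CA (Subject '$($root.Subject)', Issuer '$($root.Issuer)'); it belongs in the Intermediate store."
}

# 2. Import it into LocalMachine\Root, which is the store the machine supplicant consults
#    when 'Validate server certificate' is enabled. Import-Certificate is in the PKI module
#    shipped with Windows 8 / Server 2012 and later.
$imported = Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted root installed: $($imported.Subject)"
Write-Host "Thumbprint (compare against the CA admin's published value): $($imported.Thumbprint)"

# 3. Build the chain for the ACS server certificate using the machine store.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $AcsServerCert
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Offline lab check: skip CRL lookup here; leave revocation checking on for production validation.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if ($chain.Build($server)) {
    $elements = @($chain.ChainElements)
    Write-Host "ACS server certificate chains to trusted root: $($elements[-1].Certificate.Subject)"
} else {
    Write-Host 'ACS server certificate is still NOT trusted on this machine:'
    foreach ($status in $chain.ChainStatus) {
        # UntrustedRoot here means the wrong root was exported or the import went to the user store.
        Write-Host "  $($status.Status): $($status.StatusInformation.Trim())"
    }
}
```

For the group policy route the thread mentions, the same .cer file goes under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities in a GPO linked to the clients' OU; the chain-building part of the script is still useful afterwards to confirm that policy has actually applied on a given machine before touching the supplicant settings.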


