Cisco 5.3 Cluster - Domain Notation only Required when using Secondary ACS Server
Overview: Cisco 5.3 cluster, with primary and secondary servers at separate datacenters, used for remote VPN authentication through a Cisco ASA, using RADIUS authentication and Active Directory security groups.
The primary and secondary ACS servers are members of (connected to) the root domain of our AD forest.
Issue: During testing, I am experiencing different results as it relates to the requirement of domain notation during login. When testing against the primary ACS server, I am able to pass authentication for users in the root domain and child domains with or without domain notation. When testing against the secondary ACS server, domain notation is required for child domains.
Since each server is running the same version, 188.8.131.52, and both are connected to the same domain, which happens to be the root domain of the forest, I would expect the same results from testing. I did confirm that they are synchronized properly.
- The forest name and root domain is X and the ACS servers are members of x.
- Child domains are y and z
When I test authentication against the primary, I can log in with a user from x, y, or z using domain notation (domain\username) or without domain notation (username).
When I test against the secondary ACS server, I can log in using domain notation for x, y, z. But when I test with domain notation, it only works when the user is from the root domain X. So users from y and z must use domain notation.