Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

LDAP connection for VPN authentication to 2 AD different child domains

Hi all

I have an issue, we have an ASA, this authenticates using LDAP to my local domain controller, this DC has users on it, we then ahev another DC on another site which is in a different domain.

however the users on both domains share the same Groups, but it wont authenticate the ones on the remote DC in another domain.

what can I do to achieve this?

could I create 2 LDAP connections on the firewall?

how have other people achieved this?

cheers

Carl

Everyone's tags (7)
1 REPLY
Cisco Employee

LDAP connection for VPN authentication to 2 AD different child d

Hi Carl,

I know of 2 different ways to achieve this:

1) create 2 aaa-server groups, one for each domain; then create 2 tunnel-groups, each one pointing to a different aaa-server group.

This means of course that the users will have to select the correct tunnel-group (either from a drop-down list, or by going to the right group-url). For Anyconnect users, you can optionally deploy a different profile (i.e. with a different group name) to both sets of users.

2) assuming the 2 domains are in the same AD Forest, configure one (or more) DC to be a GCS (Global Catalog Server) for the Forest. Then on the ASA you can use the GCS as LDAP server to do multi-domain lookups.

Downside of this approach is that GCS cannot handle password changes.

hth

Herbert

727
Views
0
Helpful
1
Replies
CreatePlease to create content