05-20-2010 02:05 AM
Hi,
Is it possible to tie multiple, varied AD domains (like abc.com, ab.com) into a single SSL VPN box setup?
This is using an ASA 5540 with Version 8.0(4).
Thanks in advance!
05-21-2010 01:17 PM
See the following:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
*Perform Multi-Domain Searches (Optional)*
*Optional.* The ASA currently does not support the LDAP referral mechanism for multi-domain searches (Cisco bug ID CSCsj32153). Multi-domain searches are supported with the AD in Global Catalog Server mode. In order to perform multi-domain searches, set up the AD server for Global Catalog Server mode, usually with these key parameters for the LDAP server entry in the ASA. The key is to use an ldap-naming-attribute that must be unique across the directory tree.
server-port 3268
ldap-scope subtree
ldap-naming-attribute userPrincipalName
If a global catalog server is not an option for you, you can always create two separate SSL tunnel-groups and two separate LDAP aaa-server groups, and this would also allow you to do two AD domains (but the drawback is that you would have to inform the user which group they should select).
-heather
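The answer above hinges on one point: when the ASA searches a Global Catalog (port 3268, subtree scope) that spans several domains, the naming attribute it matches the login name against has to be unique forest-wide, otherwise one login name can resolve to more than one account. The following is an added illustration, not code from the thread or from Cisco; it models a two-domain catalog (constructed sample entries for abc.com and ab.com) and the ASA's user search as a simple function so the difference between sAMAccountName and userPrincipalName, and between subtree and onelevel scope, can be seen directly.

```python
"""Toy model of an ASA user search against a Global Catalog that holds two
AD domains. Added example with a constructed directory; it is not the ASA's
implementation and simplifies real LDAP semantics considerably."""
from dataclasses import dataclass

GC_PORT = 3268  # Global Catalog listener the thread sets with server-port 3268


@dataclass(frozen=True)
class Entry:
    dn: str
    sam_account_name: str     # sAMAccountName: unique only within one domain
    user_principal_name: str  # userPrincipalName: unique across the forest


# Constructed sample catalog: two domains of one forest (abc.com and ab.com).
# Both domains legitimately contain a user whose sAMAccountName is "jsmith".
GLOBAL_CATALOG = (
    Entry("CN=John Smith,OU=Users,DC=abc,DC=com", "jsmith", "jsmith@abc.com"),
    Entry("CN=Jane Smith,OU=Users,DC=ab,DC=com", "jsmith", "jsmith@ab.com"),
    Entry("CN=Alice Wong,OU=Staff,DC=ab,DC=com", "awong", "awong@ab.com"),
)

# Candidate values for the ASA's ldap-naming-attribute.
ATTRIBUTES = {
    "sAMAccountName": lambda e: e.sam_account_name,
    "userPrincipalName": lambda e: e.user_principal_name,
}


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN: 'CN=x,OU=y,DC=z' -> 'OU=y,DC=z'."""
    return dn.split(",", 1)[1] if "," in dn else ""


def in_scope(dn: str, base_dn: str, scope: str) -> bool:
    """Emulate ldap-scope: 'subtree' matches anything at or below base_dn,
    'onelevel' only direct children of base_dn. An empty base_dn means the
    whole catalog, which is how a GC search across the forest behaves here."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    if scope == "subtree":
        return base_l == "" or dn_l == base_l or dn_l.endswith("," + base_l)
    if scope == "onelevel":
        return parent_dn(dn_l) == base_l
    raise ValueError(f"unknown scope {scope!r}")


def search(username: str, naming_attribute: str, base_dn: str = "",
           scope: str = "subtree") -> list:
    """Return the DNs whose naming attribute equals the login name, the way
    the ASA's LDAP user search would before binding as that user."""
    get = ATTRIBUTES[naming_attribute]
    return [e.dn for e in GLOBAL_CATALOG
            if in_scope(e.dn, base_dn, scope)
            and get(e).lower() == username.lower()]


def resolve_user(username: str, naming_attribute: str, base_dn: str = "",
                 scope: str = "subtree"):
    """Map a VPN login name to exactly one DN. Zero or several hits are
    failures the appliance should refuse rather than guess at."""
    hits = search(username, naming_attribute, base_dn, scope)
    if len(hits) == 1:
        return ("ok", hits[0])
    if not hits:
        return ("not_found", None)
    return ("ambiguous", hits)


if __name__ == "__main__":
    # Forest-wide GC search keyed on sAMAccountName: two domains collide.
    print(resolve_user("jsmith", "sAMAccountName"))
    # Same search keyed on userPrincipalName: exactly one account.
    print(resolve_user("jsmith@abc.com", "userPrincipalName"))
    # onelevel scope on the domain root misses users that live in an OU.
    print(resolve_user("awong@ab.com", "userPrincipalName",
                       "DC=ab,DC=com", "onelevel"))
```

The first call shows the failure mode the Cisco note is guarding against: with a forest-wide search and sAMAccountName as the naming attribute, "jsmith" is ambiguous, and whichever entry a real server happened to return first would be the account the VPN session is authorized against. Restricting the base DN to one domain (the two-tunnel-group alternative heather describes) removes the collision at the cost of the user having to pick the right group, while userPrincipalName stays unique with a single forest-wide search.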
05-25-2010 04:13 PM
P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!
05-27-2010 10:10 PM
Yes, you did answer the question very precisely. Thanks a lot for helping out.
Apologies for not rating/marking the answer earlier, as I didn't have web access for a few days!
Thanks a lot!