Cisco Support Community
Community Member

ASA VPN multi-forest authentication

Hi, we are moving users to a separate AD forest. The old and new are totally separate, with a one-way trust: the old AD forest trusts the new one.

We have an ASA (version 8.6) device which we use for VPN access (along with the AnyConnect client). At the moment it's only set up to authenticate users from one forest (the old one).

We will be moving accounts in stages, so during the move we will need users from both forests to authenticate. Would it be possible to set up the device to authenticate users from both forests (multi-forest)?

Community Member

I have this problem too. Here is all I have found.

- Solution 2 above works if all domains are in the same AD "forest". If not, you need one tunnel-group and one aaa-server-group per forest (and one or more GCs per forest/server-group).

Community Member

Hi E, thank you for your quick reply. I just logged a change to add another server group.

I defined the new server group, added a server to it. I already had a tunnel group and ACL. The question is what do I have to do at the client side. How does ASA know which forest I'm coming from? How do I tell the tunnel group I'm coming from the new server group?
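The layout the earlier reply describes (one aaa-server group and one tunnel-group per forest) and the follow-up question (how the ASA knows which forest a user belongs to) are both shown in the configuration below. This is an added example written for this thread, not configuration posted by either participant or by Cisco; the interface name, IP addresses, DNs, group names, bind accounts and the group policy are placeholders. The point it makes is that the ASA does not infer the forest from the username: each tunnel-group is bound to exactly one authentication server group, and the user selects the tunnel-group in AnyConnect (via the alias list) or lands on it through a per-group URL.

```cisco
! Added example, not from the thread. All names, addresses and DNs are assumptions.
!
! --- Old forest: one LDAP server group pointing at a Global Catalog (TCP 3268) ---
aaa-server OLD-FOREST-LDAP protocol ldap
aaa-server OLD-FOREST-LDAP (inside) host 10.0.1.10
 server-port 3268
 ldap-base-dn DC=old,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=old,DC=example,DC=com
 ldap-login-password <old-forest-bind-password>
 server-type microsoft
!
! --- New forest: its own GC and its own bind account. A one-way trust does not
! --- make the old forest's GC answer for accounts that live in the new forest.
aaa-server NEW-FOREST-LDAP protocol ldap
aaa-server NEW-FOREST-LDAP (inside) host 10.0.2.10
 server-port 3268
 ldap-base-dn DC=new,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=new,DC=example,DC=com
 ldap-login-password <new-forest-bind-password>
 server-type microsoft
!
! --- One remote-access tunnel-group per forest, each bound to its server group ---
tunnel-group OLD-FOREST type remote-access
tunnel-group OLD-FOREST general-attributes
 authentication-server-group OLD-FOREST-LDAP
 default-group-policy GP-ANYCONNECT
tunnel-group OLD-FOREST webvpn-attributes
 group-alias old-forest enable
!
tunnel-group NEW-FOREST type remote-access
tunnel-group NEW-FOREST general-attributes
 authentication-server-group NEW-FOREST-LDAP
 default-group-policy GP-ANYCONNECT
tunnel-group NEW-FOREST webvpn-attributes
 group-alias new-forest enable
!
! --- Publish the aliases so the AnyConnect client shows a group drop-down ---
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

With `tunnel-group-list enable`, the AnyConnect login dialog lists `old-forest` and `new-forest`; whichever the user picks decides which LDAP server group is queried. If you would rather not show a drop-down, a `group-url https://vpn.example.com/new-forest enable` line under the tunnel-group's webvpn-attributes lets you hand migrated users a URL that lands on the new-forest group directly (the hostname here is a placeholder). Verify each server group before moving users with `test aaa-server authentication NEW-FOREST-LDAP host 10.0.2.10 username <user> password <pass>`; a failure there, rather than at the client, isolates bind-DN, base-DN and port problems. Because the bind password sits in the running configuration, prefer `ldap-over-ssl enable` with `server-port 3269` (the GC LDAPS port) so the bind credential does not cross the network in clear text.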
