https://community.cisco.com/t5/network-access-control/acs-using-ad-and-ldap/m-p/3304286#M546800 Unless I am missing something you can add multiple external identity stores<BR />and use UPN for authentication.<BR /> Sun, 31 Dec 2017 08:13:48 GMT Mohammed al Baqari 2017-12-31T08:13:48Z https://community.cisco.com/t5/network-access-control/acs-using-ad-and-ldap/m-p/3304274#M546799 <P>I'm trying to configure ACS for use across 2 domains (let's say "business.com" is one and "company.com" is the others) for logging into network devices and POTENTIALLY wireless, and need a bit of help/suggestions regarding configuration.</P> <P>&nbsp;</P> <P>I know that using a trust relationship, I could just set up one of the servers as the main external AD identity store in ACS, and have it reach out to the other domain when a user from that segment is trying to login. However after speaking with my superior he does not want to establish a trust relationship across domains, which leads me to my main question: would I be able to set up one of external identity stores for AD, and have the other domain be configured as an LDAP external identity store? I know you can configure a primary and secondary LDAP server, but given that one of the domains has 2 controllers, I'd like to avoid doing that. I'm mostly just wondering if this type of configuration is even possible, or do I have to choose between an AD based or LDAP based ACS identity store configuration? Are there any pitfalls or caveats with this type of potential config?</P> <P>&nbsp;</P> <P>Like stated above this is currently for network device login only, and may have wireless on-boarded at a later date. That part is yet to be determined.</P> Fri, 21 Feb 2020 18:42:45 GMT https://community.cisco.com/t5/network-access-control/acs-using-ad-and-ldap/m-p/3304274#M546799 CClement 2020-02-21T18:42:45Z https://community.cisco.com/t5/network-access-control/acs-using-ad-and-ldap/m-p/3304286#M546800 Unless I am missing something you can add multiple external identity stores<BR />and use UPN for authentication.<BR /> Sun, 31 Dec 2017 08:13:48 GMT https://community.cisco.com/t5/network-access-control/acs-using-ad-and-ldap/m-p/3304286#M546800 Mohammed al Baqari 2017-12-31T08:13:48Z https://community.cisco.com/t5/network-access-control/acs-using-ad-and-ldap/m-p/3304570#M546802 Hi<BR /><BR />You can join every node to different AD but 1 node can join only 1 AD.<BR />Then on terms of identity store, ACS can have different identity stores like AD and LDAP and Local.<BR />Then you have to create an identity store sequence in which your AD and LDAP will be member of.<BR /><BR />To answer your question in a simple way, yes you can combine both authentication server.<BR /> Tue, 02 Jan 2018 00:11:15 GMT https://community.cisco.com/t5/network-access-control/acs-using-ad-and-ldap/m-p/3304570#M546802 Francesco Molino 2018-01-02T00:11:15Z