01-28-2011 01:53 PM - edited 03-10-2019 05:46 PM
We are trying to set up ACS 5.2 in our multi-forest AD environment. As part of our evaluation we set up an Active Directory External Identity Store to a domain (a.b.edu). It connects properly and I can see the directory groups in that tab when we Select. This domain (a.b.edu) has a two-way trust with another domain in another forest (x.y.b.edu). However, I do not see the groups in that domain and I cannot seem to manually add those groups using the Add on the free text Group Name.
The documentation is not clear on this point: pages 8-41 and 8-42 of the "User Guide for the Cisco Secure Access Control System 5.2" say: "The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest." This implies to me that it cannot cross forests even though a trust is set up. This seems to be what is happening.
Has anyone had experience in setting up an AD trust (between domains in the same forest) and gotten that to work?
Has anyone had experience in setting up an AD trust (between domains in different forests) and gotten that to work? Is this supported? Unfortunately this is a bit of a deal breaker with us, so we are very interested in the answer.
06-17-2011 02:43 PM
We have just set this up at the beginning of the week and have this working. We have x4 ACS 5.2 boxes (3 physical, 1 VM). All servers are in the same ACS cluster and link to the one AD, Domain A. This AD is single forest/single domain and has a 2 way trust to another AD single forest/single domain.
Users in Domain A where ACS is linked authenticate with username and password. Users in Domain B authenticate with domain/username and password. Pointed ACS at Domain B to pull in the remote groups. Works great and we don't have to change anything when we migrate Domain B into Domain A to complete the acquisition of Company B.
07-27-2011 01:24 PM
David:
I have a customer requesting the same scenario. My client purchased another company and they want to use ACS 5.2 for both forests. I understand most of your response, except for one small portion.
Users in Domain A where ACS is linked authenticate with username and password. Users in Domain B authenticate with domain/username and password. Pointed ACS at Domain B to pull in the remote groups. Works great and we don't have to change anything when we migrate Domain B into Domain A to complete the acquisition of Company B.
Can you explain the highlighted text. If you have configured Domain A within the ACS application, to what additional action is your statement referring?
Thanks for the help
Message was edited by: Bob Nelson
07-27-2011 03:06 PM
Bob,
Sorry if this is not clear. The scenario that you have is exactly what we had, we acquired another company.
We have a 2 way trust relationship between Domain A and Domain B. On ACS, under Users and Identity Stores>External Identity Stores>Active Directory>General Tab we have configured the user account in Domain A used by ACS.
On the Directory Groups Tab we have specified the specific Groups from AD that we want to use:
Domain A/Users/Domain users
Domain A/Users/Domain admins
Domain A/groups/IT Support
Domain B/Users/ACS Admins
etc...
When a RADIUS Request is received the “User Auth” service is always used to process and authenticate the request. RADIUS requests not picked up by the “User Auth (Domain B)” AAA Service fall in to the “User Auth (Domain A)” service. Requests processed by this service are authenticated according to the database lookup sequence (local, AD); the lookup sequence halts as soon as the username matches a database entry. Assuming the correct password was supplied with the username, the ACS will respond with an access-accept message and the user will be granted access to the network. The same AAA User Authentication service is used for all authenticating users.
Hope this helps
David
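The routing and lookup behaviour David describes (domain-prefixed usernames selecting the Domain B service, everything else falling to Domain A, and the local-then-AD lookup sequence halting at the first store that knows the username) is easy to misread, so here is a small simulation of it. This is an added example written for this thread, not ACS code or anything from Cisco; the store names, the "DomainB" prefix used for routing, and all user accounts are constructed. The one thing worth seeing in it is the failure mode the halt rule implies: a username that exists in both the local store and AD is only ever checked against the local store's password, so a valid AD password is rejected.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IdentityStore:
    """One entry in a service's database lookup sequence (constructed sample data)."""
    name: str
    users: Dict[str, str]  # username -> password (plain text only for this simulation)


@dataclass
class AuthResult:
    accepted: bool
    service: str
    store: Optional[str]   # store whose entry matched the username, if any
    reason: str


def parse_username(raw: str) -> Tuple[Optional[str], str]:
    """Split 'domain/user' or 'domain\\user' into (DOMAIN, user); a bare name yields (None, user)."""
    for sep in ("\\", "/"):
        if sep in raw:
            domain, user = raw.split(sep, 1)
            return domain.upper(), user
    return None, raw


def select_service(domain: Optional[str]) -> str:
    """Assumption: requests carrying the Domain B prefix go to the Domain B service;
    everything else (bare names, other prefixes) falls to the Domain A service."""
    if domain == "DOMAINB":
        return "User Auth (Domain B)"
    return "User Auth (Domain A)"


def authenticate(raw_username: str, password: str,
                 services: Dict[str, List[IdentityStore]]) -> AuthResult:
    """Walk the selected service's lookup sequence, halting at the first username match."""
    domain, user = parse_username(raw_username)
    service = select_service(domain)
    for store in services[service]:
        if user in store.users:
            # The sequence halts here: the password is checked only against this
            # store, and later stores are never consulted for this username.
            if hmac.compare_digest(store.users[user].encode(), password.encode()):
                return AuthResult(True, service, store.name, "access-accept")
            return AuthResult(False, service, store.name, "access-reject: wrong password")
    return AuthResult(False, service, None, "access-reject: unknown user")


def build_demo_services() -> Dict[str, List[IdentityStore]]:
    """Constructed sample stores; 'svc' deliberately exists in both Local and AD (Domain A)."""
    local = IdentityStore("Local", {"svc": "local-pw"})
    ad_a = IdentityStore("AD (Domain A)", {"alice": "pw-alice", "svc": "ad-pw"})
    ad_b = IdentityStore("AD (Domain B)", {"bob": "pw-bob"})
    return {
        "User Auth (Domain A)": [local, ad_a],   # lookup sequence: local, then AD
        "User Auth (Domain B)": [ad_b],
    }


if __name__ == "__main__":
    svcs = build_demo_services()
    for raw, pw in [("alice", "pw-alice"), ("DomainB\\bob", "pw-bob"),
                    ("svc", "ad-pw"), ("carol", "x")]:
        print(f"{raw!r:16} -> {authenticate(raw, pw, svcs)}")
```

Running it shows `alice` accepted from the Domain A AD store, `DomainB\bob` accepted from the Domain B service, `carol` rejected as unknown, and `svc` rejected by the Local store even though `ad-pw` is correct in AD. When an account name is shared between the local database and AD, that shadowing is the first thing to check before looking at the trust itself.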
07-27-2011 03:19 PM
David:
This is now absolutely crystal clear. Thanks for taking time out of your day (evening) to respond. I can now report to my client that we have a solution with which to test the new domain.
Thanks again very much.
Bob
Robert Nelson
Senior Network Consultant
BT Business Solutions Group
Phoenix, AZ, USA
Mob: 1-480-353-8402
Email: robert.nelson@usc-bt.com
07-27-2011 03:26 PM
Glad to help.
Regards
David
Please rate helpful posts