ACS 5.2 AD trust to other domains?

We are trying to set up ACS 5.2 in our multi-forest AD environment.  As part of our evaluation we set up an Active Directory External Identity Store to a domain (a.b.edu).  It connects properly and I can see the directory groups in that tab when we Select.   This domain (a.b.edu) has a two-way trust with another domain in another forest (x.y.b.edu).  However, I do not see the groups in that domain and I cannot seem to manually add those groups using the Add on the free-text Group Name.

The documentation is not clear on this point:  Pages 8-41 and 8-42 of the "User Guide for the Cisco Secure Access Control System 5.2" say:  "The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest." This implies to me that it cannot cross forests even though a trust is set up.  This seems to be what is happening.

Has anyone had experience in setting up an AD trust (between domains in the same forest) and gotten that to work?

Has anyone had experience in setting up an AD trust (between domains in different forests) and gotten that to work?  Is this supported?  Unfortunately this is a bit of a deal breaker with us, so we are very interested in the answer.

5 Replies

We have just set this up at the beginning of the week and have this working.  We have x4 ACS 5.2 boxes (3 physical, 1 VM).  All servers are in the same ACS cluster and link to the one AD, Domain A.  This AD is single forest/single domain and has a 2-way trust to another AD single forest/single domain.

Users in Domain A where ACS is linked authenticate with username and password.  Users in Domain B authenticate with domain/username and password.  Pointed ACS at Domain B to pull in the remote groups.  Works great and we don't have to change anything when we migrate Domain B into Domain A to complete the acquisition of Company B.

David:

I have a customer requesting the same scenario.  My client purchased another company and they want to use ACS 5.2 for both forests.  I understand most of your response, except for one small portion.

Users in Domain A where ACS is linked authenticate with username and password.  Users in Domain B authenticate with domain/username and password.  Pointed ACS at Domain B to pull in the remote groups.  Works great and we don't have to change anything when we migrate Domain B into Domain A to complete the acquisition of Company B.

Can you explain the highlighted text?  If you have configured Domain A within the ACS application, to what additional action is your statement referring?

Thanks for the help

Bob,

Sorry if this is not clear.  The scenario that you have is exactly what we had; we acquired another company.

We have a 2-way trust relationship between Domain A and Domain B.  On ACS, under Users and Identity Stores > External Identity Stores > Active Directory > General Tab we have configured the user account in Domain A used by ACS.

On the Directory Groups Tab we have specified the specific Groups from AD that we want to use:

Domain A/Users/Domain users

Domain A/Users/Domain admins

Domain A/groups/IT Support

Domain B/Users/ACS Admins

etc...

When a RADIUS Request is received the "User Auth" service is always used to process and authenticate the request.  RADIUS requests not picked up by the "User Auth (Domain B)" AAA Service fall into the "User Auth (Domain A)" service.  Requests processed by this service are authenticated according to the database lookup sequence (local, AD); the lookup sequence halts as soon as the username matches a database entry.  Assuming the correct password was supplied with the username, the ACS will respond with an access-accept message and the user will be granted access to the network.  The same AAA User Authentication service is used for all authenticating users.

Hope this helps

David
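The request flow David describes above (Domain B service picks up domain-prefixed usernames, everything else falls to the Domain A service, whose lookup sequence stops at the first store that knows the username), modelled as an added Python illustration. This is not ACS code or anything from the thread; the identity stores, the "DOMAINB/" prefix and the user accounts are constructed for the example.

```python
# Added illustration of the ACS 5.2 request routing described in the post.
# All stores, prefixes and accounts below are constructed sample data.
from typing import Optional, Tuple

# Constructed identity stores: username -> password.
LOCAL_USERS = {"svc-backup": "local-pw"}
DOMAIN_A_USERS = {"alice": "a-pw", "svc-backup": "ad-pw"}
DOMAIN_B_USERS = {"bob": "b-pw"}

# Hypothetical prefix that identifies a Domain B request (domain/username).
DOMAIN_B_PREFIX = "DOMAINB/"


def select_service(username: str) -> str:
    """Requests carrying the Domain B prefix are picked up by the
    'User Auth (Domain B)' service; all others fall into 'User Auth (Domain A)'."""
    if username.upper().startswith(DOMAIN_B_PREFIX):
        return "User Auth (Domain B)"
    return "User Auth (Domain A)"


def lookup_sequence(service: str):
    """Database lookup sequence for each service: (store name, store)."""
    if service == "User Auth (Domain B)":
        return [("AD Domain B", DOMAIN_B_USERS)]
    return [("local", LOCAL_USERS), ("AD Domain A", DOMAIN_A_USERS)]


def authenticate(username: str, password: str) -> Tuple[str, Optional[str], str]:
    """Return (service used, store that matched or None, RADIUS result).

    The sequence halts at the first store holding the username: a wrong
    password there is rejected and later stores are NOT consulted, so a
    local account with the same name shadows the AD account."""
    service = select_service(username)
    bare_name = username.split("/", 1)[-1]  # strip the domain/ prefix if present
    for store_name, store in lookup_sequence(service):
        if bare_name in store:
            ok = store[bare_name] == password
            return (service, store_name, "Access-Accept" if ok else "Access-Reject")
    return (service, None, "Access-Reject")


if __name__ == "__main__":
    for user, pw in [("alice", "a-pw"), ("DOMAINB/bob", "b-pw"),
                     ("svc-backup", "ad-pw"), ("carol", "x")]:
        print(user, "->", authenticate(user, pw))
```

The third sample request shows the halting behaviour worth checking in a real deployment: "svc-backup" exists locally, so its AD password is never tried.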

David:

This is now absolutely crystal clear. Thanks for taking time out of your day (evening) to respond. I can now report to my client that we have a solution with which to test the new domain.

Thanks again very much.

Bob

Robert Nelson

Senior Network Consultant

BT Business Solutions Group

Phoenix, AZ, USA

Mob: 1-480-353-8402

Email: robert.nelson@usc-bt.com

Glad to help.

Regards

David

Please rate helpful posts