
ACS 5.2 Multiple Domain Prefix Searching

We have an ACS 5.2 server connected to an AD domain controller which has several trusted domains (domain1, domain2, domain3). We currently have to specify which domain each user belongs to (i.e., domain1\user) in order to connect. We would like to only have to enter the user name without the prefix (i.e., user1) and have ACS automatically check each domain for a match. Is this possible with ACS 5.2? I seem to remember this was possible with ACS 4.2.

Thanks!

2 REPLIES

I wanted to know what you were using this for, dot1x or TACACS authentication, because if you are using the Windows native supplicant for dot1x login it should automatically send the domain/username (from experience with XP clients). Let me know more about what you are trying to set up and we will see if we can help.

Thanks,

Tarik Admani


Old question, but it's the only topic I could find on the subject. We have ACS 5.2 for wireless access control; the AD identity store for a domain (DOMAIN1) also includes groups from a trusted domain (one-way trust, DOMAIN2).

Users in DOMAIN1 can authenticate using username only; users in DOMAIN2 must log in using DOMAIN2\username or else we get:

22056 Subject not found in the applicable identity store(s).

Users in DOMAIN2 are currently on their own ACS joined to DOMAIN2, but we'd like to move them to the new ACS and use the old as a backup running the same config. Clients are currently configured to log in using username only. Several thousand clients, mixed environment with Windows, Apple iOS, OS X, Android, Linux, so a lot of work if we have to reconfigure all of them manually.

Like wmblake's original question says, is there any way to make ACS search the DOMAIN2 groups if the search fails on DOMAIN1, even if the DOMAIN2 prefix is omitted?
