Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1891
Views
0
Helpful
2
Replies

ACS 5.x - Configuring Multiple AD Domains for Authentication

Go to solution
j.t.faust
Level 1
Level 1

‎01-08-2013 02:24 PM - edited ‎03-10-2019 07:57 PM

Currently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. Any advice on how best to configure ACS connect to both domains? Anyone gone thru this already?

Ted          

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎01-08-2013 06:29 PM

Are you performing eap-tls for you clients or peap(mschapv2)? The reason I ask is that you can use eap-tls and configure the new domain as an ldap database and build a identity store sequence, if you are using peap(mschapv2) then you will have make sure you have the proper trust setup so the ACS can perform kerberos authentication (I think the trust type is known as "external").

Also one issue that you may run into, is if the usernames are going to be the same or not. If you plan on migrating users over, will the migration remove the old 'samaAccountNames" from the old database? The reason is that if a user authenticates with just their SAM i.e johndoe, then you run the risk of the same account being in two seperate domains with different levels of access.

Hopefully these links will get you going down the right path.

https://supportforums.cisco.com/thread/2162234

https://supportforums.cisco.com/thread/2064843

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎01-08-2013 06:29 PM

Are you performing eap-tls for you clients or peap(mschapv2)? The reason I ask is that you can use eap-tls and configure the new domain as an ldap database and build a identity store sequence, if you are using peap(mschapv2) then you will have make sure you have the proper trust setup so the ACS can perform kerberos authentication (I think the trust type is known as "external").

Also one issue that you may run into, is if the usernames are going to be the same or not. If you plan on migrating users over, will the migration remove the old 'samaAccountNames" from the old database? The reason is that if a user authenticates with just their SAM i.e johndoe, then you run the risk of the same account being in two seperate domains with different levels of access.

Hopefully these links will get you going down the right path.

https://supportforums.cisco.com/thread/2162234

https://supportforums.cisco.com/thread/2064843

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎01-12-2013 12:32 AM

To tell about my experience, we have a "child domain" that has different FQDN name than the main domain.

for example:

main domain: university.edu.ca

child domian: ourbranch.local

The ACS I use (5.3) was able to discover it but the external groups in the child domain did not appear in the list when I search the base DN for the main domain (DC=university,DC=edu,DC=ca). I had to search the base DN for the child domain and ACS could list the groups in the child domian (DC=ourbranche,DC=local)

I think if there is a trust between the two domains then that should be the case. Try that and see if that is possible or not.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful
Customers Also Viewed These Support Documents