12-30-2017 05:17 PM - edited 02-21-2020 10:42 AM
I'm trying to configure ACS for use across 2 domains (let's say "business.com" is one and "company.com" is the other) for logging into network devices and POTENTIALLY wireless, and need a bit of help/suggestions regarding configuration.
I know that using a trust relationship, I could just set up one of the servers as the main external AD identity store in ACS, and have it reach out to the other domain when a user from that segment is trying to log in. However, after speaking with my superior, he does not want to establish a trust relationship across domains, which leads me to my main question: would I be able to set up one of the external identity stores for AD, and have the other domain be configured as an LDAP external identity store? I know you can configure a primary and secondary LDAP server, but given that one of the domains has 2 controllers, I'd like to avoid doing that. I'm mostly just wondering if this type of configuration is even possible, or do I have to choose between an AD-based or LDAP-based ACS identity store configuration? Are there any pitfalls or caveats with this type of potential config?
As stated above, this is currently for network device login only, and may have wireless on-boarded at a later date. That part is yet to be determined.
12-31-2017 12:13 AM
01-01-2018 04:11 PM