ASA and Multiple AD Domains

keith.brown · ‎10-13-2010

Hello,

I am having difficulties with configuring my ASA5510 to authenticate against two different Active Directory domains with LDAP for a Remote Access VPN. From what I can see, the authentication process goes as far as checking the first server, seeing that the user doesn't belong to that domain and then it bombs out.

I read some technote which specified that if the DC was set up as a Global Catalog that this would be a non-issue - sadly, this doesn't appear to be the case.

Can anyone shed any light on this?

Thanks

Keith

Herbert Baerten · ‎10-24-2010

Hi Keith

First of all the behavior you describe is correct and expected. If you configure 2 aaa servers (regardless of whether it's radius, ldap, etc.) then the ASA will consider them as having identical user DB's, and so will only use the 2nd when the 1st is unreachable.

So the solution would indeed consist of having a global catalog server (GCS) that can search both domains, and point the ASA to that server (or set of servers). The downside is that the global catalog server may not have information about local groups which may be needed for authorization and or DAP.

Having said that, there may be an alternative if you are using (or willing to change to) double authentication (i.e. certificate based authentication + username/password) or if you are ok to use certificate based authentication with LDAP authorization (i.e. only the cert is used to log in, the ldap attributes are only used to override settings in the group-policy).

In that case you can use tunnel group mapping (i.e. have certificates from one domain land on a certain group, and another domain on another group). Since each group has its own aaa-server config, you can point them to different ldap servers.

hth

Herbert