Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1671
Views
0
Helpful
1
Replies

ASA and Multiple AD Domains

keith.brown
Level 1
Level 1

‎10-13-2010 05:47 AM - edited ‎03-10-2019 05:29 PM

Hello,

I am having difficulties with configuring my ASA5510 to authenticate against two different Active Directory domains with LDAP for a Remote Access VPN. From what I can see, the authentication process goes as far as checking the first server, seeing that the user doesn't belong to that domain and then it bombs out.

I read some technote which specified that if the DC was set up as a Global Catalog that this would be a non-issue - sadly, this doesn't appear to be the case.

Can anyone shed any light on this?

Thanks


Keith

Labels:
0 Helpful
1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

‎10-24-2010 02:14 PM

Hi Keith

First of all the behavior you describe is correct and expected. If you configure 2 aaa servers (regardless of whether it's radius, ldap, etc.) then the ASA will consider them as having identical user DB's, and so will only use the 2nd when the 1st is unreachable.

So the solution would indeed consist of having a global catalog server (GCS) that can search both domains, and point the ASA to that server (or set of servers). The downside is that the global catalog server may not have information  about local groups which may be needed for authorization and or DAP.

Having said that, there may be an alternative if you are using (or willing to change to) double authentication (i.e. certificate based authentication + username/password) or if you are ok to use certificate based authentication with LDAP authorization (i.e. only the cert is used to log in, the ldap attributes are only used to override settings in the group-policy).

In that case you can use tunnel group mapping (i.e. have certificates from one domain land on a certain group, and another domain on another group). Since each group has its own aaa-server config, you can point them to different ldap servers.

hth

Herbert

0 Helpful
Top