05-26-2011 07:41 AM - edited 03-10-2019 06:06 PM
Hi
I'm looking to implement ACS 5.2 using 802.1X; we have two separate AD domains.
Now.. this is the tricky part...
A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
Can any expert please let me know if they think that this will be possible please??
Many thanks
05-30-2011 10:37 PM
Yes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so if the user is not found you can move to the next store, and this will prevent you from installing two certificates on every machine.
You can then set up an authorization rule for the separate containers where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
Thanks and I hope this helps!
Tarik Admani
05-31-2011 12:52 PM
Cheers mate, that's good news.
I'm using 5.2.
Thanks again for that great info - using LDAP as the second AD is a cunning trick :-)
cheers
08-15-2011 02:29 AM
Can you please supply some more details on this? At present I am unable to tie the machine auth to user auth in the second domain. The error message is 324423 - 'ACS has not been able to confirm previous successful machine authentication for user in Active Directory'. I get this even though I am using 'identity store sequences' for the second domain - the second domain is done via LDAP even though the domain has a 2-way trust. The environment is ACS 5.2 with 2 independent AD domains in two separate forests (but with 2-way trust) using EAP-TLS.