Hello Steve,
Related to the behavior you are facing with ACS to be able to authenticate users against the foreign domain is totally expected and you will only be able to authenticate by entering username and domain name.
The only option to join the ACS to a foreign domain is by configuring LDAP and that way you will be able to join the ACS directly with that domain, however, there are several limitations on the protocols supported when using LDAP as you can see on the following link, so you might want to see if it would be an available option for you or not depending on which protocol you are using ( which I assume it is PEAP/MSchapv2 as you mentioned that users have to enter credentials, so it that is the case it will not work for you ):
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/eap_pap_phase.html#pgfId-1014889
Extracted from link:
Table B-4 Non-EAP Authentication Protocol and User Database Compatibility
| | | |
|---|
ACS | Yes | Yes | Yes |
Windows AD | Yes | Yes | No |
LDAP | Yes | No | No |
RSA Identity Store | Yes | No | No |
RADIUS Identity Store | Yes | No | No |
Table B-5 specifies EAP authentication protocol support.
Table B-5 EAP Authentication Protocol and User Database Compatibility
| | | | | | | |
|---|
ACS | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Windows AD | No | Yes | Yes | Yes | Yes | Yes | Yes |
LDAP | No | Yes | Yes | No | No | Yes | Yes |
RSA Identity Store | No | No | No | No | No | Yes | Yes |
RADIUS Identity Store | No | No | No | No | No | Yes | Yes |
Note: Please mark it as answered if applicable.
