Cisco Secure ACS 4.2 Windows user authentication from different domain

Hello

I have a Cisco Secure ACS 4.2 Server for Windows. The server belongs to a domain and users belonging to a determinate group are authenticated against the domain.

Now I must change the server configuration and reassign it to a different domain. There's no trust relationship between both domains and I would like to know if users can still be authenticated against the previous domain.

Hello,

If there is no trust relationship then you'll not be able to authenticate.

After changing the domain you need to go to the external user DB and change the configuration (current domain, group mapping...etc).
The authentication for the previous domain will no longer be valid.

So, if you want both domains to work you have to have a trust relationship between both domains.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"


Hello

I don't need to authenticate users against the old domain.

I just need to move the server to a new domain but keep authenticating the users as I used to do?

Is it possible?

Thank you

Accepted Solution

Hello,

First of all, take a backup (as a precaution to be able to restore the config if something goes wrong), then proceed with the following:

- Remove the Windows domain configuration (group mapping...etc) from the server before changing the domain.

- Change the domain membership then reboot.

- Follow the post-installation tasks for ACS (check this link): http://tiny.cc/zr6huw.

- Configure the external database again on the ACS (group mapping, unknown user policy...etc).

You also need to note that if the new domain controller is Windows Server 2008 R2, that is not supported in ACS 4.x.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
