04-28-2011 08:57 AM - edited 03-10-2019 06:02 PM
Ok here is my crazy question for the day but I am not sure the best way to ask it. I am a complete newbie on the ACS but have gotten AAA working on my test switch. Woo Hoo ..
I have two different domains in my AD forest. Let's say 123.mycompany.com and abc.mycompany.com.
I have ACS working with 123.mycompany.com but need to check users in abc.mycompany.com. Should that be possible? I did not know if instead of using 123.mycompany.com for the active directory name that things would work if I used mycompany.com instead. So far I have not seen a way to specify more than one AD External Identity Store, at least through the GUI. I also did not know if I could use boolean type expressions when I develop the policies.
Am I asking too much? Will I need two ACS servers instead of one? Should I scrap ACS and go a different route? I was figuring to start with Tacacs+ and dot1-x authentication for a start then use the radius function for other items (maybe VPN) after that.
Brent
04-28-2011 07:58 PM
Hello,
You have to have a bidirectional trust relationship between both domains; that is the only way around.
If you are unable to do so, I suggest using LDAP for one domain and AD for the other one.
If you have any questions, feel free to contact me.
Regards
Erick Delgado
Cisco CSE
04-18-2012 03:01 AM
Hi Erick,
Even I have a similar problem at one of our customers. Is there any document available detailing how this can be achieved?
Any help is much appreciated.
Many Thanks.
Girish