12-04-2018 08:41 AM
Hi,
We currently have an ACS in version 5.8 mapped to an Active Directory and used to authenticate the admins when they want to log in to the Cisco switches/routers to manage them.
Admins will have new accounts for admin tasks but these accounts will be in a different Active Directory.
I would like to know if it is possible to map the ACS with another Active Directory and still keep the first Active Directory mapping working? So that everybody can still manage the equipment even if they don't have their new account.
I want authentication with admin accounts from the old Active Directory and the new one to work in parallel.
Thanks a lot.
Dorian
12-05-2018 06:57 AM
the documentation is not very clear.
Note If multiple join operations are performed, multiple machine accounts are maintained inside ACS, one for each join operation.
(table 8-11) could mean you can join multiple AD,
or it could mean it does not detect "already joined" and joins again with a newly created machine account
this link says 5.3 cannot!
12-05-2018 07:00 AM - edited 12-05-2018 07:03 AM
found this:
You can join the ACS nodes from the same deployment to different AD domains that have two-way trust between each other. However, each node can be joined to a single AD domain. The policy definitions of those ACS nodes are not changed and that uses the same AD identity store.
individual nodes within an ACS deployment can join another domain within a trusted domain structure (AD).
so this comes down to NO you cannot really join multiple AD's
12-06-2018 01:23 AM
Hi,
thanks for your reply pieterh.
What about adding another LDAP in the External Identity Stores menu and then adding a rule in the Group Mapping of the current Access Services used for admin authentication to devices. The compound conditions of this new rule would match the new LDAP and be placed after the current rule that matches the current Active Directory.
Could that work?
Thanks
Dorian
12-06-2018 03:30 AM
using LDAP would be no problem
You can create more than one LDAP instance in ACS 5.8. By creating more than one LDAP instance with different IP address or port settings, you can configure ACS to authenticate by using different LDAP servers or different databases on the same LDAP server.
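The approach discussed in this thread (a second identity store consulted after the existing one, with the rule order deciding which store answers first) can be modelled to see where it behaves unexpectedly. The following is an added illustration, not ACS code or configuration: it builds two constructed in-memory directories standing in for the old and new AD/LDAP stores, tries them in order, and moves on to the next store only when the username is absent. The store names, usernames and passwords are invented for the demo. It also lists usernames present in both stores, because with an ordered sequence such an account is only ever checked against the first store that knows it.

```python
"""Constructed model of an ordered identity-store sequence (old AD first, new AD
second).  This is an added example for this thread, not Cisco ACS code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Passwords are stored as salted PBKDF2 hashes so the demo never keeps plaintext.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Store:
    """One external identity store (a stand-in for an AD or LDAP instance)."""
    name: str
    users: dict = field(default_factory=dict)  # username -> (salt, hash)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def check(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'no_user' for this store alone."""
        entry = self.users.get(username)
        if entry is None:
            return "no_user"
        salt, stored = entry
        if hmac.compare_digest(stored, hash_password(password, salt)):
            return "ok"
        return "bad_password"


def authenticate(stores: list, username: str, password: str) -> dict:
    """Consult stores in order.  Only 'no_user' falls through to the next
    store; a wrong password in the first store that knows the name is final.
    That fall-through policy is an assumption of this demo, not ACS behaviour."""
    tried = []
    for store in stores:
        tried.append(store.name)
        outcome = store.check(username, password)
        if outcome == "no_user":
            continue
        return {"result": outcome, "store": store.name, "tried": tried}
    return {"result": "no_user", "store": None, "tried": tried}


def duplicate_users(stores: list) -> dict:
    """Usernames that exist in more than one store, mapped to those stores.
    Such accounts are only ever checked against the first store in order."""
    seen = {}
    for store in stores:
        for username in store.users:
            seen.setdefault(username, []).append(store.name)
    return {u: names for u, names in seen.items() if len(names) > 1}


def build_demo_stores() -> list:
    """Constructed sample data: an old directory and a new one."""
    old = Store("OLD-AD")
    old.add_user("dorian", "OldPass!1")       # legacy admin account
    old.add_user("svc-backup", "OldSvc!1")    # same name exists in both stores
    new = Store("NEW-AD")
    new.add_user("dorian.admin", "NewPass!2")  # new admin account
    new.add_user("svc-backup", "NewSvc!2")
    return [old, new]                          # rule order: old store first


STORES = build_demo_stores()

if __name__ == "__main__":
    for user, pw in [("dorian", "OldPass!1"), ("dorian.admin", "NewPass!2"),
                     ("svc-backup", "NewSvc!2"), ("nobody", "x")]:
        print(user, authenticate(STORES, user, pw))
    print("present in several stores:", duplicate_users(STORES))
```

Running it shows the two admin accounts authenticating in parallel (`dorian` answered by OLD-AD, `dorian.admin` reaching NEW-AD after OLD-AD reports no such user), and shows the caveat: `svc-backup` with its NEW-AD password is rejected, because OLD-AD knows the name and answers first. Before adding the second store, list names shared by both directories so that ordering does not silently lock those accounts to the old one.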
12-06-2018 05:31 AM
Ok thank you very much pieterh