ACS 5.8 admin authentication with multiple AD

Dorian
Level 1

Hi,

We currently have an ACS in version 5.8 mapped to an Active Directory and used to authenticate the admins when they want to log in to the Cisco switches/routers to manage them.

Admins will have new accounts for admin tasks, but these accounts will be in a different Active Directory.

I would like to know if it is possible to map the ACS with another Active Directory and still keep the first Active Directory mapping working, so that everybody can still manage the equipment even if they don't have their new account.

I want authentication with admin accounts from the old Active Directory and the new one to work in parallel.

Thanks a lot.

Dorian


pieterh
VIP

The documentation is not very clear.

Note If multiple join operations are performed, multiple machine accounts are maintained inside ACS, one for each join operation.

(table 8-11) could mean you can join multiple ADs,

or it could mean it does not detect "already joined" and joins again with a newly created machine account.

This link says 5.3 cannot!

Found this:

Joining ACS to an AD Domain

You can join the ACS nodes from same deployment to different AD domains that has two way trust between each other. However, each node can be joined to a single AD domain. The policy definitions of those ACS nodes are not changed and that uses the same AD identity store.

Individual nodes within an ACS deployment can join another domain within a trusted domain structure (AD).

So this comes down to NO, you cannot really join multiple ADs.

Hi,

Thanks for your reply pieterh.

What about adding another LDAP in the External Identity Stores menu and then adding a rule in the Group Mapping of the current Access Services used for admin authentication to devices? The compound conditions of this new rule would match the new LDAP and be placed after the current rule that matches the current Active Directory.

Could that work?

Thanks

Dorian

Using LDAP would be no problem.

Multiple LDAP Instances

You can create more than one LDAP instance in ACS 5.8. By creating more than one LDAP instance with different IP address or port settings, you can configure ACS to authenticate by using different LDAP servers or different databases on the same LDAP server.
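An added example, not code from this thread or from ACS, modelling the ordered lookup Dorian proposes: the existing Active Directory is matched by the first rule and the second directory (added as an LDAP identity store) by a later one. Two in-memory directories stand in for the real ones, and the store names, usernames, passwords and group names are constructed sample data. The model assumes the usual identity-sequence behaviour that a lookup moves on to the next store only when the account does not exist in the current one, while a rejected password for an existing account ends the attempt; that assumption, and the group-to-privilege-level mapping, are the example's own, not something the thread states.

```python
"""Model of an ordered identity-store chain for device-admin authentication.

Constructed example (not ACS code): two in-memory directories stand in for
the existing Active Directory and the second directory added as an LDAP
identity store; the chain tries them in rule order.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    USER_NOT_FOUND = "user_not_found"   # account does not exist in this store
    AUTH_FAILED = "auth_failed"         # account exists, credential rejected


def _derive(password: str, salt: bytes) -> bytes:
    # Stand-in for the directory's own credential check (assumption: PBKDF2 here).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class IdentityStore:
    """Minimal directory: username -> (salt, derived secret, group names)."""
    name: str
    users: dict = field(default_factory=dict)

    def add_user(self, username: str, password: str, groups: list) -> None:
        salt = os.urandom(16)
        self.users[username.lower()] = (salt, _derive(password, salt), tuple(groups))

    def authenticate(self, username: str, password: str):
        record = self.users.get(username.lower())
        if record is None:
            return Result.USER_NOT_FOUND, ()
        salt, expected, groups = record
        if hmac.compare_digest(expected, _derive(password, salt)):
            return Result.SUCCESS, groups
        return Result.AUTH_FAILED, ()


def authenticate_in_sequence(stores, username: str, password: str):
    """Try the stores in rule order.

    Only USER_NOT_FOUND moves the lookup to the next store. A wrong password
    for an account that exists is final, so one guess is checked against one
    credential rather than against every directory in the chain.
    Returns (result, name of the store that answered or None, groups).
    """
    for store in stores:
        result, groups = store.authenticate(username, password)
        if result is Result.USER_NOT_FOUND:
            continue
        return result, store.name, groups
    return Result.USER_NOT_FOUND, None, ()


def privilege_level(groups) -> int:
    """Group-mapping stand-in: directory group -> IOS privilege level (assumed names)."""
    return 15 if "NetworkAdmins" in groups else 1


def build_demo_stores():
    """Constructed sample data: the old AD first in rule order, the new one second."""
    old_ad = IdentityStore("old-corp-AD")
    old_ad.add_user("jdoe", "OldPass1!", ["NetworkAdmins"])
    old_ad.add_user("asmith", "Smith2024!", ["HelpDesk"])
    new_ad = IdentityStore("new-admin-AD")
    new_ad.add_user("adm-jdoe", "NewPass2!", ["NetworkAdmins"])
    # Same username in both directories: the first store in rule order answers
    # for it, so the second store's credential (and groups) are never consulted.
    new_ad.add_user("asmith", "Smith-new!", ["NetworkAdmins"])
    return [old_ad, new_ad]


if __name__ == "__main__":
    chain = build_demo_stores()
    for user, pw in [("jdoe", "OldPass1!"), ("adm-jdoe", "NewPass2!"),
                     ("asmith", "Smith-new!"), ("jdoe", "NewPass2!"), ("ghost", "x")]:
        result, store, groups = authenticate_in_sequence(chain, user, pw)
        print(f"{user:9} -> {result.value:15} via {store} priv={privilege_level(groups)}")
```

The `asmith` case is the caveat to check before ordering the rules: an account name that exists in both directories is always answered by the store the earlier rule matches, with that store's password and group membership, so the new directory's privilege assignment for it never applies until the old account is removed or the rule order is changed.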

Ok thank you very much pieterh