05-24-2011 01:51 PM - edited 03-10-2019 06:06 PM
We have an ACS 5.2 server connected to an AD domain controller which has several trusted domains. (domain1, domain2, domain3) We currently have to specify which domain each user belongs to (ie, domain1\user) in order to connect. We would like to only have to enter the user name without the prefix, (ie, user1) and have ACS automatically check each domain for a match. Is this possible with ACS 5.2? I seem to remember this was possible with ACS 4.2.
Thanks!
05-30-2011 10:47 PM
I wanted to know what you were using this for? Dot1x or tacacs authentication, because if you are using the windows native supplicant for dot1x login it should automatically send the domain/username (from experience with xp clients). Let me know more about what you are trying to setup and we will see if we can help.
Thanks,
Tarik Admani
10-20-2011 04:49 PM
Old question, but it's the only topic I could find on the subject. We have ACS 5.2 for wireless access control, AD identity store for a domain (DOMAIN1) also includes groups from a trusted domain (one-way trust, DOMAIN2).
Users in DOMAIN1 can authenticate using username only, users in DOMAIN2 must login using DOMAIN2\username or else we get:
22056 Subject not found in the applicable identity store(s).
Users in DOMAIN2 are currently on their own ACS joined to DOMAIN2 but we'd like to move them to the new ACS and use the old as a backup running the same config. Clients are currently configured to login using username only. Several thousand clients, mixed environment with Windows, Apple iOS, OS/X, Android, Linux, so a lot of work if we have to reconfigure all of them manually.
Like wmblake's original question says, is there any way to make ACS search the DOMAIN2 groups if the search fails on DOMAIN1, even if the DOMAIN2 prefix is omitted?
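As an added illustration (not Cisco's or ACS's code, and not a statement that ACS 5.2 behaves this way), the following Python models the lookup the thread is asking for: accept `user`, `DOMAIN\user` or `user@realm`, and when no domain prefix is given try each configured domain in order, stopping at the first store that knows the account. The directory contents, the domain search order and the helper names are all constructed for the example; the `22056` message is the ACS result quoted above.

```python
"""Username-only lookup across several trusted AD domains (constructed example).

The one rule that matters for safety: a store that finds the account but rejects
the password is the final answer. Falling through to the next domain on a bad
password would let a mistyped DOMAIN1 password turn into a DOMAIN2 login (or
reveal which domains hold the account). Only "subject not found" moves on.
"""
import hashlib
import hmac


def _hash_password(salt, password):
    # Stand-in for the directory's own credential check; sha256(salt||pw) is
    # only for this self-contained sample and is not how AD stores secrets.
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed sample directories: NetBIOS domain -> {sAMAccountName: (salt, hash)}.
# "alice" deliberately exists in both domains to show the ambiguity caveat.
SAMPLE_DIRECTORY = {
    "DOMAIN1": {"alice": ("s1", _hash_password("s1", "alice-pass"))},
    "DOMAIN2": {"bob": ("s2", _hash_password("s2", "bob-pass")),
                "alice": ("s3", _hash_password("s3", "other-alice"))},
}
# Assumption: the joined domain is consulted first, then the trusted domains.
SEARCH_ORDER = ["DOMAIN1", "DOMAIN2"]

NOT_FOUND = "22056 Subject not found in the applicable identity store(s)"
BAD_PASSWORD = "authentication failed"
OK = "ok"


def split_principal(principal):
    """Return (domain or None, username) for 'user', 'DOMAIN\\user' or 'user@realm'.

    Simplification: the first label of a UPN realm is treated as the NetBIOS name
    ('bob@domain2.example' -> 'DOMAIN2'); real forests need an explicit mapping.
    """
    if "\\" in principal:
        domain, _, user = principal.partition("\\")
        return domain.upper(), user
    if "@" in principal:
        user, _, realm = principal.rpartition("@")
        return realm.split(".")[0].upper(), user
    return None, principal


def check_domain(domain, user, password, directory=SAMPLE_DIRECTORY):
    """Look the user up in one domain. Returns OK, BAD_PASSWORD or NOT_FOUND."""
    entry = directory.get(domain, {}).get(user)
    if entry is None:
        return NOT_FOUND
    salt, stored = entry
    if hmac.compare_digest(stored, _hash_password(salt, password)):
        return OK
    return BAD_PASSWORD


def authenticate(principal, password, order=SEARCH_ORDER, directory=SAMPLE_DIRECTORY):
    """Resolve the principal. Returns (result, domain that answered or None).

    An explicit prefix pins the lookup to that one domain; a bare username walks
    `order` and stops at the first domain where the account exists.
    """
    domain, user = split_principal(principal)
    candidates = [domain] if domain else list(order)
    for d in candidates:
        result = check_domain(d, user, password, directory)
        if result != NOT_FOUND:
            # Account exists here: return OK or BAD_PASSWORD, never keep searching.
            return result, d
    return NOT_FOUND, None


if __name__ == "__main__":
    for principal, pw in [("alice", "alice-pass"), ("bob", "bob-pass"),
                          ("alice", "other-alice"), ("DOMAIN2\\alice", "other-alice"),
                          ("carol", "x")]:
        print(f"{principal!r:22} -> {authenticate(principal, pw)}")
```

The `alice` case shows the cost of prefix-less logins across trusts: with a bare username the joined domain always wins, so the DOMAIN2 alice can only reach her own account by keeping the `DOMAIN2\` prefix (or a UPN), and the two directories should be checked for colliding sAMAccountNames before clients are switched to username-only.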