Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
866
Views
5
Helpful
3
Replies

ACS 5.4 with Different AD Domains

Go to solution
cbradt
Level 1
Level 1

‎08-16-2013 08:58 AM - edited ‎03-10-2019 08:47 PM

I have read the release notes and user guide for ACS 5.4 that mentions the capability to join the ACS nodes from same deployment to different AD domains.  But each node can be joined to a single AD domain.  My question is this ... in a failover situation what does this buy me?

Hypothetical:

I have two sites, each with an ACS and each one has its own AD domain.  The ACSs are deployed in a primary/secondary relationship, devices at site A use Site A's ACS as primary for authentication, devices at site B use Site B's ACS as the primary for authentication. 

Scenarios:

  1. If the Site A ACS fails the devices at Site A will attempt to go to the Site B ACS for authentication.  But if they are using different AD domains Site A users can't authenticate and would be denied access.  Correct?
  2. If a user from Site B tries to access a device at Site A, that device tries to authenticate the user using the Site A ACS.  Will this fail since the Site A ACS only references the Site A AD domain?

I'm missing what benefit I have deploying the two ACSs if they cannot both use or access users on both domains.  Maybe I'm not understanding something here.  Can anybody shed some light on this or point me to a document that might help?

Thanks ...

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎09-19-2013 10:13 PM

I second you on that fact, it's not very well documented. In almost every deployment,the role of the secondary sever (located at a different site) is to provide full redundancy in the event that the primary ACS server fails. 

In your case, if you've both the ACS are joined to two different domains like

Site A (ACS1- Primary) --- Domain A

Site B (ACS2- Secondary) --- Domain B

We've to make sure that Domain A trust Domain B and vice versa because if the secondary server is configured to receive replication from the primary that means the authorization rules will be same on both the ACS. Having Full 2-ways trust between both the domains would allows you to fetch groups of Domain B from ACS 1 and Groups of domain A from ACS 2.

The ONLY advantage of this feature will come in play during authentication. If  users of domain B are pointed to ACS2 for authentication, group  retrieval time would be lesser if its a direct domain instead of cross  domain.

The purpose of redundancy will fail where possibility of 2-way trust doesn't exist. It JUST won't fit right in such deployments.

Hope it adds little more clarification.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

3 Replies 3

Go to solution
Ravi Singh
Level 7
Level 7

‎08-27-2013 07:36 PM

To authenticate the user in your given scenarios there must be two way trust relationship between AD then in case of failure user from site A can be authenticated by site B ACS.

0 Helpful

Go to solution
Ravi Singh
Level 7
Level 7

‎09-19-2013 09:17 PM

To authenticate the user in your given scenarios there must be two way  trust relationship between AD then in case of failure user from site A  can be authenticated by site B ACS.

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎09-19-2013 10:13 PM

I second you on that fact, it's not very well documented. In almost every deployment,the role of the secondary sever (located at a different site) is to provide full redundancy in the event that the primary ACS server fails. 

In your case, if you've both the ACS are joined to two different domains like

Site A (ACS1- Primary) --- Domain A

Site B (ACS2- Secondary) --- Domain B

We've to make sure that Domain A trust Domain B and vice versa because if the secondary server is configured to receive replication from the primary that means the authorization rules will be same on both the ACS. Having Full 2-ways trust between both the domains would allows you to fetch groups of Domain B from ACS 1 and Groups of domain A from ACS 2.

The ONLY advantage of this feature will come in play during authentication. If  users of domain B are pointed to ACS2 for authentication, group  retrieval time would be lesser if its a direct domain instead of cross  domain.

The purpose of redundancy will fail where possibility of 2-way trust doesn't exist. It JUST won't fit right in such deployments.

Hope it adds little more clarification.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
Customers Also Viewed These Support Documents