Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1033
Views
0
Helpful
1
Replies

LDAP connection for VPN authentication to 2 AD different child domains

carl_townshend
Spotlight
Spotlight

‎08-16-2012 05:10 AM

Hi all

I have an issue, we have an ASA, this authenticates using LDAP to my local domain controller, this DC has users on it, we then ahev another DC on another site which is in a different domain.

however the users on both domains share the same Groups, but it wont authenticate the ones on the remote DC in another domain.

what can I do to achieve this?

could I create 2 LDAP connections on the firewall?

how have other people achieved this?

cheers

Carl

Labels:
0 Helpful
1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

‎08-31-2012 04:26 AM

Hi Carl,

I know of 2 different ways to achieve this:

1) create 2 aaa-server groups, one for each domain; then create 2 tunnel-groups, each one pointing to a different aaa-server group.

This means of course that the users will have to select the correct tunnel-group (either from a drop-down list, or by going to the right group-url). For Anyconnect users, you can optionally deploy a different profile (i.e. with a different group name) to both sets of users.

2) assuming the 2 domains are in the same AD Forest, configure one (or more) DC to be a GCS (Global Catalog Server) for the Forest. Then on the ASA you can use the GCS as LDAP server to do multi-domain lookups.

Downside of this approach is that GCS cannot handle password changes.

hth

Herbert

0 Helpful
Customers Also Viewed These Support Documents