12-28-2016 07:23 AM - edited 02-21-2020 09:06 PM
Does anyone know if the ASA will support multiple domains with the AnyConnect client? We have been running our ASA for quite a while with a single domain, but we have acquired another company and appear to be having issues with remote users getting between the domains. I created a profile for users on the new domain when everything was single, but now they are working to combine things and have users trying to access cross-domain resources. The only domain spot I have seen so far is a default domain, but it only allows a single domain.
Brent
12-28-2016 08:00 AM
The ASA will only support a single domain (AAA server group, technically) for a given connection profile.
You could create multiple profiles and have the end users select the one for their domain.
You could also use ISE which supports multiple domains just fine.
12-28-2016 08:29 AM
To add to what Marvin said, you can also configure split DNS for a particular tunnel group/connection profile. This means that you can add multiple domains apart from your default domain to the split-DNS list so that the client can use those while querying for a name. There can only be one default domain, but there can be multiple split-DNS domains. These domains are added under the DNS search suffixes once connected to VPN. If domain name resolution is what you are looking for, split DNS should work for you. More info below:
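Added example (not posted by anyone in this thread): the ASA group-policy configuration the reply above describes, with one default domain and two split-DNS domains so that short names from both the original and the acquired domain resolve through the tunnel. Policy, tunnel-group and ACL names, domain names and DNS server addresses are placeholders.

```text
! Added example, not from the thread. Names and addresses are placeholders.
! Split DNS only applies when split tunneling is in effect; in tunnel-all mode
! every DNS query already goes through the tunnel to the dns-server list.
access-list SPLIT-TUNNEL-ACL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-TUNNEL-ACL standard permit 10.20.0.0 255.255.0.0
!
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 ! Internal DNS servers for the original and the acquired domain
 dns-server value 10.10.1.10 10.20.1.10
 ! Exactly one default domain per group policy ...
 default-domain value corp.example.com
 ! ... but several split-DNS domains, space-separated on one line
 split-dns value corp.example.com acquired.example.net
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
!
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
```

To check it, run `show running-config group-policy GP-ANYCONNECT` on the ASA, then connect a Windows client and look at `ipconfig /all`: the AnyConnect adapter should list both domains under the DNS suffix search list, and `nslookup servername` should be answered by one of the `dns-server` addresses rather than the local ISP resolver. Keep the `split-dns value` list on a single line; if users only need the suffixes and not the per-domain resolver split, the `default-domain` alone will not cover the second domain, which is the symptom described in this thread.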
12-28-2016 08:34 AM
You are referring to authentication, correct? I can see a single domain for that, but I am referring to multiple domains for DNS lookups. Sorry, I may have not been clear on that. The users normally just connect to "server name" but are now saying they are having issues getting to "server name" when remotely connected and not on their default domain. I never really noticed what they get when connected, as I did not set up what we have today. I am going to have to research more, as I have all the domains listed when I do an ipconfig /all from my laptop. Maybe there is something profile-specific that is not happening? I just did not know if there was something that needed to be checked in the DHCP pool or something. When I create the profiles, I just use a single LDAP and specify a default domain. I do not think I have ever changed anything regarding DNS.
Brent