IPSec Remote Access VPN- multiple user logon domains

Scott Conklin
Level 1

Hi, we are currently migrating from an existing Active Directory domain to a new one. We currently use the Cisco IPSec VPN client software (ASA5520, version 9.1) for users to log into VPN, and we have our existing domain controllers specified as the RADIUS servers for user authentication.

We need to migrate to a new domain within our organization, using different domain controllers. How can I specify that users in the new domain be authenticated using one set of domain controllers, and users in the existing domain use another set of domain controllers? Can this be set by creating a new group policy? I didn't see anywhere to specify that. We have to allow for user authentication in both domains during the transition process; this is going to be a gradual migration.

Thanks for the assistance. 

Marvin Rhoads
Hall of Fame

You'd have to create a new AAA server group pointing to servers in the new domain for authentication.

Then make a new connection profile that uses that AAA server group.

Your users would have to choose the connection profile (absent some more advanced tricks like issuing them user certificates that can be checked for attributes which map to one profile or another).

This could also be done with ISE 1.3, which can act as the RADIUS server and join multiple AD domains on the backend as identity stores (or even with ISE 1.2 if you use one of the AD directories as an LDAP store vs. native AD).

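An illustrative ASA 9.1 CLI configuration for the two steps Marvin describes (a second AAA server group, then a second connection profile that uses it), added here as an example and not taken from the thread; the server-group name, tunnel-group name, addresses, pool and secrets are constructed placeholders, and the existing server group and tunnel group for the old domain are assumed to stay exactly as they are.

```cisco
! --- Step 1: a second AAA server group pointing at the NEW domain's RADIUS servers ---
! (constructed names and addresses; the old domain's server group is left untouched)
aaa-server NEWDOMAIN-RADIUS protocol radius
aaa-server NEWDOMAIN-RADIUS (inside) host 10.0.1.10
 key NEWDC1-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
 timeout 5
aaa-server NEWDOMAIN-RADIUS (inside) host 10.0.1.11
 key NEWDC2-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
 timeout 5

! --- Step 2: a second IPsec remote-access connection profile (tunnel group) ---
! The tunnel-group name is the "group name" users enter in the Cisco IPsec VPN
! client, so handing out a new group name and group password is how a user
! "chooses" this profile; everyone else keeps using the old one.
ip local pool NEWDOMAIN-POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
tunnel-group NEWDOMAIN-VPN type remote-access
tunnel-group NEWDOMAIN-VPN general-attributes
 address-pool NEWDOMAIN-POOL
 authentication-server-group NEWDOMAIN-RADIUS
tunnel-group NEWDOMAIN-VPN ipsec-attributes
 ikev1 pre-shared-key GROUP-PSK-PLACEHOLDER

! --- Check: authenticate a throwaway account from the new domain before rollout ---
! (exec mode, not configuration mode)
test aaa-server authentication NEWDOMAIN-RADIUS host 10.0.1.10 username testuser password TEST-PASSWORD-PLACEHOLDER
```

Because the existing tunnel group still references the old domain's server group, both domains authenticate in parallel for the whole migration; the RADIUS service on the new domain controllers must, in turn, list the ASA as a RADIUS client with the matching shared secret or the test command above will fail.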

Thank you for your reply, Marvin. I figured that I would need to specify the authentication server group, but I was looking for options under the group policy... I should have been looking under the tunnel group. Your reply sparked me to look there... Thanks!