Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
973
Views
0
Helpful
4
Replies

Second Realm creation in SMA/WSA for a separate AD forest authentication

KEYURPATEL4854
Level 1
Level 1

‎07-17-2019 10:51 PM

Hi,

 

We wanted to configure the second realm in our proxy to authenticate users from a different domain(separate AD forest). Can you please provide the necessary information and help to configure the same?

 

Keyur 

Labels:
0 Helpful
4 Replies 4

sadik.sener1
Level 1
Level 1

‎07-18-2019 06:12 AM

Hi Keyur,

 

Are you asking about how to create second realm or how to make use of it?

 

The tricky part is making use of it.

In your identification profile, you should make use of the more specific realm, for specific networks. 

You need to define specific networks authenticated by the realm. And the rest will be authenticated by the second realm. 

 

So , you first need your scope of which subnet should be authenticated against which realm.

 

Hope that helps.

 

Kind regards

Sadik

0 Helpful

KEYURPATEL4854
Level 1
Level 1
In response to sadik.sener1

‎07-18-2019 10:20 PM

Hi Sadik, Thank for your kind reply. but here we wanted to create second realm for separate AD forest on the same WSA. so it is possible or not? Regards, Keyur Patel.
0 Helpful

sadik.sener1
Level 1
Level 1
In response to KEYURPATEL4854

‎07-18-2019 11:33 PM

Hi Keyur,

It is possible.

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html#con_1334317

  • Create as few Active Directory realms as is practical. Multiple Active Directory realms require additional memory usage for authentication.

So your key point will still be to create a matrix , which subnets will be authenticated against which realms. 
If you're expecting WSA to query both realms and find the user belongs to which one, its not gonna work.

You should point WSA which domain to check.

 

Hope this helps

Sadik

0 Helpful

KEYURPATEL4854
Level 1
Level 1
In response to sadik.sener1

‎07-19-2019 01:58 AM

Hi Sadik,

We have a scenario like employees of two different companies(ex. company A and Company B) that are on the same premises and on the same subnet. Realm for company A was already created on WSA and it was working fine. Now we have to create the second realm for Company B employees on the same WSA. But the problem is the AD's of both companies are in a different forest. so it is possible? if yes please suggests the steps for doing the same. 

 

Regards,

 

Keyur

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents