We are a sort of service provider network for schools, and use a Cisco ACS and its internal user database to authenticate users onto the remote access VPN which we provide. Every school we support has a separate Windows domain.
We would like to be able to use the ACS to connect to the different school ADs to be able to allow them to authenticate using their local network credentials.
Can this be done, and if so is there a specific software version of the Cisco ACS that is required? We are currently running 3.3 and I don't seem to be able to find a way of making this work.
Thanks, Tom
The install guide for ACS 3.3 (see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/installation/guide/windows/install.html#wp981552) briefly mentions trusted domains, as does the end-user documentation (http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/d.html#wp353805). I suppose you could create one-way trust relationships with each of the schools' Active Directory infrastructures to facilitate doing this via AD.
The negative thing about doing this with an AD trust relationship is that you're going to need name resolution for the schools' domain controller computers. You might be able to use the "Generic LDAP" user database functionality and get by with using IP addresses of their Active Directory domain controllers in lieu of using the underlying plumbing in Windows to handle doing the authentication against their AD databases.
Finally, it looks like an ACS 3.3 install can use another RADIUS server for token-based authentication. I'd try that with a standard RADIUS server (w/o actually using tokens) and see if you can get ACS to authenticate to another RADIUS server. If you can, you could ask the schools to run a RADIUS server (like Microsoft IAS) and expose only that to you. That would make both of you as de-coupled as possible while still accomplishing what you want. It's a long shot, but it might work.
I'd probably pursue the generic LDAP route first (http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/d.html#wp354503).