Cisco Bug: CSCum37159 - ACS does not do Cross Domain Group searching in AD Environment

Last Modified

Nov 25, 2016

Products (1)

  • Cisco Secure Access Control Server Solution Engine

Known Affected Releases

5.3(0.8)

Description (partial)

Symptom:
The AD environment has several domains, all joined by two-way trusts.

USER 1 is defined in Domain B, but the group it should map to exists only in Domain A (the primary domain). The user is in Domain B and the group is in Domain A.

ACS should be able to do cross-domain group mapping in this setup, but it does not.

ACS looks up the user object in AD (by its GUID) and reads the user's tokenGroups attribute, the list of group SIDs the user belongs to.

That list is built from the domain the user was looked up in (Domain B here), so it contains only Domain B groups. The tokenGroups list read from Domain B will therefore never contain Domain A groups, and an authorization policy keyed on a Domain A group never matches.
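As an added check (this is not Cisco's code and not something ACS runs itself), the script below parses binary SIDs in the format the tokenGroups attribute returns and sorts them by issuing domain, so you can see directly whether any Domain A group SID came back for the user. The two domain SIDs and the tokenGroups values are constructed sample data, not captured from a real forest; in practice you would read the user's tokenGroups over LDAP and pass those raw values to classify_token_groups.

```python
"""Parse binary SIDs as returned in AD's tokenGroups attribute and sort them
by issuing domain, to check whether a trusted domain's groups are present."""
import struct
from typing import Dict, Iterable, List


def sid_to_string(blob: bytes) -> str:
    """Convert a binary SID (the tokenGroups value format) to S-1-5-21-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then `count` 32-bit
    little-endian sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the constructed sample."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_of(sid: str) -> str:
    """Strip the trailing RID: the domain SID is everything before the last hyphen."""
    return sid.rsplit("-", 1)[0]


def classify_token_groups(blobs: Iterable[bytes],
                          domains: Dict[str, str]) -> Dict[str, List[str]]:
    """Group tokenGroups SIDs by the domain that issued them.

    `domains` maps a friendly name to a domain SID. SIDs whose domain part is
    not in the map land under "other". Every name in `domains` appears in the
    result, so an empty list is a direct sign that no group from that domain
    was returned for the user.
    """
    by_domain: Dict[str, List[str]] = {name: [] for name in domains}
    by_domain["other"] = []
    sid_to_name = {v: k for k, v in domains.items()}
    for blob in blobs:
        sid = sid_to_string(blob)
        by_domain[sid_to_name.get(domain_of(sid), "other")].append(sid)
    return by_domain


# Constructed sample (not captured from a real forest): two fictitious domain SIDs.
DOMAIN_A_SID = "S-1-5-21-1111-2222-3333"   # "primary" domain that holds the groups
DOMAIN_B_SID = "S-1-5-21-4444-5555-6666"   # domain that holds the user

# What a Domain B DC would hand back for USER 1 under the behaviour described
# above: only Domain B groups (Domain Users, RID 513, plus one custom group).
SAMPLE_TOKEN_GROUPS = [
    string_to_sid(DOMAIN_B_SID + "-513"),
    string_to_sid(DOMAIN_B_SID + "-1105"),
]


def check_user1() -> Dict[str, List[str]]:
    """Classify the constructed tokenGroups sample against both domains."""
    return classify_token_groups(SAMPLE_TOKEN_GROUPS,
                                 {"DomainA": DOMAIN_A_SID, "DomainB": DOMAIN_B_SID})


if __name__ == "__main__":
    result = check_user1()
    for name, sids in result.items():
        print("%-8s %d group(s): %s" % (name, len(sids), ", ".join(sids) or "none"))
    if not result["DomainA"]:
        print("No Domain A group SIDs in tokenGroups: a policy on a Domain A group cannot match.")
```

The domain SIDs to compare against come from the domain objects themselves (the objectSid of each domain's root), so the same classification works for any pair of trusted domains, not just the A/B layout in this report.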

Conditions:
ACS 5.3.0.40.8, VM, two servers in a distributed deployment.

AD set up with multiple domains, all with two-way trusts.

Domain A is the primary domain and holds the groups; Domain B holds the users that are members of those groups.

Users in Domain B are added to the groups in Domain A.

Authorization policies are set up to match users from Domain B against groups in Domain A.