
NAC Manager LDAP Integration with Sub Domain


Userlevel 3
We are using NAC Manager with policies to authenticate our staff, who are coming in wireless from an EWC ...

The authentication works with LDAP against the domain .... username\Domain

Example : Hans.Mustermann@thhf.net

Now we want to integrate the students from our school into this LDAP authentication as well,

but they are located in a subdomain.

Example : Franz.Mustermann@stud.thhf.net

Does this work with NAC Manager from Extreme? We are using NetSight / NAC Manager 6.1.0.

The NAC Manager knows the LDAP connection to the primary domain and is joined to this domain; when a student sends a logon request with his subdomain logon, LDAP should forward this to the subdomain DC ... I think this is more a Windows problem.

I only want to know if there is anybody here who already has a working environment with subdomains and LDAP authentication.

Regards

Christian

PS: Sorry for the bad grammar .. non-native English author

11 replies

Userlevel 7
Should work. Configure advanced AAA rules: based on the username part (subdomain), use a different AAA server/method = different LDAP server/settings. Good luck 🙂
Userlevel 3
Many thanks ... but "should work" is not enough .... 🙂

I want to find someone who has a working NAC Manager LDAP integration with subdomains.

As you write .. different LDAP server settings .. should not work, because as far as I know .. the NAC Manager LDAP joins the domain and always needs the connection to the primary domain ....
Userlevel 3
Hi Christian,

I think the "Should work" of Pala goes more in the direction that you can't be 100% sure in IT ;)

I deployed NAC in multi-domain scenarios, and there you have different kinds of deployments.

If you are able to join the NAC into the different domains, all is fine, e.g. myDomain.com and stud.mydomain.com. But you need 2 LDAP configurations. NAC becomes a domain member of both domains.

If you don't have the privilege for the 2nd domain, you've got a pretty good chance to fail even if the 2 domains have a full trust. In this scenario I would set up a pair of Windows NPS servers and use NAC as a RADIUS proxy for those domains.

Regards
Michael
Userlevel 3
"If you are able to join the NAC into the different domains - all is fine"

This will become the "main question" .. and it is to be feared .. that this will not work.

The solution of using our own NPS on Windows .. and bringing the auth traffic from the EWS directly to the DC of the subdomain, was our alternative idea ...

To manage all LDAP configurations on the NetSight console would be smarter .. but if it's not possible, we will bring the auth directly over NPS to the servers.


Hello Christian,

I have such a solution working. Two different domains, LDAP advanced config and users belonging to different domains.
No problem at all.
You just need to construct reliable criteria for checking domain membership for the user being authenticated, and that is all.
Piotr
Userlevel 3
Hello Piotr,

Many thanks .. you have configured the connection to 2 different LDAP sources via the advanced AAA config, as I understand it .... is this correct?

Could you post me an example of how you divide the users from different domains?
Hope that the attached pic will help you. If not, do not hesitate to ask 🙂

Userlevel 3
OK .. thanks, I will try this ..

The domain there is:

thhf.local and the subdomain is ...

stud.thhf.local

Actually .. there is only a * asterisk in the place for User Match, and the users with LDAP are logging in through wireless clients ... with thhf\username.

So I should only separate the two LDAP connections with ...

User Match: stud.thhf\*

User Match: thhf\*

I will try this in the next days ... and will give a reply ..
It should work. You can check if the condition of the domain name containing "stud" is met and then classify the user to be authenticated by one LDAP server, and if not, classify by the second.
Userlevel 3
Hello Piotr,

Many thanks .. it works ..

I have separated the domains by the logon prefix ... and it works ..

Screenshot for all others 🙂 ... having the same problem.
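As an added illustration (not from the thread and not Extreme's own code), here is a model of the ordered user-match rules Christian ended up with, plus a check that nobody can accidentally shadow them with a catch-all. It assumes first-match evaluation, uses constructed LDAP configuration names, and adds user@domain patterns that go beyond the thhf\ prefix rules described above.

```python
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed rule table modelled on the thread: user-match pattern -> LDAP
# configuration name (names are made up). The list order is the evaluation
# order; this model assumes first match wins, so the more specific stud.thhf
# rules must come before the thhf rules and before the catch-all.
Rule = Tuple[str, str]
AAA_RULES: List[Rule] = [
    ("stud.thhf\\*",      "ldap-stud.thhf.local"),  # stud.thhf\franz.mustermann
    ("*@stud.thhf.local", "ldap-stud.thhf.local"),  # UPN form, beyond the thread
    ("thhf\\*",           "ldap-thhf.local"),       # thhf\hans.mustermann
    ("*@thhf.local",      "ldap-thhf.local"),
    ("*",                 "ldap-thhf.local"),       # catch-all, keep it last
]


def select_ldap(login: str, rules: List[Rule] = AAA_RULES) -> Optional[str]:
    """Return the LDAP configuration of the first rule whose pattern matches
    the login exactly as the client typed it (DOMAIN\\user or user@domain).
    Domain names are case-insensitive, so both sides are lower-cased; fnmatch
    treats '\\' and '.' literally, only '*', '?' and '[...]' are wildcards."""
    login = login.strip().lower()
    for pattern, ldap in rules:
        if fnmatchcase(login, pattern.lower()):
            return ldap
    return None


def shadowed_rules(rules: List[Rule] = AAA_RULES) -> List[str]:
    """Patterns that can never fire because a bare '*' catch-all precedes
    them; such a table silently sends every user to one LDAP server."""
    unreachable: List[str] = []
    catch_all_seen = False
    for pattern, _ in rules:
        if catch_all_seen:
            unreachable.append(pattern)
        elif pattern == "*":
            catch_all_seen = True
    return unreachable


if __name__ == "__main__":
    for login in ("thhf\\hans.mustermann", "stud.thhf\\franz.mustermann",
                  "franz.mustermann@stud.thhf.local"):
        print(f"{login:40} -> {select_ldap(login)}")
    # The original table had only '*': with it first, all logins stay on the
    # primary domain and the stud.thhf rules never fire.
    wrong_order = [("*", "ldap-thhf.local")] + AAA_RULES[:-1]
    print("shadowed:", shadowed_rules(wrong_order))
```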

I'm glad that I could help you 🙂
