ExtremeCloud IQ- Site Engine & Extreme Management Center

  • 1.  Authenticating against two AD domains using the NAC

    Posted 07-21-2017 13:16
    We are migrating from one AD domain to another. Both domains trust each other. We use the NAC to authenticate wireless users in our original domain and that all works well. However, we would like to add authentication to the new domain simultaneously so that users from either domain can authenticate. I've seen this question asked a couple of times previously with no clear answer. Any ideas on how this can be done?

  • 2.  RE: Authenticating against two AD domains using the NAC

    Posted 07-22-2017 14:53

    This article has some information that is helpful:

    Essentially, there need to be two main pieces in place.

    1. A two-way, transitive trust between the domains needs to be in place.

    2. The AAA needs to be configured in order to determine the correct domain controller to be used to authenticate the user.


    If your two domains are Blue and Red:

    The AAA configuration should be set up as follows:

    Blue/* ---> Points to LDAP configuration for Blue domain with AD user defaults
    Red/* ---> Points to LDAP configuration for Red domain with AD user defaults
    host/*.red_domain ---> Points to LDAP configuration for red domain with AD machine auth defaults
    host/*.blue_domain ---> Points to LDAP configuration for blue domain with AD machine auth defaults

    This will work very well for domain-owned machines; however, non-domain machines will require special handling. For any type of BYOD 802.1X authentication that exists, users will have to know to prepend their username and manually identify their domain.

    If they attempt to authenticate with just a username, it will fall through the above rules engine and result in a "misconfigured" error.

    Even if you have a "* Any Any" at the bottom of the LDAP configuration it can only point to one of the domains, so BYOD attempting to authenticate with just "username" will only work for whatever domain you chose for that line.

    There is a feature you can use with registration that can allow users to register without the prepend, but it's not available for 802.1x.

    Let me know if this helps.
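    As an added illustration (not part of the original thread and not Extreme's own code), the rule-matching behaviour described in the answer above modelled in Python: an ordered AAA rule table where the first matching pattern wins, and a bare username falls through to "misconfigured" unless a catch-all line points it at one domain. The LDAP configuration names, the sample usernames and the DOMAIN\user normalisation are assumptions.

```python
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional


class AAARule(NamedTuple):
    pattern: str      # username pattern as written in the answer, e.g. "Blue/*"
    ldap_config: str  # assumed name of the LDAP configuration the rule points to


# Rule table from the answer above, in the order the NAC evaluates it.
RULES: List[AAARule] = [
    AAARule("Blue/*", "ldap-blue-user"),                 # AD user defaults, Blue
    AAARule("Red/*", "ldap-red-user"),                   # AD user defaults, Red
    AAARule("host/*.red_domain", "ldap-red-machine"),    # AD machine auth, Red
    AAARule("host/*.blue_domain", "ldap-blue-machine"),  # AD machine auth, Blue
]


def select_ldap_config(username: str,
                       rules: List[AAARule] = RULES,
                       catch_all: Optional[str] = None) -> Optional[str]:
    """Return the LDAP configuration the rules engine selects for a username.

    Rules are evaluated top to bottom; the first glob match wins.  When no rule
    matches, the optional catch-all ("* Any Any" at the bottom of the table) is
    returned; with no catch-all the request falls through and the result is None,
    which the NAC reports as a "misconfigured" error.
    """
    # Assumption: clients may send DOMAIN\user; treat it like the DOMAIN/user form
    # used in the answer, and compare case-insensitively as AD names are.
    name = username.replace("\\", "/").lower()
    for rule in rules:
        if fnmatchcase(name, rule.pattern.lower()):
            return rule.ldap_config
    return catch_all


def describe(username: str, catch_all: Optional[str] = None) -> str:
    """Human-readable outcome for one authentication attempt."""
    cfg = select_ldap_config(username, catch_all=catch_all)
    return cfg if cfg is not None else "misconfigured"


if __name__ == "__main__":
    # Constructed sample identities: two domain users, one domain machine,
    # and a BYOD user who typed only a bare username.
    for user in ("Blue/jdoe", "RED\\asmith", "host/pc01.red_domain", "jdoe"):
        print(f"{user:25} no catch-all -> {describe(user)}")
        print(f"{user:25} catch-all=Blue -> {describe(user, 'ldap-blue-user')}")
```

The last two lines of output show the point the answer makes: with a catch-all, the bare username "jdoe" is always sent to whichever single domain that line names, regardless of which domain the user actually belongs to.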