Authenticating against two AD domains using the NAC

  • 0
  • 1
  • Question
  • Updated 1 year ago
  • Answered
We are migrating from one AD domain to another.  Both domains trust each other.  We use the NAC to authenticate wireless users in our original domain and that all works good.  However, we would like to add authentication to the new domain simultaneously so that users from either domain can authenticate.  I've seen this question asked a couple times previously with no clear answer.  Any ideas on how this can be done?
Photo of Scott Van Artsdalen

Scott Van Artsdalen

  • 344 Points 250 badge 2x thumb

Posted 1 year ago

  • 0
  • 1
Photo of Yacobucci, Ryan

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

  • 5,322 Points 5k badge 2x thumb
Hello,

This article has some information that is helpful: 
https://gtacknowledge.extremenetworks.com/articles/Q_A/Can-NetSight-Authenticate-a-User-Against-More...

Essentially there needs to be 2 main pieces in place. 

1. 2 way, transitive trust between the domains needs to be in place. 

2. The AAA needs to be configured in order to determine the correct domain controller to be used to authenticate the user. 

EG: 

If your two domains are Blue and Red: 

AAA configuration should be setup as followings: 

Blue/* ---> Points to LDAP configuration for Blue domain with AD user defaults
Red/* ---> Points to LDAP configuration for Red domain with AD user deafutls
host/*.red_domain ---> Points to LDAP configuration for red domain with AD machine auth defaults
host/*.blue_domain ---> Points to LDAP configuration for blue domain with AD machine auth defaults

This will work very well for domain owned machines, however non-domain machines, will require special handling. Any type of BYOD 802.1x authentication that exists users will have to know to prepend their username and manually identify their domain. 

If they attempt to authenticate with just username will fall through the above rules engine and result in a "misconfigured" error. 

Even if you have a "* Any Any" at the bottom of the LDAP configuration it can only point to one of the domains, so BYOD attempting to authenticate with just "username" will only work for whatever domain you chose for that line. 

There is a feature you can use with registration that can allow users to register without the prepend, but it's not available for 802.1x. 

Let me know if this helps.

Thanks
-Ryan