Flexible SSID (Multiple Active Directory)

Question, updated 4 years ago
Hi all,

Is it possible to have a single SSID for two separated Active Directory domains?

Our customer has two different domains, with separate ADs and different VLANs.

Can we configure the Enterasys controller to use only one SSID, authenticate users on both domains, and lead them to the correct VLAN for their domain?

Thanks and regards,

TA

Thiago Almeida

Posted 4 years ago

Doug Hyde, Technical Support Manager

Are both domains accessible from the RADIUS server?

Typically this can be done based on the NPS policy rule hit. Here is an example configuration for two different groups, one SSID...

http://youtu.be/F2psltLUA-c?list=PL0E4DD34E0CB786A5

Thiago Almeida

Hi Doug,

Thanks for your reply.

I watched your video, but from what I understand, the two groups are on the same AD database.

Can I do the same type of configuration but using two different ADs instead of groups?

Like the CORP1.CORP domain on VLAN 101 and the CORP2.CORP domain on VLAN 102, with SSID CORP.

When a user tries to connect to the CORP SSID, would the RADIUS check for its existence on both domains?

If it's a CORP1.CORP domain user, would it be assigned an IP on the VLAN 101 subnet?

They need this because they bought another company and they're merging offices, but the networks must remain logically independent, using the same physical network components (switches, controllers, APs) but different resources, services, and servers.

Replying to your answer, I do not know if it's a VM, so we could have the RADIUS on both VLANs; but if not, is it possible to use two different RADIUS servers to achieve this configuration? One on each domain/VLAN?

Thanks and regards,

TA

Hartmut Sachse

Another idea would be to set up 2 RADIUS servers (one in every domain) and use RADIUS proxy rules to pass RADIUS requests for CORP1.CORP to the RADIUS server of domain CORP2.CORP and vice versa. Communication between the RADIUS servers must be possible.

To decide which requests should be handled locally and which passed to the other RADIUS server, you must use usernames and realms (the idea is used by eduroam for worldwide roaming between wireless infrastructures). These usernames look like a mail address, for example user@corp1.com or user@corp2.com. Try searching for "configure NPS radius" to find some examples.
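The realm-based routing Hartmut describes, and the per-domain VLAN placement Thiago asked about (CORP1.CORP on VLAN 101, CORP2.CORP on VLAN 102), can be modelled in a few lines. The block below is an added example written for this thread; it is not code from the forum, from NPS, or from any Enterasys product. It assumes a hypothetical realm table (the RADIUS hostnames `radius.corp1.corp` and `radius.corp2.corp` are placeholders) and shows the two decisions a RADIUS proxy makes: whether the realm in `User-Name` is handled locally or forwarded, and which RFC 3580 tunnel attributes the authenticating server returns so the controller drops the client into the right VLAN.

```python
"""Realm-based RADIUS proxying with per-domain VLAN assignment (added example).

Models the decision a RADIUS proxy such as NPS makes with connection request
policies: read the realm from User-Name, authenticate locally if the realm is
ours, otherwise forward to the other domain's RADIUS server.  The server that
authenticates the user then returns the tunnel attributes from RFC 3580 that
tell the wireless controller which VLAN to assign.
"""
from dataclasses import dataclass
from typing import Optional

# RFC 2868 / RFC 3580 values used for dynamic VLAN assignment over 802.1X.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Constructed realm table: realm -> (RADIUS server owning that realm, VLAN id).
# Hostnames are placeholders; VLAN ids follow the question in the thread.
REALM_TABLE = {
    "corp1.corp": ("radius.corp1.corp", 101),
    "corp2.corp": ("radius.corp2.corp", 102),
}


@dataclass
class Decision:
    realm: str
    action: str              # "local", "forward" or "reject"
    server: Optional[str]    # RADIUS server that will authenticate the user
    vlan: Optional[int]      # VLAN the controller should place the client in


def split_nai(user_name: str) -> tuple:
    """Split a user@realm Network Access Identifier (RFC 7542).

    Returns (user, realm) with the realm lower-cased; a name without '@'
    yields an empty realm and therefore cannot be routed.
    """
    if "@" not in user_name:
        return user_name, ""
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def route_request(user_name: str, local_realm: str) -> Decision:
    """Decide where an Access-Request for `user_name` is authenticated."""
    realm = split_nai(user_name)[1]
    if realm not in REALM_TABLE:
        # Unknown or missing realm: no server can vouch for this user.
        return Decision(realm, "reject", None, None)
    server, vlan = REALM_TABLE[realm]
    action = "local" if realm == local_realm.lower() else "forward"
    return Decision(realm, action, server, vlan)


def vlan_attributes(vlan: int) -> dict:
    """Access-Accept attributes that put the client on `vlan` (RFC 3580)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    # Constructed sample logins as seen by the CORP1.CORP proxy.
    for name in ["alice@corp1.corp", "bob@CORP2.corp", "carol", "eve@other.example"]:
        d = route_request(name, local_realm="corp1.corp")
        reply = vlan_attributes(d.vlan) if d.vlan is not None else "Access-Reject"
        print(f"{name:22} -> {d.action:7} via {d.server} : {reply}")
```

Two points this makes visible: a login without a realm suffix cannot be routed at all, so the supplicants in both companies must be configured to send the suffix (or the proxy must map MAC/SSID context to a default realm, which the thread does not cover); and the VLAN is decided by whichever server finally authenticates the user, so each domain's server returns its own `Tunnel-Private-Group-ID` and the proxy passes it through unchanged.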

Doug Hyde, Technical Support Manager

The RADIUS server you point to from the controller has to be able to reach both AD servers for username/password validation. If the RADIUS server cannot reach both then this will not work (based on my knowledge).

Hartmut Sachse

I agree Doug. A requirement for the RADIUS server is that both ADs are in the same forest.

Thiago Almeida

Hi Hartmut,

The AD servers are independent from each other, they're not on the same forest.

We are talking about two different physical servers on different subnets.

Can't I make the RADIUS server look for two independent AD servers?

Hartmut Sachse

Is there a trust relationship between the domains? In that case it would also be possible, but I have never tried it. For completely independent domains/AD servers, my first idea is a solution.

Here is an example of configuring NPS for eduroam use:

http://www.kennisnet.nl/fileadmin/contentelementen/kennisnet/Eduroam/Eduroam_in_a_Microsoft_Windows_...

You can adopt the idea for your use case.

Doug Hyde, Technical Support Manager

One other option is to use "Sites" mode for the network you inherited and keep everything local to just that site. The master AP at the site (no more than 32 access points per site) will send the RADIUS request to the RADIUS server that is local and accessible to that site.

Thiago Almeida

Hi Doug and Hartmut,

Thank you both for your replies.

I think I will check the option that Doug gave me, a single RADIUS server polling both ADs.

Thanks and regards,

TA