We are in planning stages of implementing a single NAC appliance at a new common location where users/desktops are members of two untrusted AD domains.
Someone suggested a Proxy-RADIUS 802.1x authentication solution. We are not sure how this will work with 802.1x and DHCP, since the two AD domains are not trusted and are invisible to each other. There is no possibility of any trust relationship between the domains, not even a federated trust.
Does anyone have any suggestions, or has anyone faced the same problem?
Thank you in advance.
Since DHCP is also independent of the domain, you just need to add the NAC as an IP helper, BOOTP relay, or as an additional DHCP server in your network configuration.
Matthew, thank you again.
One last question: a Microsoft DHCP server in the above common network with two domains should not require any special configuration? An IP helper can only point to one DHCP server per interface.
Common network model architects want only a single DHCP server for both domains that don't trust/see each other.
And you should be allowed to have more than one IP helper per address. This is how DHCP redundancy is performed, with multiple DHCP servers.
A single DHCP server is arguably a bad idea, as it is a single point of failure in your network. If your DHCP server goes down, no one will be able to receive an IP on joining/connecting. That said, two separate domains do not need separate DHCP servers, because IP space is independent of user auth domains.
Adding NAC as an additional DHCP server will just snoop and listen in on the requests to gain the MAC-to-IP binding as well as hostname and device profiling information. NAC will NOT respond and offer DHCP leases.
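As an added illustration (not code from anyone in this thread) of the passive listening Matthew describes, here is a Python sketch of what a DHCP snooper learns: the client MAC, hostname, vendor class and option 55 fingerprint from a DISCOVER, and the MAC-to-IP binding from the server's ACK rather than from anything the client claims. The packets, MAC, hostname and addresses are constructed inside the block and are made up.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"
MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE", 8: "INFORM"}
def build_dhcp(op: int, mac: str, yiaddr: str, options: bytes) -> bytes:
    """Construct a sample BOOTP/DHCP datagram (test input only, not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0,
                         0x8000, b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4,
                         b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    return header + MAGIC + options + b"\xff"

def parse_options(area: bytes) -> dict:
    """Walk the TLV option area: PAD (0) is skipped, END (255) stops the walk."""
    opts, i = {}, 0
    while i < len(area) and area[i] != 255:
        if area[i] == 0:
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated DHCP option header")
        tag, length = area[i], area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option %d" % tag)
        opts[tag] = opts.get(tag, b"") + value  # repeated tags concatenate (RFC 3396)
        i += 2 + length
    return opts

def profile(packet: bytes) -> dict:
    """Passive-listener view of one packet. The option 55 request order is the classic
    DHCP OS fingerprint; only the server's ACK (yiaddr) says which lease the MAC got."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts = parse_options(packet[240:])
    kind = MSG.get(opts.get(53, b"\0")[0], "UNKNOWN")
    return {
        "type": kind,
        "mac": ":".join("%02x" % b for b in packet[28:28 + packet[2]]),
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
        "fingerprint": ",".join(str(b) for b in opts.get(55, b"")) or None,
        "ip": str(IPv4Address(packet[16:20])) if kind == "ACK" else None,
    }
# Constructed sample exchange (made-up MAC, hostname and address)
SAMPLE_DISCOVER = build_dhcp(1, "00:11:22:33:44:55", "0.0.0.0",
    b"\x35\x01\x01\x0c\x0dWS-FINANCE-07\x3c\x08MSFT 5.0"
    b"\x37\x0d\x01\x03\x06\x0f\x1f\x21\x2b\x2c\x2e\x2f\x77\x79\xf9")
SAMPLE_ACK = build_dhcp(2, "00:11:22:33:44:55", "10.20.30.41", b"\x35\x01\x05")
```

Feeding `profile(SAMPLE_DISCOVER)` and `profile(SAMPLE_ACK)` into a table keyed by MAC gives exactly the MAC-to-IP plus hostname/fingerprint record a NAC keeps, without the listener ever answering a request.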