NAC authenticating to two isolated/untrusted domains (Proxy-RADIUS)?

  • Question
  • Updated 2 years ago
  • Answered

Hello,


We are in the planning stages of implementing a single NAC appliance at a new common location where users/desktops are members of two untrusted AD domains.

Someone suggested a Proxy-RADIUS 802.1X authentication solution. We are not sure how this will work with 802.1X and DHCP, since the two AD domains are untrusted and invisible to each other...? There is no possibility of any trust relationship between the domains, not even a federated trust...

Microsoft NAP?

Does anyone have any suggestions or faced the same problem ?


Thank You in advance.

Thomas Pasim

Posted 3 years ago

Matthew Hum, Principal Engineer, APAC
Proxy-RADIUS means that the NAC gateway will not be in any domain; RADIUS is domain-independent. You would set up a RADIUS server such as Microsoft NPS in each domain, and NAC would then parse the RADIUS requests and forward each request to the appropriate domain. This allows the requests to be answered separately by each domain, and no trust is necessary.

Since DHCP is also independent of the domain, you just need to add NAC as an IP helper, BOOTP relay target, or additional DHCP server in your network configuration.
Thomas Pasim

Matthew, thank you.

We will surely test this in the lab.

The two domains in question are Win 2003 and Win 2008. NPS is not supported on 2003. Would this be a roadblock?

Thank You again

Matthew Hum, Principal Engineer, APAC
In Windows 2003 the RADIUS server is called IAS (Internet Authentication Service). In Windows 2008, IAS got rolled into the Remote Access server role and the whole thing was renamed Network Policy Server (NPS).
Thomas Pasim

Matthew, thank you again.

One last question: should the Microsoft DHCP server in the above common network with two domains require any special configuration? An IP helper can only point to one DHCP server per interface.

Common network model architects want only a single DHCP server for both domains that don't trust/see each other.

Matthew Hum, Principal Engineer, APAC
You shouldn't need to change anything on your DHCP server.
And you should be allowed to have more than one IP helper per address. This is how DHCP redundancy is performed, with multiple DHCP servers.
A single DHCP server is arguably a bad idea, as it is a single point of failure in your network. If your DHCP server goes down, no one will be able to receive an IP on joining/connecting. That said, two separate domains do not need separate DHCP servers, because IP space is independent of user authentication domains.

Adding NAC as an additional DHCP server will just snoop and listen in on the requests to gain the MAC-to-IP binding as well as hostname and device profiling information. NAC will NOT respond and offer DHCP leases.
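The snooping described in the answer above, as an added example that is not code from the original posts or from any NAC product: a parser that pulls the MAC-to-IP binding and the device-profiling fields (hostname, vendor class, ordered parameter request list) out of relayed DHCP client messages. The packets are constructed inline by a helper in the block; the Windows-like option list and MAC are assumptions for illustration. One caveat worth noting: an IP helper relays only client-to-server broadcasts, so a listener fed that way learns the binding from the REQUEST (option 50 while selecting, ciaddr while renewing), and the ACK branch only fires if server replies are mirrored to it as well.

```python
"""Passive DHCP profiling as a NAC listed as an extra IP-helper target does it.

Added example, not code from the original posts or any NAC product.
The client packets below are constructed, not captured.
"""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the BOOTP header
DISCOVER, REQUEST, ACK = 1, 3, 5
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def parse_options(pkt):
    """Return {code: raw_value} for the options area that follows the cookie."""
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                          # End option
            break
        if code == 0:                            # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated DHCP option")
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def profile(pkt):
    """Extract what a snooping NAC keeps: MAC, IP binding and fingerprint fields."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    mac = pkt[28:28 + hlen].hex(":")                       # chaddr field
    ciaddr = socket.inet_ntoa(pkt[12:16])
    yiaddr = socket.inet_ntoa(pkt[16:20])
    opts = parse_options(pkt)
    mtype = opts.get(53, b"\x00")[0]
    ip = None
    if mtype == REQUEST:
        # SELECTING clients carry the offered address in option 50;
        # RENEWING clients already have it in ciaddr.
        if 50 in opts and len(opts[50]) == 4:
            ip = socket.inet_ntoa(opts[50])
        elif ciaddr != "0.0.0.0":
            ip = ciaddr
    elif mtype == ACK:
        ip = yiaddr                  # only seen if server replies are mirrored too
    return {
        "xid": struct.unpack("!I", pkt[4:8])[0],
        "msg_type": MSG_NAMES.get(mtype, str(mtype)),
        "mac": mac,
        "ip": ip,
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
        # The ordered option-55 list is the classic DHCP OS fingerprint.
        "fingerprint": ",".join(str(b) for b in opts.get(55, b"")),
    }


def build_client_msg(mtype, mac, xid, options, ciaddr=b"\x00" * 4):
    """Construct a BOOTP/DHCP client message (test input, not a capture)."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, xid, secs=0, flags=broadcast
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    hdr += ciaddr + b"\x00" * 12                        # yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + b"\x00" * 192       # chaddr, sname, file
    body = bytes([53, 1, mtype]) + b"".join(bytes([c, len(v)]) + v for c, v in options)
    return hdr + MAGIC + body + b"\xff"


# Constructed sample shaped like a Windows client; values are assumptions.
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_OPTS = [(12, b"WS-042"), (60, b"MSFT 5.0"),
               (55, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]))]


def sample_discover():
    return build_client_msg(DISCOVER, SAMPLE_MAC, 0x3903F326, SAMPLE_OPTS)


def sample_request(offered="10.0.0.23"):
    return build_client_msg(REQUEST, SAMPLE_MAC, 0x3903F326,
                            SAMPLE_OPTS + [(50, socket.inet_aton(offered))])


if __name__ == "__main__":
    for pkt in (sample_discover(), sample_request()):
        print(profile(pkt))
```

Run as-is it prints the DISCOVER profile (no binding yet, but hostname, vendor class and fingerprint) followed by the REQUEST profile, where the same MAC is now tied to 10.0.0.23.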
Rainer Adam
You can also handle this based on the domain the users are trying to log on to. You have to define both domain controllers as RADIUS servers and then make rule matrix entries that ask for the domain of the user: for example, if the username contains "@extremenetworks.com", send the request to RADIUS server 1; if the username contains "@test.com", send the request to RADIUS server 2. I have implemented such a solution once at a customer.
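The realm-based forwarding that both Matthew's first answer and Rainer's reply describe, as an added example that is not code from the original posts or from any NAC product: a minimal RADIUS proxy step that verifies the Access-Request from the switch, reads the realm out of User-Name (both `user@realm` and `DOMAIN\user` spellings), picks the home NPS/IAS for that domain, and re-signs the packet for that hop. The home-server addresses, shared secrets and realm names are constructed. Two points the thread does not spell out but a practitioner will hit: each hop has its own shared secret, so the proxy cannot forward the Message-Authenticator it received and must recompute it, and the realm comes from the outer EAP identity, which the supplicant controls, so each domain's server still has to enforce its own policy on the inner authentication.

```python
"""Realm-based RADIUS proxying, as described in the thread above.

Added example, not code from the original posts or any NAC product.
Home-server addresses, shared secrets and realm names are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# Attribute types used below (RFC 2865, RFC 2869, RFC 3579).
USER_NAME, NAS_IP_ADDRESS, PROXY_STATE, EAP_MESSAGE, MSG_AUTH = 1, 4, 33, 79, 80

NAS_SECRET = b"nas-to-proxy-secret"            # constructed: switch <-> proxy hop
HOME_SERVERS = {                                # constructed: one NPS/IAS per domain
    "A": ("10.1.0.10", b"proxy-to-domainA"),
    "B": ("10.2.0.10", b"proxy-to-domainB"),
}
# Accept both UPN (user@realm) and down-level (DOMAIN\user) spellings.
REALM_TO_HOME = {"corp-a.example": "A", "corpa": "A",
                 "corp-b.example": "B", "corpb": "B"}


def parse_attrs(pkt):
    """Return [(type, value, offset)] for the attribute section of pkt."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute")
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l], i))
        i += l
    return attrs


def sign(code, ident, authenticator, attrs, secret):
    """Serialize attrs and append a Message-Authenticator keyed with secret."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body) + 18) + authenticator
    pkt += body + bytes([MSG_AUTH, 18]) + b"\x00" * 16     # zeroed while hashing
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify(pkt, secret):
    """Check the Message-Authenticator (mandatory for EAP, RFC 3579)."""
    for t, v, off in parse_attrs(pkt):
        if t == MSG_AUTH and len(v) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False


def realm_of(user_name):
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    return None


def route(pkt):
    """Pick the home server for an Access-Request and re-sign it for that hop.

    Returns (home_ip, forwarded_packet), or None when the proxy must answer
    Access-Reject itself (malformed, bad signature, missing or unknown realm).
    """
    try:
        if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or not verify(pkt, NAS_SECRET):
            return None
        attrs = parse_attrs(pkt)
    except ValueError:
        return None
    names = [v for t, v, _ in attrs if t == USER_NAME]
    if len(names) != 1:
        return None
    home = REALM_TO_HOME.get(realm_of(names[0].decode("utf-8", "replace")))
    if home is None:
        return None
    home_ip, home_secret = HOME_SERVERS[home]
    # The inbound signature covered the NAS hop only: strip it, add Proxy-State
    # so the reply can be matched back to this request, sign for the home hop.
    fwd = [(t, v) for t, v, _ in attrs if t != MSG_AUTH]
    fwd.append((PROXY_STATE, bytes([pkt[1]])))
    return home_ip, sign(ACCESS_REQUEST, pkt[1], pkt[4:20], fwd, home_secret)


def make_nas_request(user_name, ident=7):
    """Constructed Access-Request with EAP-Response/Identity, as a switch sends it."""
    name = user_name.encode()
    eap = struct.pack("!BBHB", 2, ident, 5 + len(name), 1) + name   # Response/Identity
    attrs = [(USER_NAME, name), (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])), (EAP_MESSAGE, eap)]
    return sign(ACCESS_REQUEST, ident, os.urandom(16), attrs, NAS_SECRET)


if __name__ == "__main__":
    for name in ("alice@corp-a.example", "CORPB\\bob", "mallory"):
        res = route(make_nas_request(name))
        print(name, "->", res[0] if res else "reject locally")
```

The third sample has no realm at all, which is the case the rule matrix in the thread must also cover: the proxy rejects it rather than guessing a domain.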
Thomas Pasim

Adam,

Thank you. Currently I am testing the two untrusted domains with the 802.1X authentication type and the LDAP authentication method. So the correct way is to change the method from LDAP to Proxy RADIUS?