topic Re: NAC: 2 domains. What is best practice to be able to add a 2nd ldap connection to the other domain controller. (in another network) in ExtremeCloud IQ- Site Engine Management Center

NAC: 2 domains. What is best practice to be able to add a 2nd ldap connection to the other domain controller. (in another network)

Sacha_Brys — Wed, 14 Jul 2021 18:43:41 GMT

I have a customer with two different domain names.

So they have a few domain controllers, each belonging to his domain.

I am setting up Extreme cloud IQ site engine with NAC

NAC: 2 domains. What is best practice to be able to add a 2nd ldap connection to the other domain controller. (in another network).

Thanks in advance

greetz

Sacha

Re: NAC: 2 domains. What is best practice to be able to add a 2nd ldap connection to the other domain controller. (in another network)

Stefan_K_ — Wed, 14 Jul 2021 19:04:17 GMT

In the AAA config you can define which LDAP-config should be used based on the username or hostname.
e.g.:
Domain1\* → use LDAP config “Domain1”
Domain2\* → use LDAP config “Domain2”

Do you also plan to do 802.1x authentication and have 2 PKIs in use?

Best regards
Stefan

Re: NAC: 2 domains. What is best practice to be able to add a 2nd ldap connection to the other domain controller. (in another network)

Sacha_Brys — Wed, 14 Jul 2021 21:05:34 GMT

Thanks for your feedback Stefan.
I am planning 802.1x authentication, why should I need PKI’s?
Are you able to send me a screenshot where exactly to define the username or hostname please?
Cannot find it...

NAC does not need to have another interface in that other vlan, where the other Domain controller is in? I have to set this up by routing I assume then?

Re: NAC: 2 domains. What is best practice to be able to add a 2nd ldap connection to the other domain controller. (in another network)

StephanH — Thu, 15 Jul 2021 02:43:31 GMT

Hello Sacha,

if you are using 802.1x with EAP-TLS, then the NAC can validate the certificates of the clients. Hence the question whether the certificates are created by one or two PKIs. With PEAP, however, client certificates are not necessary.

You do not need a second interface the LDAP and Radius communication is layer 3.

Below a picture of the AAA config. The users mentioned by Stefan are in column 2. In the picture you can see a * which matches every username.