https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39327#M2274 I'm glad that I could help You  Mon, 15 Jun 2015 10:53:00 GMT Piotr_Owczarek 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39316#M2263 We are using NAC Manager with policys to authentificate our Staff which ist coming wireless from a EWC ... <BR /> <BR /> The Authentification works with LDAP against the Domain. .... username\Domain <BR /> <BR /> Example : <A href="https://mailto:Hans.Mustermann@thhf.net" target="_blank" rel="nofollow noreferrer noopener">Hans.Mustermann@thhf.net</A><BR /> <BR /> Now we want to integrate also the students from our School into this ldap authentification,<BR /> <BR /> but they are located into an subdomain.<BR /> <BR /> Example : <A href="https://mailto:Franz.Mustermann@stud.thhf.net" target="_blank" rel="nofollow noreferrer noopener">Franz.Mustermann@stud.thhf.net</A><BR /> <BR /> Does this work with Nac Manger from Extreme ?? , we are using Netsight / NAC Manager 6.1.0<BR /> <BR /> The Nac Manager know the ldap Connection to the Primary Domain and is joined into this Domain, rather a Student send a logon request with his subdomain logon, the ldap should forward this to the subdomain DC ... i think this is more a Windows Problem.<BR /> <BR /> I only want to know if here is anybody who has already a working Environment with subdomains and LDAP Authentification.<BR /> <BR /> Regards <BR /> <BR /> Christian<BR /> <BR /> PS : Sorry for bad gramma .. non native english author<BR /> <BR /> Mon, 15 Jun 2015 10:44:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39316#M2263 info_systemhaus 2015-06-15T10:44:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39317#M2264 Should work. Configure advanced AAA rules : based on the username part (subdimain) use different aaa server/method = different LDAP server/settings. Good luck  Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39317#M2264 Zdeněk_Pala 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39318#M2265 Many THX ... but should work is not enough....  <BR /> <BR /> I want to find someone who has a working NAC Manager LDAP Integration with Sub Domains <BR /> <BR /> As you write .. different LDAP Server Settings .. should not work, because as far as i know .. the Nac Manager LDAP join the Domain and Need every time the connect to the Primary Domain .... <BR /> <BR /> Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39318#M2265 info_systemhaus 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39319#M2266 Hi Christian,<BR /> <BR /> I think the "Should work" of Pala goes more in the direction that you can't be 100% sure in IT <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /> <BR /> I deployed NAC in multi domain scenarios and you there you have different kind of deployments.<BR /> <BR /> If you are able to join the NAC into the different domains - all is fine. Eg. myDomain.comand stud.mydomain.com. But you need 2 LDAP Configurations. NAC gets Domain member of both domains.<BR /> <BR /> If you don't have the priveledge for the 2nd domain you've got a pretty good chance to fail even if the 2 domains have a full trust. In this scenario I would set up a pair of Windows NPS servers and use NAC for that domains as a radius proxy.<BR /> <BR /> Regards<BR /> Michael Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39319#M2266 Michael_Kirchne 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39320#M2267 <I><B>If you are able to join the NAC into the different domains - all is fine</B></I><BR /> <BR /> This will become the "Main Question" .. and it´s to be feared .. that this will not work.<BR /> <BR /> The solution with using an own NPS on Windows .. and bring the Auth- Traffic from the EWS direct to the DC of the subdomain, was our alternative Idea ... <BR /> <BR /> To manage all LDAP Configurations on the netsight console would be more smart .. but if it´s not possible, we will bring the Auth direct over NPS to the Servers .<BR /> <BR /> <I><BR /> </I><BR /> <BR /> Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39320#M2267 info_systemhaus 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39321#M2268 Hello Christian,<BR /> <BR /> I have such solution working. Two different domains, LDAP Advanced config and users belonging to different domains. <BR /> No problem at all.<BR /> You just need to construct reliable criteria for checking domain membership for user being authenticated, and that is all.<BR /> Piotr Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39321#M2268 Piotr_Owczarek 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39322#M2269 Hello Piotr,<BR /> <BR /> many thx .. you have configured the connection to 2 different LDAP Sources as i understand via the advancec AAA Config .... is this correct ? <BR /> <BR /> Could you post me an example how you can divide the users from different Domains ? <BR /> <BR /> Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39322#M2269 info_systemhaus 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39323#M2270 Hope that Attached pic will help You. If not do not hesitate to ask <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="b1b06c7cd073413f92e2cabe53c3d3b2_RackMultipart20150615-11317-1c74r4x-LDAP_inline.jpg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/17i1756C3F5EC95B504/image-size/large?v=v2&amp;px=999" role="button" title="b1b06c7cd073413f92e2cabe53c3d3b2_RackMultipart20150615-11317-1c74r4x-LDAP_inline.jpg" alt="b1b06c7cd073413f92e2cabe53c3d3b2_RackMultipart20150615-11317-1c74r4x-LDAP_inline.jpg" /></span></P> Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39323#M2270 Piotr_Owczarek 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39324#M2271 ok .. thx i will try this ..<BR /> <BR /> The Domain there is :<BR /> <BR /> <B>thhf.local</B> and the subdomain is ... <BR /> <BR /> <B>stud.thhf.local</B><BR /> <BR /> Actualy .. there is only * asterisk on the Place for User Match. and the users with ldap are loging through wireless Clients ... with thhf\username .<BR /> <BR /> So i only should separate the two ldap Connections with ...<BR /> <BR /> User Match : stud.thhf\*<BR /> <BR /> User Match : thhf\*<BR /> <BR /> I will try this into next days ... and will give a reply ..<BR /> <BR /> Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39324#M2271 info_systemhaus 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39325#M2272 It should work. You can check if the condition of domain name containing "stud" is met and then classify user to be authenticated by one LDAP server and if not classify by the second. Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39325#M2272 Piotr_Owczarek 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39326#M2273 Hello Piotr,<BR /> <BR /> many thx .. it works ..<BR /> <BR /> I have separated the Domains by the Logon Praefix ...an it works ..<BR /> <BR /> Screenshot for all others <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ... having the same Problem.<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="975feb16f2c34149b6fa6d642094e262_RackMultipart20150616-30865-19splu0-THH_Domain_2_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/705i312EB495E31EDA0F/image-size/large?v=v2&amp;px=999" role="button" title="975feb16f2c34149b6fa6d642094e262_RackMultipart20150616-30865-19splu0-THH_Domain_2_inline.png" alt="975feb16f2c34149b6fa6d642094e262_RackMultipart20150616-30865-19splu0-THH_Domain_2_inline.png" /></span></P> Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39326#M2273 info_systemhaus 2015-06-15T10:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39327#M2274 I'm glad that I could help You  Mon, 15 Jun 2015 10:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/nac-manager-ldap-integration-with-sub-domain/m-p/39327#M2274 Piotr_Owczarek 2015-06-15T10:53:00Z