Hello,
This article has some information that is helpful:
https://gtacknowledge.extremenetworks.com/articles/Q_A/Can-NetSight-Authenticate-a-User-Against-More...
Essentially there needs to be 2 main pieces in place.
1. A 2-way, transitive trust between the domains needs to be in place.
2. The AAA needs to be configured in order to determine the correct domain controller to be used to authenticate the user.
EG:
If your two domains are Blue and Red:
AAA configuration should be set up as follows:
Blue/* ---> Points to LDAP configuration for Blue domain with AD user defaults
Red/* ---> Points to LDAP configuration for Red domain with AD user defaults
host/*.red_domain ---> Points to LDAP configuration for red domain with AD machine auth defaults
host/*.blue_domain ---> Points to LDAP configuration for blue domain with AD machine auth defaults
This will work very well for domain-owned machines; however, non-domain machines will require special handling. For any type of BYOD 802.1x authentication that exists, users will have to know to prepend their username and manually identify their domain.
If they attempt to authenticate with just the username, it will fall through the above rules engine and result in a "misconfigured" error.
Even if you have a "* Any Any" at the bottom of the LDAP configuration it can only point to one of the domains, so BYOD attempting to authenticate with just "username" will only work for whatever domain you chose for that line.
There is a feature you can use with registration that can allow users to register without the prepend, but it's not available for 802.1x.
Let me know if this helps.
Thanks
-Ryan
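As an added illustration (not part of Ryan's reply and not Extreme's own rule engine or configuration format), the following Python models the top-to-bottom AAA rule matching described above, so you can check which usernames would fall through to "misconfigured" and where a single "* Any Any" catch-all sends bare usernames. The rule table, LDAP configuration names and sample usernames are constructed for the example.

```python
import fnmatch

# Constructed model of the AAA rule table from the post: each rule is
# (username pattern, authentication type, location, LDAP configuration).
# Rules are evaluated top to bottom and the first match wins.
AAA_RULES = [
    ("Blue/*",             "Any", "Any", "ldap-blue-user"),
    ("Red/*",              "Any", "Any", "ldap-red-user"),
    ("host/*.red_domain",  "Any", "Any", "ldap-red-machine"),
    ("host/*.blue_domain", "Any", "Any", "ldap-blue-machine"),
]

# Same table with a "* Any Any" catch-all at the bottom. It can only point at
# one domain; Blue is chosen here purely as an assumption for the example.
AAA_RULES_WITH_CATCHALL = AAA_RULES + [("*", "Any", "Any", "ldap-blue-user")]


def resolve_ldap_config(username, rules, auth_type="802.1x", location="Any"):
    """Return the LDAP configuration the rules pick for a request,
    or 'misconfigured' when no rule matches (the fall-through case)."""
    for pattern, rule_auth, rule_loc, ldap_config in rules:
        if rule_auth != "Any" and rule_auth != auth_type:
            continue
        if rule_loc != "Any" and rule_loc != location:
            continue
        # AD names are case-insensitive, so compare both sides lowercased.
        if fnmatch.fnmatchcase(username.lower(), pattern.lower()):
            return ldap_config
    return "misconfigured"


def unmatched_requests(usernames, rules):
    """Audit helper: list the usernames that would hit 'misconfigured',
    i.e. the BYOD-style logins that did not prepend a domain."""
    return [u for u in usernames if resolve_ldap_config(u, rules) == "misconfigured"]


if __name__ == "__main__":
    for name in ["Blue/alice", "Red/bob", "host/pc01.red_domain", "bob"]:
        print(name, "->", resolve_ldap_config(name, AAA_RULES))
    print("fall-through:", unmatched_requests(["Red/bob", "bob"], AAA_RULES))
    # With the catch-all, a bare "bob" from the Red domain is sent to Blue.
    print("bob with catch-all ->", resolve_ldap_config("bob", AAA_RULES_WITH_CATCHALL))
```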