07-14-2021 11:43 AM
I have a customer with two different domain names.
So they have a few domain controllers, each belonging to its own domain.
I am setting up ExtremeCloud IQ Site Engine with NAC.
NAC: 2 domains. What is the best practice to be able to add a 2nd LDAP connection to the other domain controller (in another network)?
Thanks in advance
greetz
Sacha
07-14-2021 07:43 PM
Hello Sacha,
If you are using 802.1x with EAP-TLS, then the NAC can validate the certificates of the clients. Hence the question whether the certificates are created by one or two PKIs. With PEAP, however, client certificates are not necessary.
You do not need a second interface; the LDAP and RADIUS communication is layer 3.
Below is a picture of the AAA config. The users mentioned by Stefan are in column 2. In the picture you can see a * which matches every username.
07-14-2021 02:05 PM
Thanks for your feedback, Stefan.
I am planning 802.1x authentication; why should I need PKIs?
Are you able to send me a screenshot of where exactly to define the username or hostname, please?
I cannot find it...
Does NAC not need another interface in the other VLAN, where the other domain controller is? I assume I have to set this up by routing then?
07-14-2021 12:04 PM
In the AAA config you can define which LDAP config should be used based on the username or hostname.
e.g.:
Domain1\* → use LDAP config "Domain1"
Domain2\* → use LDAP config "Domain2"
Do you also plan to do 802.1x authentication and have 2 PKIs in use?
Best regards
Stefan
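As an added example that is not part of this thread or of Site Engine itself, the rule lookup Stefan describes modelled in Python: an ordered table of username/hostname patterns mapped to LDAP config names, with the "*" catch-all row last so it does not shadow the domain-specific rows. The rule names, the UPN-to-NetBIOS mapping and the ordering check are assumptions for illustration.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LdapRule:
    pattern: str      # glob on the normalized identity, e.g. r"Domain1\*"
    ldap_config: str  # name of the LDAP configuration to select


# Constructed rule table mirroring the AAA config discussed in the thread.
# Rules are evaluated top to bottom; the "*" row must stay last, otherwise it
# matches every username and the domain-specific rows never fire.
RULES = [
    LdapRule(r"Domain1\*", "Domain1"),
    LdapRule(r"Domain2\*", "Domain2"),
    LdapRule("*", "Default"),
]


def normalize_identity(identity: str) -> str:
    """Map identity forms seen in 802.1x requests to DOMAIN\\user.

    Accepts 'DOMAIN\\user', 'user@domain.example' (UPN) and bare host names.
    """
    identity = identity.strip()
    if "\\" in identity:
        return identity
    if "@" in identity:
        user, _, realm = identity.partition("@")
        # Assumption: the NetBIOS domain is the leftmost DNS label of the UPN suffix.
        return f"{realm.split('.')[0]}\\{user}"
    return identity


def select_ldap_config(identity: str, rules: List[LdapRule] = RULES) -> Optional[str]:
    """Return the LDAP config name of the first matching rule (case-insensitive)."""
    ident = normalize_identity(identity).lower()
    for rule in rules:
        if fnmatch.fnmatchcase(ident, rule.pattern.lower()):
            return rule.ldap_config
    return None


def validate_rule_order(rules: List[LdapRule]) -> List[str]:
    """Warn about a '*' catch-all row that shadows later, more specific rows."""
    warnings = []
    for i, rule in enumerate(rules):
        if rule.pattern == "*" and i != len(rules) - 1:
            warnings.append(f"rule {i} '*' shadows {len(rules) - 1 - i} later rule(s)")
    return warnings
```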