NAC: 2 domains. What is best practice to be able to add a 2nd ldap connection to the other domain controller. (in another network)

Sacha_Brys
Contributor

I have a customer with two different domain names.

So they have a few domain controllers, each belonging to its own domain.

I am setting up Extreme cloud IQ site engine with NAC

NAC: 2 domains. What is best practice to be able to add a 2nd ldap connection to the other domain controller. (in another network).

Thanks in advance

greetz

Sacha

1 ACCEPTED SOLUTION

StephanH
Valued Contributor III

Hello Sacha,

If you are using 802.1X with EAP-TLS, then the NAC can validate the certificates of the clients. Hence the question whether the certificates are created by one or two PKIs. With PEAP, however, client certificates are not necessary.

You do not need a second interface; the LDAP and RADIUS communication is layer 3.

Below is a picture of the AAA config. The users mentioned by Stefan are in column 2. In the picture you can see a * which matches every username.

[Screenshot: AAA configuration, with the username patterns in column 2 and a trailing * catch-all rule]

Regards Stephan

3 REPLIES

Sacha_Brys
Contributor

Thanks for your feedback, Stefan.
I am planning 802.1X authentication; why should I need PKIs?
Are you able to send me a screenshot of where exactly to define the username or hostname, please?
I cannot find it...

So the NAC does not need another interface in the other VLAN where the other domain controller is? I assume I then have to set this up by routing?

Stefan_K_
Valued Contributor

In the AAA config you can define which LDAP config should be used based on the username or hostname.
e.g.:
Domain1\* → use LDAP config "Domain1"
Domain2\* → use LDAP config "Domain2"

Do you also plan to do 802.1x authentication and have 2 PKIs in use?

Best regards
Stefan
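The username/hostname-to-LDAP-config mapping that Stefan describes, and the trailing * catch-all row in Stephan's screenshot, modelled as an added Python example. This is not code from the thread or from ExtremeCloud IQ Site Engine; the domain names, LDAP config names, the UPN (user@realm) and host/ machine-account identity forms, and the AAARule helper are assumptions made for illustration.

```python
"""Added example: a rule table that picks an LDAP configuration for a RADIUS
identity, in the style of the NAC AAA config discussed in the thread.

Everything here (rule names, domains, identity forms) is a constructed
assumption, not the product's own data structures or API.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AAARule:
    """One row of the hypothetical AAA mapping table."""
    pattern: str       # glob matched against the authenticating identity
    ldap_config: str   # name of the LDAP configuration to query


# Constructed rule set. Rows are evaluated top to bottom, first match wins,
# so the "*" catch-all (as in Stephan's screenshot) must stay last.
RULES: List[AAARule] = [
    AAARule(r"DOMAIN1\*", "Domain1"),              # NetBIOS form DOMAIN1\user
    AAARule(r"DOMAIN2\*", "Domain2"),
    AAARule("*@domain1.example", "Domain1"),       # UPN form user@realm
    AAARule("*@domain2.example", "Domain2"),
    AAARule("host/*.domain1.example", "Domain1"),  # machine-auth identity
    AAARule("host/*.domain2.example", "Domain2"),
    AAARule("*", "Domain1"),                       # catch-all, must stay last
]


def select_ldap_config(identity: str, rules: List[AAARule] = RULES) -> Optional[str]:
    """Return the LDAP config of the first rule whose pattern matches.

    Comparison is case-insensitive on both sides. fnmatchcase is used so the
    result does not depend on the host OS's filename-case rules; the
    backslash in DOMAIN1\\* is a literal character to fnmatch, not an escape.
    """
    ident = identity.casefold()
    for rule in rules:
        if fnmatch.fnmatchcase(ident, rule.pattern.casefold()):
            return rule.ldap_config
    return None  # no row matched and there is no catch-all


def unreachable_rules(rules: List[AAARule]) -> List[AAARule]:
    """Rows that can never fire because an earlier "*" row matches everything.

    A misplaced catch-all silently sends every user to one domain's LDAP,
    which is the classic mistake when adding a second domain to the table.
    """
    shadowed: List[AAARule] = []
    catch_all_seen = False
    for rule in rules:
        if catch_all_seen:
            shadowed.append(rule)
        elif rule.pattern == "*":
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    # Constructed sample identities as a RADIUS server would see them.
    for ident in ["DOMAIN2\\bob", "alice@domain1.example",
                  "host/pc07.domain2.example", "carol"]:
        print(f"{ident:32} -> {select_ldap_config(ident)}")
    bad_order = [RULES[-1]] + RULES[:-1]   # catch-all moved to the top
    print("shadowed rows when * is first:", len(unreachable_rules(bad_order)))
```

Running the block prints which configuration each constructed identity resolves to and shows that moving the * row to the top shadows every domain-specific row. When adding the second domain's rows to a real AAA table, the same check applies: put the specific Domain1\* and Domain2\* rows above the catch-all, and decide explicitly which domain (if any) the catch-all should fall back to.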
