
Flexible SSID (Multiple Active Directory)


Thiago_Almeida
New Contributor
Hi all,

Is it possible to have a single SSID for two separate Active Directory domains?

Our customer has two different domains, with separate ADs and different VLANs.

Can we configure the Enterasys controller to use only one SSID and authenticate users on both domains, leading them to the correct VLAN for their domain?

Thanks and regards,

TA
9 REPLIES 9

hsachse
New Contributor III
I agree, Doug. A requirement for the RADIUS server is that both ADs are in the same forest.

Doug
Extreme Employee
The RADIUS server you point to from the controller has to be able to reach both AD servers for username/password validation. If the RADIUS server cannot reach both then this will not work (based on my knowledge).
Doug Hyde
Director, Technical Support / Extreme Networks

hsachse
New Contributor III
Another idea would be to set up 2 RADIUS servers (one in every domain) and use RADIUS proxy rules to pass RADIUS requests for CORP1.CORP to the RADIUS server of domain CORP2.CORP and vice versa. Communication between the RADIUS servers must be possible.

To decide which requests should be handled locally and which passed to the other RADIUS server, you must use usernames and realms (the idea is used by eduroam for worldwide roaming between wireless infrastructures). These usernames look like a mail address, for example user@corp1.com or user@corp2.com. Try searching for "configure NPS radius" to find some examples.
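
The realm-based routing described in the reply above, as an added example that is not part of the original thread or any vendor's code. The realm names and VLAN IDs are the ones used in this thread; the server labels, the default-deny handling of unknown realms, and the use of RFC 3580 tunnel attributes for VLAN assignment are assumptions.

```python
# Added illustration: realm-based routing and VLAN assignment for one SSID.
# Realms and VLAN IDs come from the thread; server labels are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    radius_server: str   # hypothetical label for the realm's home RADIUS server
    vlan_id: int

REALMS = {
    "corp1.corp": Route("radius-corp1", 101),
    "corp2.corp": Route("radius-corp2", 102),
}

def split_identity(identity: str):
    """Return (user, realm) from user@realm or REALM\\user; realm is None if absent."""
    identity = identity.strip()
    if "\\" in identity:
        realm, _, user = identity.partition("\\")
    elif "@" in identity:
        user, _, realm = identity.rpartition("@")
    else:
        return identity, None
    # Realms are compared case-insensitively, ignoring a trailing dot.
    return user, realm.lower().rstrip(".") or None

def decide(identity: str, local_server: str):
    """Decide how the RADIUS server that received the request should treat it."""
    user, realm = split_identity(identity)
    route = REALMS.get(realm) if realm else None
    if not user or route is None:
        # Unknown or missing realm: reject rather than guess a domain or VLAN.
        return {"action": "reject", "reason": "unknown or missing realm"}
    action = "authenticate-locally" if route.radius_server == local_server else "proxy"
    return {
        "action": action,
        "server": route.radius_server,
        # Assumed RFC 3580 attributes the home server returns on Access-Accept.
        "reply_attributes": {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(route.vlan_id),
        },
    }

if __name__ == "__main__":
    # Constructed sample identities.
    for ident in ("alice@corp1.corp", "CORP2.CORP\\bob", "carol", "dave@other.example"):
        print(ident, "->", decide(ident, local_server="radius-corp1"))
```

Rejecting identities with no realm or an unlisted realm keeps a user from landing on the wrong domain's VLAN by default.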

Thiago_Almeida
New Contributor
Hi Doug,

Thanks for your reply.

I watched your video, but from what I understand the two groups are on the same AD database.

Can I do the same type of configuration but using two different ADs instead of groups?

Like CORP1.CORP domain on VLAN 101 and CORP2.CORP domain on VLAN 102 with SSID CORP.

When a user tries to connect to the CORP SSID, the RADIUS would check for their existence on both domains?

If it's a CORP1.CORP domain user, it would be assigned an IP on the VLAN 101 subnet?

They need this because they bought another company and they're merging offices, but the networks must remain logically independent, using the same physical network components (switches, controllers, APs) but different resources, services, servers.

Replying to your answer, I do not know if it's a VM so we can have the RADIUS on both VLANs, but if not, is it possible to use two different RADIUS servers to achieve this configuration? One on each domain/VLAN?

Thanks and regards,

TA

Doug
Extreme Employee
Are both domains accessible from the RADIUS server?

Typically this can be done based on the NPS policy rule hit. Here is an example configuration for two different groups, one SSID...

http://youtu.be/F2psltLUA-c?list=PL0E4DD34E0CB786A5
Doug Hyde
Director, Technical Support / Extreme Networks