NAC authenticating to two isolated/untrusted domains (Proxy-RADIUS)?

Thomas_Pasim
New Contributor
Hello,

We are in the planning stages of implementing a single NAC appliance at a new common location where users/desktops are members of two untrusted AD domains.

Someone suggested a Proxy-RADIUS 802.1x authentication solution. We are not sure how this will work with 802.1x and DHCP, since the two AD domains are not trusted and are invisible to each other...? There is no possibility of any trust relationship between the domains, not even a federated trust...

Microsoft NAP?

Does anyone have any suggestions, or has anyone faced the same problem?

Thank You in advance.

7 REPLIES

Matthew_Hum1
Extreme Employee
In Windows 2003 the RADIUS server is called IAS (Internet Authentication Server). In Windows 2008, IAS got rolled into the Remote Access server and they renamed it all Network Policy Server (NPS).

Thomas_Pasim
New Contributor
Matthew, thank you.

We will surely test this in the lab.

The two domains in question are Win 2003 and Win 2008. NPS is not supported in 2003. Would this be a roadblock?

Thank You again

Matthew_Hum1
Extreme Employee
Proxy-RADIUS means that the NAC gateway will not be in any domain and RADIUS is domain independent. You would set up a RADIUS server such as Microsoft NPS in each domain, and then NAC would parse the RADIUS requests and then forward the request to the appropriate domain. This allows the requests to be answered separately by each domain and no trust is necessary. Since DHCP is also independent of domain, you just need to add NAC as an ip-helper, bootprelay, or as an additional DHCP server in your network configuration.
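Matthew's answer has the NAC parse each request and forward it to the RADIUS server of the right domain. As an added illustration, not Extreme NAC code or anything posted in this thread, here is a small Python routine that does that realm-based dispatch from the User-Name; the domain names, server addresses and NetBIOS prefixes are constructed, and an identity with an unknown or missing realm is rejected rather than sent to a default domain, so a user from one domain is never tried against the other.

```python
"""Realm-based proxy-RADIUS routing: choose the upstream RADIUS server
(the NPS/IAS of each AD domain) from the User-Name a supplicant sends.
Hypothetical helper written for this thread; all values are constructed."""
import re

# Constructed mapping: DNS realm -> upstream RADIUS server for that domain.
# secret_id names the per-upstream shared secret (kept outside this file).
UPSTREAMS = {
    "corpa.local": {"host": "10.1.0.5", "port": 1812, "secret_id": "nps-corpa"},
    "corpb.local": {"host": "10.2.0.5", "port": 1812, "secret_id": "ias-corpb"},
}
# NetBIOS-style prefixes (DOMAIN\user) map onto the DNS realms above.
NETBIOS_TO_REALM = {"CORPA": "corpa.local", "CORPB": "corpb.local"}

_UPN = re.compile(r"^(?P<user>[^@\\/]+)@(?P<realm>[^@\\/]+)$")      # user@realm
_NETBIOS = re.compile(r"^(?P<dom>[^@\\/]+)\\(?P<user>[^@\\/]+)$")   # DOMAIN\user


def split_identity(user_name: str):
    """Return (user, realm). realm is None for a bare user name or an
    unrecognised NetBIOS prefix; malformed names fall through as bare."""
    m = _UPN.match(user_name)
    if m:
        return m.group("user"), m.group("realm").lower()
    m = _NETBIOS.match(user_name)
    if m:
        return m.group("user"), NETBIOS_TO_REALM.get(m.group("dom").upper())
    return user_name, None


def route_request(user_name: str):
    """Pick the upstream for an Access-Request, or None to reject it.
    No realm, or a realm not in UPSTREAMS, means no upstream: the proxy
    must not guess a domain on the supplicant's behalf."""
    _, realm = split_identity(user_name)
    if realm is None or realm not in UPSTREAMS:
        return None
    return UPSTREAMS[realm]


if __name__ == "__main__":
    for name in ("alice@corpa.local", "CORPB\\bob", "carol", "dave@other.example"):
        target = route_request(name)
        print(f"{name:20} -> {target['host'] if target else 'REJECT'}")
```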