NAC authenticating to two isolated/untrusted domains (Proxy-RADIUS)?

Thomas_Pasim
New Contributor
Hello,

We are in the planning stages of implementing a single NAC appliance at a new common location where users/desktops are members of two untrusted AD domains.

Someone suggested a Proxy-RADIUS 802.1x authentication solution. We are not sure how this will work with 802.1x and DHCP, since the two AD domains are not trusted and are invisible to each other. There is no possibility of any trust relationship between the domains, not even a federated trust.

Microsoft NAP?

Does anyone have any suggestions or faced the same problem ?

Thank you in advance.

7 REPLIES

Thomas_Pasim
New Contributor
Adam,

Thank you. Currently I am testing the dual untrusted domain with 802.1x as the auth. type and LDAP as the auth. method. So the correct way is to change the method from LDAP to Proxy RADIUS?

Rainer_Adam
New Contributor III
You can also handle this based on the domain the users are trying to log on to. You have to define both domain controllers as RADIUS servers and then make rule matrix entries that check the domain of the user; for example, if the username contains "@extremenetworks.com", send the request to RADIUS server 1, and if the username contains "@test.com", send the request to RADIUS server 2. I have implemented such a solution once at one customer.
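The realm-based routing Rainer describes, written out as an added example (not code from this thread or from Extreme's NAC): the User-Name is split into user and realm, the realm selects the RADIUS server of its own domain, and a request whose realm matches neither domain is rejected rather than sent to a default server. The server hostnames and NetBIOS names are constructed placeholders, and the code also covers the DOMAIN\user and host/ machine-authentication name forms, which the post does not mention.

```python
from typing import Dict, Optional, Tuple

# Constructed realm table (not from the original thread): realm, lower-cased,
# mapped to the RADIUS server of the AD domain that owns it. Each domain is
# listed under its DNS name and its NetBIOS name; hostnames are placeholders.
REALM_ROUTES: Dict[str, str] = {
    "extremenetworks.com": "radius1.example.invalid",
    "extremenetworks": "radius1.example.invalid",
    "test.com": "radius2.example.invalid",
    "test": "radius2.example.invalid",
}


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS User-Name into (user, realm); realm is None if absent.

    Handles the UPN form "user@realm" from the post, the NetBIOS form
    "REALM\\user" sent by many Windows supplicants, and the machine-auth
    form "host/computer.realm" used when the desktop itself authenticates.
    """
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        host, _, realm = fqdn.partition(".")
        return host, (realm.lower() or None)
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm.lower()
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    return user_name, None


def route_request(user_name: str) -> Optional[str]:
    """Return the home RADIUS server for this User-Name, or None to reject.

    There is deliberately no default server: a request with no realm, or with
    a realm belonging to neither domain, is rejected instead of being tried
    against the other domain's controller.
    """
    _, realm = split_realm(user_name)
    if not realm:
        return None
    return REALM_ROUTES.get(realm)
```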

Matthew_Hum1
Extreme Employee
You shouldn't need to change anything on your DHCP server, and you should be allowed to have more than one IP helper per address. This is how DHCP redundancy is performed, with multiple DHCP servers. A single DHCP server is arguably a bad idea, as it is a single point of failure in your network. If your DHCP server goes down, no one will be able to receive an IP on joining/connecting. That said, two separate domains do not need separate DHCP servers, because IP space is independent of user auth domains. Adding NAC as an additional DHCP server will just snoop and listen in on the requests to gain the MAC-to-IP binding as well as hostname and device profiling information. NAC will NOT respond and offer DHCP leases.

Thomas_Pasim
New Contributor
Matthew, thank you again.

One last question: the Microsoft DHCP server in the above common network with two domains should not require any special configuration? IP helper can only point to one DHCP server per interface.

Common network model architects want only a single DHCP server for both domains that don't trust/see each other.
