I am planning a NAC installation for a location with 5 branch sites. The NAC will be configured in a L3 Out-of-Band at the central site. The NAC is being used only for authentication and authorisation at this time and not posture assessment.
At the central site, there are multiple Active Directory forests and domains, some with trust, some without. I plan on connecting to each using LDAP to determine user role.
At the main site, depending on the user role, you will be placed in an associated VLAN. So user1 in domain1 will be in VLAN100, and user1 in Domain2 will be in VLAN200, etc. Guests will be in a guest VLAN.
However, at the branches, no such VLANs will be configured, and authenticated users will be placed into a single VLAN. At the branches the majority of users would be members of one domain only, while only one or two would be members of another domain, so it just didn't make any sense to create VLANs for them.
I am looking for a way to let those users at the branches who belong to the different domain log on, but be members of the same VLAN as the other authenticated users. Guests logging on, regardless of location, must be in the guest VLAN.
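One way to express the authorization policy described in the post (per-domain VLANs at the central site, a single VLAN for all authenticated users at the branches, a guest VLAN everywhere, reject anything unrecognised) is as a small decision function keyed on the switch that sent the request. This is an added illustration, not the poster's configuration: the site subnets, the branch VLAN, the guest VLAN id and the RFC 3580 attribute names are assumptions, only the domain1/VLAN100 and domain2/VLAN200 pairs come from the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed site plan: the central subnet and five branch subnets below are
# placeholders; in a real deployment these come from the NAS-IP-Address of
# each switch (or a NAS group in the NAC).
SITES = {ip_network("10.0.0.0/16"): "central"}
SITES.update({ip_network(f"10.{i}.0.0/16"): f"branch{i}" for i in range(1, 6)})

# domain1 -> VLAN100 and domain2 -> VLAN200 are from the post; the branch
# and guest VLAN ids are constructed placeholders.
CENTRAL_VLAN_BY_DOMAIN = {"domain1": 100, "domain2": 200}
BRANCH_VLAN = 300
GUEST_VLAN = 900


@dataclass(frozen=True)
class AuthResult:
    identity: str             # user@domain as resolved by the LDAP lookup, or "guest"
    nas_ip: str               # switch that sent the RADIUS Access-Request
    authenticated: bool       # False for guest/captive-portal users
    domain: Optional[str] = None


def site_for(nas_ip: str) -> Optional[str]:
    """Map the requesting switch to a site; None if it is not a known NAS."""
    addr = ip_address(nas_ip)
    return next((name for net, name in SITES.items() if addr in net), None)


def assign_vlan(r: AuthResult) -> Optional[int]:
    """Return the VLAN to push, or None to reject the request (fail closed)."""
    site = site_for(r.nas_ip)
    if site is None:
        return None                      # unknown switch: do not guess a VLAN
    if not r.authenticated:
        return GUEST_VLAN                # guests land in the guest VLAN at every site
    if r.domain not in CENTRAL_VLAN_BY_DOMAIN:
        return None                      # authenticated against no known domain: reject
    if site == "central":
        return CENTRAL_VLAN_BY_DOMAIN[r.domain]
    return BRANCH_VLAN                   # any branch: one VLAN regardless of domain


def radius_attributes(vlan: int) -> dict:
    """RFC 3580 attributes a switch expects in Access-Accept for dynamic VLANs."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}
```

Running the same user through a central-site and a branch NAS address shows the two different outcomes the post asks for, and an unknown domain or unknown switch is rejected instead of silently landing in a VLAN.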