wireless authentication using multiple AS domains

The users belong to multiple AD domains. If we purchase a WLC 2500 controller, can I have one or more WLANs authenticate to multiple RADIUS servers or AD domains? I thought one WLAN/SSID authenticates to a single RADIUS server. Please advise.

Thanks

Sent from Cisco Technical Support iPhone App


Re: wireless authentication using multiple AS domains

Mustafa,

While you can configure multiple RADIUS servers in a ranked list per WLAN, the WLC will only try the currently active RADIUS server for that WLAN unless it is unreachable. If it is reachable and a user does not exist per that RADIUS server's directory lookup, then the WLC will not try another RADIUS server to see if the user exists there.

You need to handle this from the RADIUS server or from the AD. I can think of two ways to solve this problem. There are probably other ways to do it.

  • If you are using ACS, you can set up an Identity Sequence so that an access policy tries the first identity store and then the second if the first does not turn up the user. Here is a link to a post that explains how to do this; there is a little trickiness involved because ACS 5.x only supports one domain, but by configuring LDAP for the second domain, you can make this work: https://supportforums.cisco.com/message/3366422#3366422

  • If memory serves, then with two AD domains, you can set up a trust so that Domain A trusts Domain B. Authentication requests to the DC in Domain A will try both its local user store and the store of Domain B. This removes the requirement of configuring multi-domain authentication on the RADIUS server because it's handled at the directory level. Here's a link explaining AD trust relationships: http://technet.microsoft.com/en-us/library/cc731335.aspx

Justin
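A small model of the two lookup behaviours described in this reply, added here as an illustration and not code from Cisco, ACS or the thread (the server names, store names and user sets are constructed):

```python
"""Constructed model of two directory-lookup behaviours:
 - a WLC walking its ranked RADIUS server list (fails over only when a
   server is unreachable; a reachable server's Access-Reject is final), and
 - a RADIUS server walking an identity sequence (tries each identity
   store in turn and rejects only when none of them knows the user)."""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    reachable: bool
    users: set = field(default_factory=set)  # directory this server can query


def wlc_authenticate(servers, user):
    """WLC side: only the first reachable server decides.
    Returns (verdict, server_name); server_name is None if all were down."""
    for srv in servers:
        if not srv.reachable:
            continue  # failover to the next server happens only on no-response
        verdict = "Access-Accept" if user in srv.users else "Access-Reject"
        return verdict, srv.name  # a reject is NOT retried elsewhere
    return "No response", None


def identity_sequence_authenticate(stores, user):
    """RADIUS server side: stop at the first identity store holding the user."""
    for store_name, users in stores:
        if user in users:
            return "Access-Accept", store_name
    return "Access-Reject", None


# Constructed sample data: one RADIUS server per AD domain, each seeing
# only its own domain's users.
DOMAIN_A_USERS = {"alice"}
DOMAIN_B_USERS = {"bob"}
WLC_SERVER_LIST = [
    RadiusServer("radius-domain-a", reachable=True, users=DOMAIN_A_USERS),
    RadiusServer("radius-domain-b", reachable=True, users=DOMAIN_B_USERS),
]
# Identity sequence on a single RADIUS server: AD for domain A, LDAP for domain B.
IDENTITY_SEQUENCE = [("Domain-A-AD", DOMAIN_A_USERS), ("Domain-B-LDAP", DOMAIN_B_USERS)]

if __name__ == "__main__":
    # bob is rejected by the WLC path even though radius-domain-b knows him
    print(wlc_authenticate(WLC_SERVER_LIST, "bob"))
    # the identity sequence finds bob in the second store
    print(identity_sequence_authenticate(IDENTITY_SEQUENCE, "bob"))
```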


Re: wireless authentication using multiple AS domains

Justin

If we create multiple domain trusts, is there a limit? How about if there are more than two domains?

I know, crazy scenario.

What else can be done to simplify the multi-domain AD authentication issue?

Thanks

Sent from Cisco Technical Support iPhone App

Re: wireless authentication using multiple AS domains

Mustafa,

Yes, if I remember correctly, you can set up multiple trusts with Active Directory domains at the forest/domain level, e.g., A trusts B, A trusts C, A trusts D, etc. This could add processing and authentication time as your RADIUS server and AD move through several directories to find a match, but who knows, it may be quick, as 2008 is considerably more advanced than 2000, when I last touched domain trusts.

Justin


Re: wireless authentication using multiple AS domains

Thanks Justin

Sent from Cisco Technical Support iPhone App
