Multiple AD domains. If we purchase a WLC 2500 controller, can I have one or more WLANs authenticate to multiple RADIUS or AD domains? I thought one WLAN/SSID authenticates to a single RADIUS server. Please advise.
Re: wireless authentication using multiple AD domains
While you can configure multiple RADIUS servers in a ranked list per WLAN, the WLC will only try the currently active RADIUS server for that WLAN unless it is unreachable. If it is reachable but a user does not exist per that RADIUS server's directory lookup, then the WLC will not try another RADIUS server to see if the user exists there.
You need to handle this from the RADIUS server or from the AD. I can think of two ways to solve this problem. There are probably other ways to do it.
If you are using ACS, you can set up an Identity Sequence so that an access policy tries the first identity store and then the second if the first does not turn up the user. Here is a link to a post that explains how to do this--there is a little trickiness involved because ACS 5.x only supports one domain, but by configuring LDAP for the second domain, you can make this work: https://supportforums.cisco.com/message/3366422#3366422
If memory serves, then with two AD domains, you can set up a trust so that Domain A trusts Domain B. Authentication requests to the DC in Domain A will try both its local user store and the store of Domain B. This removes the requirement of configuring multi-domain authentication on the RADIUS server because it's handled at the directory level. Here's a link explaining AD trust relationships: http://technet.microsoft.com/en-us/library/cc731335.aspx
Yes, if I remember correctly, you can set up multiple trusts with Active Directory domains at the forest/domain level, e.g., A trusts B, A trusts C, A trusts D, etc. This could add processing and authentication time as your RADIUS server and AD move through several directories to find a match, but who knows, it may be quick as 2008 is considerably more advanced than 2000, when I last touched domain trusts.