wireless authentication using multiple AS domains

mustafa.s.raza
Level 1

The users belong to multiple AD domains. If we purchase a WLC 2500 controller, can I have one or more WLANs authenticate to multiple RADIUS servers or AD domains? I thought one WLAN/SSID authenticates to a single RADIUS server. Please advise.

Thanks

Sent from Cisco Technical Support iPhone App

4 Replies

Justin Kurynny
Level 4

Mustafa,

While you can configure multiple RADIUS servers in a ranked list per WLAN, the WLC will only try the currently active RADIUS server for that WLAN unless it is unreachable. If it is reachable and a user does not exist in that RADIUS server's directory lookup, then the WLC will not try another RADIUS server to see if the user exists there.

You need to handle this from the RADIUS server or from the AD. I can think of two ways to solve this problem. There are probably other ways to do it.

  • If you are using ACS, you can set up an Identity Sequence so that an access policy tries the first identity store and then the second if the first does not turn up the user. Here is a link to a post that explains how to do this--there is a little trickiness involved because ACS 5.x only supports one domain, but by configuring LDAP for the second domain, you can make this work: https://supportforums.cisco.com/message/3366422#3366422

  • If memory serves, then with two AD domains, you can set up a trust so that Domain A trusts Domain B. Authentication requests to the DC in Domain A will try both its local user store and the store of Domain B. This removes the requirement of configuring multi-domain authentication on the RADIUS server because it's handled at the directory level. Here's a link explaining AD trust relationships: http://technet.microsoft.com/en-us/library/cc731335.aspx

Justin
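The distinction Justin draws above (the WLC only moves down its server list on a timeout, never on an Access-Reject, whereas an identity sequence on the RADIUS server walks the stores itself) is modelled here as an added example; it is not WLC or ACS code. The directories, server names and the "advance only on user-not-found" rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample directories: domain -> {username: password}
DIRECTORIES = {
    "corp": {"alice": "alice-pw"},
    "lab": {"bob": "bob-pw"},
}


@dataclass
class RadiusServer:
    name: str
    domain: str            # the single identity store this server consults
    reachable: bool = True

    def access_request(self, user, password):
        """Return 'accept', 'reject', or None (timeout) like a RADIUS exchange."""
        if not self.reachable:
            return None
        store = DIRECTORIES[self.domain]
        return "accept" if store.get(user) == password else "reject"


def wlc_authenticate(servers, user, password):
    """WLC behaviour from the thread: walk the ranked list only past servers
    that time out. The first reachable server's verdict is final; a reject is
    never retried against another server."""
    for srv in servers:
        verdict = srv.access_request(user, password)
        if verdict is None:        # unreachable -> fail over to the next server
            continue
        return verdict, srv.name
    return "reject", None          # every server timed out


def identity_sequence_authenticate(domains, user, password):
    """Identity-sequence behaviour on the RADIUS server (assumed rule): try each
    store in order and move on only when the user is NOT FOUND. A wrong password
    in a store that knows the user is a final reject, so a bad credential is
    not re-tried across every directory."""
    for dom in domains:
        store = DIRECTORIES[dom]
        if user not in store:
            continue
        return ("accept" if store[user] == password else "reject"), dom
    return "reject", None
```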

Justin,

If we create multiple domain trusts, is there a limit? What about if there are more than two domains?

I know, crazy scenario.

What else can be done to simplify the multi-domain AD authentication issue?

Thanks

Sent from Cisco Technical Support iPhone App

Mustafa,

Yes, if I remember correctly, you can set up multiple trusts with Active Directory domains at the forest/domain level, e.g., A trusts B, A trusts C, A trusts D, etc. This could add processing and authentication time as your RADIUS server and AD move through several directories to find a match, but who knows, it may be quick, as 2008 is considerably more advanced than 2000, when I last touched domain trusts.

Justin

mustafa.s.raza
Level 1

Thanks Justin

Sent from Cisco Technical Support iPhone App
