Cisco Support Community
Cisco Employee

AAA multiple domains

I have a client who wants to put wireless in using PEAP, no problems there as my field is wireless.

The query is with their existing AAA, they are running ACS 5.2 (could be 5.1)

Now they want to extend the wireless to a second site which has a different domain in AD.

My thoughts are that we can do this but we will need a separate AAA server. The AAA server is registered to a domain via certs so can only be registered to a single domain. Also if we create the same WLAN, clients would fail because the certs are different? Also if we just added the new ACS to the WLAN, clients would fail as they would receive a fail message from the AAA server. The only way around it is to create a second SSID with the new ACS server pointing at the new domain?

Lastly, and unfortunately I should know this: on a WLC, can you create two SSIDs with the same name for different H-REAP groups? This would allow us to populate the AAA servers and have them point to different domains. Sorry, I don't have access to my lab to test this at the moment!

Cisco Employee

Re: AAA multiple domains

Since I've never used ACS, I'm just throwing out some ideas, which may already have been thought of, based on messing with 802.1x, ASAs, Windows, and Linux:

1. Users can authenticate with a domain/username option; usually a default for most Windows platforms.

2. Is there a concept of a "domain list" for ACS? If a user submits a username without a domain, it can search all domains and return the results.

3. Multiple domains can share a common root CA, thus a single trust can be established for X domains.

4. Trusted domains in Windows: domain X can establish trust with another domain Y.

H-REAP: I don't have a lab myself right now...
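As an added illustration of ideas 1 and 2 in the reply (this is not Cisco or ACS code; the domain names, NetBIOS names and directory contents are all constructed), here is how an AAA server could route a PEAP User-Name to one of two AD domains, and why a bare username is the risky case when the same account name exists in both:

```python
"""Route an 802.1X/PEAP User-Name to the AD domain that should authenticate it.

A user may name the domain explicitly (DOMAIN\\user or user@realm), or omit it,
in which case the AAA server walks an ordered "domain list". Constructed data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: NetBIOS names and DNS realms mapped to each site's AD domain.
DOMAIN_TABLE = {
    "SITEA": "sitea.example.com", "sitea.example.com": "sitea.example.com",
    "SITEB": "siteb.example.com", "siteb.example.com": "siteb.example.com",
}
# Constructed: order in which bare usernames are searched.
SEARCH_ORDER = ["sitea.example.com", "siteb.example.com"]


@dataclass
class Route:
    user: str
    domain: Optional[str]   # None: no domain could be determined, reject
    how: str                # explicit-netbios | explicit-realm | search | unroutable


def parse_identity(user_name: str):
    """Split DOMAIN\\user or user@realm into (user, domain hint or None)."""
    if "\\" in user_name:
        dom, user = user_name.split("\\", 1)
        return user, dom
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    return user_name, None


def route_identity(user_name, directory, table=DOMAIN_TABLE, search_order=SEARCH_ORDER):
    """directory: {domain: set(usernames)} standing in for the AD lookups."""
    user, hint = parse_identity(user_name)
    if hint is not None:
        # NetBIOS names and DNS realms are case-insensitive; try both spellings.
        dom = table.get(hint.upper()) or table.get(hint.lower())
        how = "explicit-netbios" if "\\" in user_name else "explicit-realm"
        return Route(user, dom, how if dom else "unroutable")
    # Bare username: first domain in the list that knows the account wins.
    # If "alice" exists in both domains, list order decides, which is the
    # ambiguity an explicit domain (or one SSID per domain) avoids.
    for dom in search_order:
        if user in directory.get(dom, set()):
            return Route(user, dom, "search")
    return Route(user, None, "unroutable")
```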
