This article talks about creating a unique service for 802.1X authentication in an environment where we have multiple authentication sources.
Feature Notes :
This applies to all the versions of CPPM.
Lets consider that we have 25 authentication sources. Each being a single child domain ( Active Directory). We have multiple campus and users part of all the domains roam across different campus.
Configuration Steps :
We will create a basic 802.1X service for authentication and add all the 25 AD servers as authentication source. This should work fine but the maximum number of authentication sources that can be associated with a service is 24. This limit is not enforced by UI.
25 authentication sources in one service is too many. This will impact the RADIUS authentication processing time especially if the user is present in an authentication source down in the list.
We would see the below errors on the radius logs on CPPM. Radius service will be down and authentication would fail.
To avoid this we definitely need a better design. We can add all the child domains to a Global Catalogue and add Global Catalogue in the authentication source.
However if we cannot make any changes to the AD, we can use the below solution.
So how do we create a unique service?
As we are in multiple child domain environment, one user may be part of multiple domains.
So users will be recommended to login using the complete domain name ( email@example.com or aruba/user).
1: Create a basic 802.1X service using the template.
2: Make multiple copies of the same service.( one for each authentication source)
3: Add one AND condition in each service as shown below.
" Authentication:Full-Username = <Value>"
The generic service will look like below.
We will add one more condition under Service Rule as shown below.
Make sure to add that AD server as authentication source in this which is mentioned in the new rule.
We will have to create multiple services to handle authentication request for each authentication source.
Test with multiple clients and verify that correct service is hit.