01-04-2017 05:01 AM
Can someone confirm to me whether it is possible to have 2 AD authentication sources, to 2 different ADs, with only one AD join in place? (It needs to have a secure connection to both auth sources.)
Bearing in mind we're using EAP-TLS within EAP-PEAP.
Hope that makes sense.
01-04-2017 05:08 AM
It is not clear:
You are trying to join two AD sources but you are using EAP-TLS, which is certificate based. Please explain...
If you are trying to use two AD sources from two different AD domains, you need to join both domains.... Again, you are mentioning EAP-TLS...where does that come in?
What are you trying to do?
Aruba Customer Engineering
01-04-2017 05:14 AM
Is there a trust between the domains?
Keep in mind that the AD "Authentication Source" is only used for authorization properties with PEAPv0/EAP-MSCHAPV2. The password check is done directly to DCs based on DNS queries or statically configured password servers.
01-04-2017 05:59 AM
Let’s try again:
So we currently have ClearPass joined to AD1; for client authentication we are using EAP-PEAP as our outer method and EAP-TLS for the inner, and authorizing to AD1. This works fine.
We need to introduce AD2, so we can authenticate separately managed devices and users. The issue is we don’t want to add ClearPass to this domain. Can this be achieved?
A 1 way trust is in place between the ADs.
01-04-2017 06:03 AM
One thing to keep in mind is you'll want users to be authenticating with their UPN. Otherwise you'll run into issues if a user has the same username in both domains.
01-04-2017 06:22 AM