Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - two AD domains in the same service

  • 1.  Clearpass - two AD domains in the same service

    Posted Feb 04, 2015 03:45 AM

    Hello!

    First time for everything, right? I have an SSID that needs to authenticate to two different ADs.

    I have CPPM joined to both AD domains, and have one service with both of these as Auth Sources.

    The issue I face is that the same username exists in both ADs, and it seems that the auth source ignores the domain I add to the username.

    domain1\username1
    domain2\username1

    If I try domain2\user1 it results in a failed auth from domain1 and denies the user login.

    I find this in the Access Tracker (names modified):

    rlm_ldap: searching for user domain2\username1 in AD:domain1
    rlm_ldap: found user domain2\username1 in AD:domain1
    ....
    rlm_eap_mschapv2: Received MSCHAPv2 Response from client
    rlm_mschap: authenticating user username1, domain domain2
    rlm_mschap: user username1 authentication failed
    rlm_mschap: AD status:Logon failure (0xc000006d)
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

    Why would it even look for the user in domain1 when I explicitly prefix the username with domain2? Does this imply some sort of trust between the domains?

    Is there a fail-through mechanism or any other mechanism I should look at to get around this?

    I don't really see another way to solve this, so I need some assistance from you guys.


  • 2.  RE: Clearpass - two AD domains in the same service

    Posted Feb 04, 2015 06:53 AM

    How do you have it configured, as a backup AD server or as a new authentication source?

    Please read this:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/What-is-the-best-way-to-authenticate-users-via-multiple-domains/ta-p/181644

    A couple of things:

    - You could decrease the Server Timeout to a lower value (you may want to verify this with TAC).

    - Another thing you might need to do, if there's no trust between the two entities, is add the second domain server as a Password Server.

    (Attached screenshot: ClearPass Policy Manager - Aruba Networks, 2015-02-04)



  • 3.  RE: Clearpass - two AD domains in the same service

    Posted Feb 04, 2015 07:27 AM

    Thanks Victor. I'll check out that page.

    While waiting, I ended up just creating a second service and added a test for the name of the domain in radius:ietf:user-name. It gets the job done, so I'm happy for now.
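The domain-prefix split behind the "second service with a User-Name domain test" workaround in reply 3, together with a check over the Access Tracker lines quoted in the first post that flags lookups where the prefixed domain was ignored, as an added Python example that is not part of this thread or of ClearPass; the service names, the SERVICE_BY_DOMAIN mapping and the sample log text are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of the Access Tracker lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
rlm_ldap: searching for user domain2\\username1 in AD:domain1
rlm_ldap: found user domain2\\username1 in AD:domain1
rlm_mschap: authenticating user username1, domain domain2
rlm_mschap: AD status:Logon failure (0xc000006d)
"""

# Hypothetical realm -> service mapping; stands in for one ClearPass service per
# domain, each with a rule on the User-Name domain prefix (reply 3's workaround).
SERVICE_BY_DOMAIN = {"domain1": "Wireless-Domain1", "domain2": "Wireless-Domain2"}


def split_user_name(user_name: str) -> Tuple[Optional[str], str]:
    """Split a RADIUS User-Name into (domain, user).

    Handles DOMAIN\\user and user@domain; a bare user name yields domain None.
    The domain is lower-cased so that rule matching is case-insensitive."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain.lower(), user
    if "@" in user_name:
        user, domain = user_name.rsplit("@", 1)
        return domain.lower(), user
    return None, user_name


def select_service(user_name: str, default: str = "Wireless-Default") -> str:
    """Pick the service whose domain test matches the User-Name prefix."""
    domain, _ = split_user_name(user_name)
    return SERVICE_BY_DOMAIN.get(domain, default)


LDAP_SEARCH = re.compile(r"rlm_ldap: searching for user (\S+) in AD:(\S+)")


def find_misrouted_lookups(log_text: str) -> List[Tuple[str, str]]:
    """Return (user_name, auth_source) pairs where the user carried a domain
    prefix but was searched in a different auth source, as in the thread."""
    hits = []
    for m in LDAP_SEARCH.finditer(log_text):
        user_name, source = m.group(1), m.group(2)
        domain, _ = split_user_name(user_name)
        if domain is not None and domain != source.lower():
            hits.append((user_name, source))
    return hits
```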