05-30-2016 07:28 AM - last edited on 05-30-2016 07:33 AM by cjoseph
We have several domains, and are looking into using ClearPass for authenticating against AD with MSCHAPv2.
As it is stated that ClearPass must be joined to the domain, would this work if there was a one-way trust between the domains?
05-30-2016 07:37 AM
You should add ClearPass to all domains that you want to authenticate to. If you have multiple SSIDs, you can use ClearPass to first check what SSID the user is authenticating to and then only check the user's credentials against the domain that corresponds with that SSID.
If you have a single SSID for all users in all domains, you need the following:
- All users in all domains must trust the ClearPass RADIUS certificate.
- ClearPass must be joined to all domains correctly and be able to reach domain controllers in all domains. This means that DNS must be able to resolve resources from all domains.
- All clients must be configured correctly to connect to that single SSID.
**Consolidating multiple domains into a single SSID involves a lot of work and typically you should try to maintain whatever connectivity that exists and then migrate to a single SSID later.
Aruba Customer Engineering