Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Redirect of clients to different MS domains via NPS

  • 1.  Redirect of clients to different MS domains via NPS

    Posted Mar 11, 2014 08:45 AM

    Hello!

     

    Here comes something that I have been trying to solve for a long period of time, but without success.

     

    Scenario:

    • Domain 1 - MS AD, 2xNPS.site-1 for authentication of wireless clients (802.1x), SSID=EDU, Building 1, VirtualAP-1
    • Domain 2 - MS AD, 2xNPS.site-2 for authentication of wireless clients (802.1x), SSID=EDU, Building 2, VirtualAP-2
    • Clients have a computer name like "name.domain1.com" and "name.domain2.com"
    • Aruba 7220 controller

     

    Problem:

    Wireless clients from "Domain 1" are in "Building 2" and cannot authenticate to "Domain 1" because of the different NPS servers (and, of course, the different domain), and vice versa. Note that the SSID has the same name.

    Both domains connect to the same Aruba controller, so it must be possible, somehow, to redirect wireless clients to the right domain and NPS.

     

    We don't have ClearPass.

     

    Please help if you have some idea on how to solve this.


    #7220


  • 2.  RE: Redirect of clients to different MS domains via NPS



  • 3.  RE: Redirect of clients to different MS domains via NPS

    Posted Mar 12, 2014 03:38 AM

    Thanks for the reply.

     

    I think that this is not exactly what I need to solve the problem; maybe I am wrong, so please tell me if I am.

     

    Check the attached image - this is the problem.

     

     

    Client redirect.jpg



  • 4.  RE: Redirect of clients to different MS domains via NPS

    Posted Mar 12, 2014 10:50 AM

    I agree with cjoseph that the match-group feature under the RADIUS server-group on the controller should resolve this.

    Alternatively you would need to create a RADIUS proxy on NPS.domain1 for domain2 pointing at NPS.domain2.

    The reverse would also be required, i.e. a RADIUS proxy on NPS.domain2 for domain1 pointing at NPS.domain1.



  • 5.  RE: Redirect of clients to different MS domains via NPS

    Posted Mar 13, 2014 03:38 AM

    Hi!

     

    Thanks for the reply but... I don't understand this, sorry.

     

    Please, this is easy for you guys, but try to explain it a little better.

     

    When I look in the manual I can't find anywhere where I can point to another RADIUS server.


    The only thing I can do is to create a rule in the server group for Domain 2: AuthString -> contains -> domain1.com

     

    What should I do next? 

    What do you mean by match-group?

     

    Setting up a RADIUS proxy is not an option, because we would need to have a trust between the domains, and that's not relevant right now.

     



  • 6.  RE: Redirect of clients to different MS domains via NPS
    Best Answer

    Posted Mar 13, 2014 05:19 AM

    You can use the AuthString option to match the domain.

    So you would have both NPS servers in the server-group with NPS1 having an AuthString contains domain1.

    Also you would have NPS2 with an AuthString contains domain2.

    This should cause the controller to send requests to the appropriate NPS server for the domain.
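    The server-group described in this answer, and the Filter-Id server rule the original poster later says was missing, written out as an ArubaOS controller configuration. This is an added example, not configuration from the thread; server names, addresses, shared secrets, Filter-Id values and role names are placeholders, and the lines starting with "!" are annotations.

    ```text
    ! Added example, not from the original post. Placeholders: server names,
    ! 192.0.2.x addresses, <shared-secret-*>, Filter-Id values and role names.
    aaa authentication-server radius "NPS-domain1"
       host 192.0.2.11
       key <shared-secret-domain1>
    aaa authentication-server radius "NPS-domain2"
       host 192.0.2.21
       key <shared-secret-domain2>
    !
    ! One server group for the shared EDU SSID. The controller compares the EAP
    ! identity (e.g. host/name.domain1.com or user@domain1.com) with each
    ! match-authstring rule and only sends the request to the server whose rule
    ! matches, so Domain 1 clients in Building 2 still reach NPS-domain1.
    aaa server-group "EDU-SG"
       auth-server "NPS-domain1" match-authstring contains "domain1.com"
       auth-server "NPS-domain2" match-authstring contains "domain2.com"
       ! Server rules: map the Filter-Id attribute returned by each NPS to the
       ! controller role. Without a rule for Domain 1 its users get no role.
       set role condition Filter-Id equals "domain1-edu" set-value "edu-domain1-role"
       set role condition Filter-Id equals "domain2-edu" set-value "edu-domain2-role"
    ```

    Verify the group with `show aaa server-group "EDU-SG"`; a client whose identity contains neither domain string matches no server in this group and fails authentication, so make sure machines send their identity in the name.domain form.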



  • 7.  RE: Redirect of clients to different MS domains via NPS

    EMPLOYEE
    Posted Mar 13, 2014 05:56 AM

    @AirAO wrote:

    Hi!

     

    Thanks for the reply but... I don't understand this, sorry.

     

    Please, this is easy for you guys, but try to explain it a little better.

     

    When I look in the manual I can't find anywhere where I can point to another RADIUS server.


    The only thing I can do is to create a rule in the server group for Domain 2: AuthString -> contains -> domain1.com

     

    What should I do next? 

    What do you mean by match-group?

     

    Setting up a RADIUS proxy is not an option, because we would need to have a trust between the domains, and that's not relevant right now.

     




    AirAO,

     

    RADIUS proxy has nothing to do with trusts between domains. It is only a rule on one RADIUS server pointing to another RADIUS server for a particular domain:

     

    http://technet.microsoft.com/en-us/library/cc772591.aspx

    http://technet.microsoft.com/en-us/library/dd197525(v=ws.10).aspx

     

     



  • 8.  RE: Redirect of clients to different MS domains via NPS

    Posted Mar 14, 2014 03:24 AM

    Hi again!

     

    It works now! Thanks for your explanations dg27 and cjoseph!

     

    I had missed adding the line with Filter-Id in the "Server rules" section for Domain 1.