Radius Client Behavior

  • 1
  • Question
  • Updated 5 years ago
  • Answered
I have a use case which requires authentication from two Active Directory domains. Most authentication requests will be handled from domain A, but occasionally a user in domain B will need to log in. We wish to have one SSID for this to happen. Unfortunately, domain trusts are not in place. Could I configure a "Primary" NPS server for authenticating in domain A, and a "Backup" NPS server for domain B? Does/can the access point attempt authentication from the "backup" server if a reject message is received from the primary? If not, can you provide some suggestions for a configuration that might allow one to authenticate users in multiple domains for one SSID?

Thanks!

runcmd

  • 7 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
This will not work for mixed clients from both domains, as the failover behaviour is not on a per-connection-attempt basis; it is a global behaviour when the server being attempted is deemed to not be responding.

It would furthermore require the RADIUS server to not respond to those in the other domain, causing a timeout, rather than rejecting the access request for failover to actually happen. A reject is considered an authoritative response so other servers will not be tried.

To solve your problem, if trust cannot be established, I suggest using a RADIUS proxy that can appropriately route the requests as an intermediary - a hybrid deployment is possible where you handle requests for the member domain locally and proxy others to another RADIUS server in the other domain.

runcmd

  • 7 Posts
  • 0 Reply Likes
Thanks, Nick. I'm looking to set up some rules for a RADIUS proxy now. Thanks for your assistance.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The thing to be mindful of, really, is the need to have the domain/realm specified in the username - obviously, it must always be qualified for it to be matched and routed.

It can come in various forms which ought to be handled:

user@domain
domain\user
user@fully.qualified.domain.name
fully.qualified.domain.name\user

If you are using certificates, it comes in a different form again as a principal name:

For example, host/foo.fully.qualified.domain.name
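As an added illustration of the routing rule described in this reply (example code, not from the original thread or from any RADIUS proxy product): the function below extracts the realm from each of the username forms listed above, including the certificate principal-name form, and then decides whether the request is handled locally (the member domain) or proxied to the other domain's RADIUS server. The realm names, upstream hostnames and the hybrid local/proxy split are constructed assumptions; an unqualified username is rejected rather than guessed at, since a proxy has no realm to match on.

```python
# Realm extraction and local/proxy routing decision for a RADIUS proxy.
# Hypothetical realms and upstream hosts for illustration only.

# Realms the proxy's own domain answers directly (assumed member domain).
LOCAL_REALMS = {"domaina", "domaina.example.com"}

# Realms forwarded to the RADIUS server in the other, untrusted domain.
PROXY_TARGETS = {
    "domainb": "nps-b.example.internal",
    "domainb.example.com": "nps-b.example.internal",
}


def extract_realm(username):
    """Return (realm, user) for the username forms a proxy must handle:
    user@realm, realm\\user (NetBIOS or FQDN) and the certificate
    principal name host/fqdn. Returns (None, username) if unqualified.
    Realms are lower-cased because DNS and AD names are case-insensitive."""
    if username.startswith("host/"):
        # Principal name from a machine certificate: realm is the DNS
        # domain part of the FQDN, the host label is the "user".
        fqdn = username[len("host/"):]
        host, sep, domain = fqdn.partition(".")
        if sep and domain:
            return domain.lower(), host
        return None, username
    if "\\" in username:
        realm, _, user = username.partition("\\")
        if realm and user:
            return realm.lower(), user
        return None, username
    if "@" in username:
        # rpartition so a literal '@' inside the user part does not
        # truncate the realm.
        user, _, realm = username.rpartition("@")
        if realm and user:
            return realm.lower(), user
    return None, username


def route(username, local_realms=LOCAL_REALMS, proxy_targets=PROXY_TARGETS):
    """Decide how the proxy handles an Access-Request for this username.
    Returns one of:
      ("local", None)          - authenticate against the member domain
      ("proxy", upstream_host) - forward to the other domain's server
      ("reject", reason)       - send Access-Reject (authoritative answer,
                                 no further server is tried)."""
    realm, _ = extract_realm(username)
    if realm is None:
        return ("reject", "unqualified")
    if realm in local_realms:
        return ("local", None)
    if realm in proxy_targets:
        return ("proxy", proxy_targets[realm])
    return ("reject", "unknown-realm")


if __name__ == "__main__":
    # Constructed sample usernames covering every form from the thread.
    for name in ["alice@domaina", "DOMAINB\\bob", "carol@domainb.example.com",
                 "domaina.example.com\\dave", "host/foo.domainb.example.com",
                 "erin", "frank@other.example"]:
        print(f"{name!r:40} -> {route(name)}")
```

The reject branches matter because, as the earlier reply explains, an Access-Reject is authoritative: a NAS will not fail over to another server after receiving one, so the proxy must make the routing decision itself rather than rely on a downstream rejection.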

runcmd

  • 7 Posts
  • 0 Reply Likes
Indeed, but I don't really see any way around it. I've got the forwarding set up and it works well. Thanks again for your input!