RADIUS to multiple ADs

  • Last Post 12 November 2015
eccoleman posted this 10 November 2015

Hello,

We have a relatively stable configuration where our wireless WPA2-Enterprise authentication uses UNIX-based FreeRADIUS servers passing authentication over MS-CHAPv2 to our AD domain controllers (a dedicated site, in fact, due to NTLMv1 mitigation). Users enter their AD credentials (samAccountName and password, or UPN and password).

However, we have a business case where we need to authenticate on the same wireless network to the corresponding ADs for our other campuses. We have cross-forest trusts in place between the campuses, but clearly RADIUS is not going to honor them.

Has anyone had success pointing RADIUS to multiple back-end ADs? Conditional based on UPN suffix? Or is it time to just redesign the entire infrastructure? Would the Windows-based NPS work better for cross-forest authentication for wireless? If anyone has this kind of multi-campus setup, what have you used?

Thanks in advance!


Erik Coleman Identity and Access Management at Urbana (IAMU) Technology Services University of Illinois at Urbana-Champaign  
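One way to do the "conditional on UPN suffix" routing in FreeRADIUS is realm-based proxying, shown here as an added example rather than anything from this thread or the poster's environment. It assumes FreeRADIUS 3 `proxy.conf` syntax, a second campus that runs its own RADIUS server joined to its AD, and constructed realm names, addresses and secret placeholders.

```conf
# raddb/proxy.conf (FreeRADIUS 3 syntax). Realm names, the address and the
# secret below are constructed placeholders, not values from the thread.
#
# The "suffix" realm module (mods-enabled/realm, delimiter "@") has already
# split User-Name into Stripped-User-Name and Realm before this is consulted.

# Campus B runs its own RADIUS joined to its AD. Whole EAP sessions are
# proxied there, so the inner MS-CHAPv2 is never terminated on this server.
home_server campus_b_radius {
    type = auth
    ipaddr = 192.0.2.20           # constructed (TEST-NET-1)
    port = 1812
    secret = REPLACE_WITH_LONG_RANDOM_SECRET
    # Drop replies without a valid Message-Authenticator (EAP requires it)
    require_message_authenticator = yes
    status_check = status-server  # detect a dead peer instead of timing out
}

home_server_pool campus_b_pool {
    type = fail-over
    home_server = campus_b_radius
}

# UPN suffix -> where the user is authenticated.
realm campusb.example.edu {
    auth_pool = campus_b_pool
    nostrip                       # forward the full UPN so campus B can map it
}

# Our own campus: no auth_pool means "handle locally", i.e. the existing
# mschap + ntlm_auth path against our own domain controllers.
realm campusa.example.edu {
}

# Any other suffix, or no suffix at all, is also handled locally rather than
# forwarded blindly; a user our domain does not know is rejected by ntlm_auth.
realm DEFAULT {
}
```

With PEAP the proxy decision is made on the outer identity, so supplicants must send an outer identity that carries the suffix (the full UPN or `anonymous@campusb.example.edu`); an outer identity with no realm never reaches the campus B pool.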

Ravi.Sabharanjak posted this 12 November 2015

If you use a Windows RADIUS server, will using a condition (must be a member of the "Authenticated Users" group) get you what you need?
Windows RADIUS servers can support group memberships as a condition, and I was driving towards leveraging a group membership that all your users would have, even though they are in different domains...