Configuring Multiple Active Directory Domains


You can configure multiple Active Directory (AD) domains to authenticate users that reside on Active Directories that do not have trust between them. Additionally, you can configure multiple authentication rules so that if authentication to one fails, ExtremeControl can automatically attempt to authenticate against a second domain.

Requirements

Prior to configuring multiple AD domains:

  • Ensure all AD servers communicate using DNS names.
  • Validate multi-domain functionality works for your network.

Validating Multiple AD Domain Functionality

To ensure you can configure multiple AD domains for authentication on your network, ExtremeControl must be able to resolve all Directory service domains correctly. DNS resolution is required for multiple AD domain functionality to work properly. For example, if you are using a third-party DNS server (such as Infoblox), ensure ExtremeControl is able to resolve all domains correctly. If one of the AD servers is acting as the DNS server, configure it (using DNS conditional forwarding) to resolve the other domains.

Additionally, ExtremeControl runs the wbinfo command line tool to check the reachability of the AD servers it has joined. In this multi-join scenario, ExtremeControl runs wbinfo against all joined Directory Services.

Joining Multiple Active Directory Domains

After you verify you can configure multiple Active Directory domains on your network, perform the following to configure the functionality:

  1. Access the Advanced AAA Configurations tab.
  2. Select All Domains in the Join AD Domain drop-down list.

     NOTE: If multiple Active Directory domains are configured, ExtremeControl attempts to join them all.
  3. Select Add in the Authentication Rules section to open the Add/Edit User to Authentication Mapping window.
  4. Configure multiple authentication rules with an Authentication Method of LDAP Authentication in the Authentication Rules section.
  5. Select the Fall-through if Authentication Failed checkbox if you want ExtremeControl to attempt to authenticate a user against the next AAA authentication rule in the table if the current authentication rule fails or times out. If this checkbox is not selected and authentication fails, the user is not authenticated and ExtremeCloud IQ Site Engine does not attempt to authenticate using any other rules in the table.
  6. Select OK.
  7. Select Save.

ExtremeControl attempts to join all Domains you configure in the AAA authentication rules. If ExtremeControl is not able to join a Domain, a timer runs and keeps trying to rejoin. When ExtremeControl joins a particular domain, a separate health check timer runs to ensure the AD server is reachable.

Multiple AD domains are now configured. If you enabled fall-through for your rules, ExtremeControl automatically attempts to authenticate against the next rule in the table when a rule fails.

Important Note

If duplicate users exist in multiple Active Directory domains with the same password, the AAA rule(s) must be configured with a user pattern (for example, Domain\*) so that the user matches the domain name and the correct AAA rule is used.

For example, a user named administrator exists in two Active Directory domain servers and the following AAA rules are configured:

  • All LDAP Authentication using Domain_A.com server - fall through enabled
  • All LDAP Authentication using Domain_B.com server

When the administrator user from Domain_B tries to authenticate, the Domain_A.com server authenticates the user successfully first, because a user with that name and password also exists on the Domain_A.com server. To avoid this, configure the AAA rules with user patterns as seen below:

  • User matching Domain_A\* (or *@domain_a.com) using Domain_A.com server - fall through enabled
  • User matching Domain_B\* (or *@domain_b.com) using Domain_B.com server
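The following Python simulation is an added illustration, not ExtremeControl code: it models the AAA rule table walk (user pattern match, LDAP bind, fall-through on failure or timeout) against two constructed directories that both hold a duplicate administrator account, and shows why the "All" rules hand a Domain_B login to Domain_A while domain-scoped user patterns do not. The rule semantics, the directory contents and the `ldap_bind` stand-in are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class Rule:
    user_pattern: str    # "*" (All), "Domain_A\\*" or "*@domain_a.com"
    domain: str          # AD domain whose LDAP server this rule binds against
    fall_through: bool   # the "Fall-through if Authentication Failed" checkbox


# Constructed sample directories: the duplicate 'administrator' account with the
# same password exists in both domains, which is exactly the case the note warns about.
DIRECTORIES = {
    "Domain_A.com": {"administrator": "S3cret!", "alice": "a-pw"},
    "Domain_B.com": {"administrator": "S3cret!", "bob": "b-pw"},
}


def account_name(login):
    """Strip a DOMAIN\\ prefix or @domain suffix; the bind uses the bare account."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    return login.split("@", 1)[0]


def ldap_bind(domain, login, password, unreachable):
    """Simulated LDAP authentication: True, False, or None when the server times out."""
    if domain in unreachable:
        return None
    return DIRECTORIES[domain].get(account_name(login)) == password


def authenticate(rules, login, password, unreachable=frozenset()):
    """Walk the rule table top-down and return the domain that authenticated the
    user, or None. A failed or timed-out rule only continues to the next matching
    rule when its fall-through flag is set, as the configuration steps describe."""
    for rule in rules:
        if not fnmatch.fnmatchcase(login.lower(), rule.user_pattern.lower()):
            continue
        if ldap_bind(rule.domain, login, password, unreachable):
            return rule.domain
        if not rule.fall_through:
            return None
    return None


# Rule table from the note: every user, Domain_A first with fall-through enabled.
ALL_RULES = [Rule("*", "Domain_A.com", True), Rule("*", "Domain_B.com", False)]
# Corrected table: the user pattern pins each login to its own domain.
SCOPED_RULES = [
    Rule("Domain_A\\*", "Domain_A.com", True), Rule("*@domain_a.com", "Domain_A.com", True),
    Rule("Domain_B\\*", "Domain_B.com", False), Rule("*@domain_b.com", "Domain_B.com", False),
]

if __name__ == "__main__":
    print(authenticate(ALL_RULES, "Domain_B\\administrator", "S3cret!"))     # Domain_A.com (wrong domain)
    print(authenticate(SCOPED_RULES, "Domain_B\\administrator", "S3cret!"))  # Domain_B.com
```

The `unreachable` set stands in for the wbinfo reachability check: a timed-out bind is treated like a failure, so it only moves on to the next rule when fall-through is set.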

For information on related help topics: