Hi,
1. No, 2 domains exist in different DC, no parent and child, just two-way
trust.
2. All certificates are OK, Certificates installed on one ACS are from a root
CA trusted from machines from other domain and vice versa. I am using machine
credentials towards AD and this is what fails. ACS could be integrated only
with one domain, but in the docs they say that if you have trusted domains,
this will work.
3. When using EAP/TLS (certificates only) authentication is OK. The problem is
that only one of the domains has fully implemented PKI infrastructure and we
need to use machine credentials PEAP/MSCHAP for the other domain laptops.
BR,
Lora
________________________________
From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Thu 4/2/2009 11:24 PM
To: Lora Ganeva
Cc: ccielab_at_groupstudy.com
Subject: Re: 802.1x machine authentication trusted domains
Hi Lora,
A few questions for you there:
1) I am not at all a Windows expert here but do the 2 domains exist on the
same Domain Controller? Or are you doing some hierarchical domain structure
there with a parent and child domains? The reason I ask is on ACS5.0, I
believe you can only connect to a single AD database, right?
2) This also means that the certificates you would install on ACS would only
be from one of the domains and not both, right? Well, if the answer to this
question is yes, then of course you can't authenticate to both domains
simultaneously but only one, right?
3) If your setup is such that you have (1st AD + 1st ACS in 1st domain) and
(2nd AD + 2nd ACS in 2nd domain) and clients in either domain work fine, then
you have a laptop authenticated in the first domain, disconnected and reconnected to
the second domain; then you need to verify a few things there:
i. do you have relevant certificates (personal and root (CA)
certificates for the machine) of any domain you try to authenticate to?
ii. you need to confirm that the machine has joined the appropriate
domain when you try to authenticate it.
Let us know if this helps, else some more information about your setup might
help.
Sadiq
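The two checks Sadiq lists (i: root CA and machine certificates present for the domain being authenticated to; ii: the laptop is actually joined to the right domain) can be run on the client itself. The script below is an added example written for this thread, not something posted by either participant; it assumes the other domain's root CA can be matched by the placeholder subject string 'OtherDomain Root CA', which you would replace with the real CA name.

```powershell
# Added example (not from the thread): verify the two items on a Windows 802.1x client.
# 'OtherDomain Root CA' is a placeholder; use the subject name of the real root CA.
$expectedRootCa = 'OtherDomain Root CA'

# ii. Which domain is this machine joined to, and is its secure channel to a DC healthy?
#     Machine PEAP/MSCHAPv2 authenticates the computer account, so the join must be valid.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Joined domain: $($cs.Domain) (PartOfDomain=$($cs.PartOfDomain))"
nltest "/sc_query:$($cs.Domain)"

# i. Is the other domain's root CA in the machine's trusted root store?
#    The PEAP client validates the ACS server certificate against this store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$expectedRootCa*" }
if ($root) {
    "Root CA found: $($root.Subject), expires $($root.NotAfter)"
} else {
    "Root CA NOT found in LocalMachine\Root"
}

# Machine certificates (needed for EAP-TLS; shown for completeness)
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Issuer, NotAfter, HasPrivateKey
```

Run it in an elevated PowerShell session on the laptop after it has been moved to the second domain; a missing root CA explains a server-certificate validation failure, while a broken secure channel (nltest reporting an error) points at the computer account rather than the certificates.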
On Thu, Apr 2, 2009 at 8:40 PM, Lora Ganeva <lganeva_at_mobiltel.bg> wrote:
Hi experts,
I am dealing with a small pilot setup of 802.1x in two Windows trusted
domains. Machine authentication with PEAP/MSCHAPv2 is being used and it is
working fine in any of the domains separately. When a laptop from one of the
domains is brought to another domain, authentication is not working. I am
using Cisco ACS 5.0 and the logs are not really useful for this problem.
Do you have any experience in such a deployment? I am not a Windows expert,
but in my opinion the problem should be somewhere in the way that adclient in
the ACS is communicating with the Domain controller.
thx in advance,
Lora
Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
_______________________________________________________________________
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
-- CCIE #19963
Received on Thu Apr 02 2009 - 23:40:12 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART