Trust question - Cisco NAC and domains

Hi everyone, I will try to explain this without confusing anyone because
it confuses me a little myself.

We have DomainA which is currently set up to authenticate (SSO) to our
NAC device against our PDC.  This works fine for our users that
currently have a logon account in DomainA.

Recently we have acquired 2 more sister companies, DomainB and DomainC.

DomainA has a 2 way trust with DomainB
DomainA has a 2 way trust with DomainC
DomainB and DomainC have no trust between them

We require that all users authenticate through our NAC device using SSO
and their logon credentials.

So we need any user from DomainB and DomainC to be able to authenticate
in the same way.

They are claiming that with the trusts in place as mentioned above the
user should be able to log into DomainB or DomainC and automatically be
authenticated through the NAC to DomainA.  Of course this is not
working.

When the user logs into either DomainB or DomainC the agent cannot
authenticate them to DomainA.  I was under the assumption this is
correct, but they insist that since there is a trust that it should
work.

The way that NAC works, in the setup you specify the PDC to
authenticate to specifically which is a DC for DomainA.  

I keep telling them I don't think just because there is a trust in place
between the domains that NAC will work that way.  I know that as far as
resources go (servers, printers, shares, etc.) this is the correct
configuration, but to authenticate through the NAC they HAVE to have an
account in DomainA so that when the ticket is passed to the NAC device
it can then validate the ticket to DomainA and allow for network
access.

If a user logs into DomainB and that ticket is passed to the NAC
device, the NAC device will look at DomainA to see if there is a user
matching the ticket that was sent to allow for authentication.

What I want to know is if the user logs into DomainB and that ticket is
sent to the NAC device and the NAC device looks at DomainA and can't find
a user that matches, how do you configure DomainA (since there is a
trust) to check both DomainB and DomainC to see if there is a user that
matches the ticket sent?

I read something online about TGT and Kerberos trusts, but I am not
even sure that will solve our issue.

The only option that we have at this point is to create a generic
authentication account in the NAC device for each domain, but that
defeats the whole purpose of being able to see who is authenticated
because it would show up as a generic account and not who is actually
logged in (user@DomainA.com), and there are 200+ people that would do
this.

The other option we have is to create LDAP path options in the Cisco
NAC agent so that when prompted to authenticate to the network they could
pick which LDAP location (DomainB or DomainC), but I don't think this
will work either.

At all costs we want to be able to ensure that the users are
authenticated for network access and not exempt them from having to use
the NAC.

Like I said, typing this made me dizzy but any help would be greatly
appreciated!!

Jake


jak1890
1/14/2010 8:59:07 PM

Hello jak1890,

Users from DomainB and DomainC will authenticate to their own DCs, and only 
if they try to access resources in DomainA does the trust come into play, where 
the check will run if they are allowed.

See here about the way forest/domain access works:
http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 




Meinolf
1/14/2010 9:28:12 PM
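Meinolf's point, that a DomainB user authenticates to DomainB's own DC and the trust is only consulted when that user reaches a resource in DomainA, can be traced through a small model of the Kerberos exchanges involved. The following is an added illustration for this thread, not code from the poster, Cisco or Microsoft. The domain names, accounts, passwords and SPNs are constructed, the trusts are modelled as direct and non-transitive exactly as the post lists them (A-B, A-C, no B-C), "encryption" is stood in for by an HMAC tag, and the NAC is modelled as an ordinary Kerberos service registered in DomainA. Whether a given Cisco NAC release validates a cross-domain ticket with its own service key, or instead looks the account up in DomainA as the poster assumes, is product behaviour this thread does not settle.

```python
# Added illustration for this thread (constructed names and keys, not
# Cisco NAC or Windows code): how a logon travels across AD domain trusts.
import hashlib
import hmac
import json
import secrets


def _seal(key, issuer, claims):
    """Issue a ticket: claims plus an HMAC under `key`; issuer realm is in the clear."""
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "tag": tag}


def _open(key, ticket):
    """Validate a ticket with `key`; a holder of any other key cannot."""
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(ticket["body"])


class Realm:
    """One AD domain's KDC: krbtgt key, accounts, and the inter-realm keys
    it shares with the domains it trusts directly."""

    def __init__(self, name):
        self.name = name
        self.krbtgt_key = secrets.token_bytes(32)
        self.users = {}        # account name -> password (constructed)
        self.services = {}     # SPN -> service account key
        self.trust_keys = {}   # trusted realm name -> shared inter-realm key

    def trust(self, other):
        """Two-way trust, modelled as direct and non-transitive as in the post."""
        key = secrets.token_bytes(32)
        self.trust_keys[other.name] = key
        other.trust_keys[self.name] = key

    def as_exchange(self, user, password):
        """AS-REQ/AS-REP: a user always gets the TGT from their OWN domain."""
        if self.users.get(user) != password:
            raise PermissionError(f"{user} has no account in {self.name}")
        return _seal(self.krbtgt_key, self.name, {"principal": f"{user}@{self.name}"})

    def tgs_exchange(self, tgt, spn, service_realm):
        """TGS-REQ/TGS-REP: accept our own TGTs or a referral TGT from a trusted
        domain, then issue a service ticket or a referral towards the target."""
        if tgt["issuer"] == self.name:
            key = self.krbtgt_key
        elif tgt["issuer"] in self.trust_keys:
            key = self.trust_keys[tgt["issuer"]]     # the trust is used HERE
        else:
            raise PermissionError(f"{self.name} does not trust {tgt['issuer']}")
        claims = _open(key, tgt)
        if service_realm == self.name:
            return _seal(self.services[spn], self.name, {**claims, "spn": spn})
        if service_realm in self.trust_keys:
            return _seal(self.trust_keys[service_realm], self.name, claims)
        raise PermissionError(f"{self.name} has no trust path to {service_realm}")


def get_service_ticket(home, user, password, target, spn):
    """Client side: log on at home, then follow a referral if the service is elsewhere."""
    tgt = home.as_exchange(user, password)
    if target is home:
        return home.tgs_exchange(tgt, spn, home.name)
    referral = home.tgs_exchange(tgt, spn, target.name)
    return target.tgs_exchange(referral, spn, target.name)


def service_validate(realm, spn, ticket):
    """What the service (here the NAC) does: validate with its own service key
    and read the principal; it needs no copy of the user in its own directory."""
    return _open(realm.services[spn], ticket)["principal"]


def run_scenarios():
    """Reproduce the thread's layout: A trusts B and C; B and C do not trust each other."""
    a, b, c = Realm("DOMAINA"), Realm("DOMAINB"), Realm("DOMAINC")
    a.trust(b)
    a.trust(c)
    a.users["alice"], b.users["jake"], c.users["carol"] = b"pw-a", b"pw-b", b"pw-c"
    nac = "nac/nac.domaina.example"                  # constructed SPN for the NAC
    a.services[nac] = secrets.token_bytes(32)
    c.services["cifs/files.domainc.example"] = secrets.token_bytes(32)

    results = {}
    for home, user, pw in [(a, "alice", b"pw-a"), (b, "jake", b"pw-b"), (c, "carol", b"pw-c")]:
        results[user] = service_validate(a, nac, get_service_ticket(home, user, pw, a, nac))
    # A check that instead looks the user up as a DomainA account fails for jake.
    results["jake_is_domainA_account"] = "jake" in a.users
    # With no B<->C trust, a DomainB user cannot reach a service in DomainC.
    try:
        get_service_ticket(b, "jake", b"pw-b", c, "cifs/files.domainc.example")
        results["jake_to_domainC"] = "ticket issued"
    except PermissionError:
        results["jake_to_domainC"] = "denied: no trust path"
    return results
```

Running `run_scenarios()` shows the NAC service in DomainA validating tickets for `alice@DOMAINA`, `jake@DOMAINB` and `carol@DOMAINC` with its own key, even though `jake` has no DomainA account; the DomainB-to-DomainC request is refused because no trust path exists. The model's lesson for the question asked is that the trust is exercised by DomainA's KDC when it accepts the referral TGT, not by a lookup of the user in DomainA.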
