Can 2 different domains use the same RADIUS server for authentication?

eddy sophian 26 Reputation points
2024-03-07T09:21:01.2633333+00:00

Hi

I would like to know if it is possible to have 2 different domains use the same RADIUS server for authentication. The RADIUS server is using certificates as the authentication method.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other

2 answers

Sort by: Most helpful
  1. Thameur-BOURBITA 36,261 Reputation points Moderator
    2024-03-07T09:43:07.83+00:00

    Hi @eddy sophian

    Yes, it's possible to provide authentication and authorization for user accounts that are not members of either the domain in which the NPS is a member or another domain that has a two-way trust with the domain in which the NPS is a member. This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy.

    For more information you can refer to the following article:

    RADIUS server and RADIUS proxy configuration examples


    Please don't forget to accept the helpful answer.


  2. Yanhong Liu 14,200 Reputation points Microsoft External Staff
    2024-03-08T07:20:12.0733333+00:00

    Hello eddy sophian,

    Thank you for posting in Q&A forum.

    Yes, it is perfectly possible for two different domains (e.g., two separate Active Directory domains or even two different identity management systems) to share the same RADIUS server for authentication, as long as they both support methods of authentication with certificates, such as EAP-TLS.

    In such a configuration, each domain will configure its network devices (such as wireless access points, VPN servers, etc.) to point to the same RADIUS server and provide the corresponding client certificate and server certificate. Each domain's clients (user devices) are required to install valid user certificates, which are issued by the respective domain's root of trust certificate authority.

    When the client tries to connect and authenticate, the RADIUS server verifies that the certificate provided by the client is legitimate, i.e., signed by a trusted CA, and is within the validity period. As long as the client certificate is valid, the RADIUS server is able to authenticate, regardless of the domain the client belongs to.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

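The check described in the second answer (client certificate chains to a CA the RADIUS server trusts and is inside its validity period), as an added example that is not part of either answer: two domain CAs plus one CA the server has never been told about, one client certificate issued by each, and a single trust bundle standing in for the RADIUS server's trusted-root store. The script assumes only the openssl CLI; the CA names, file names and the `verify_client_cert` helper are invented for the demonstration. Note that on NPS the trust check is only the first step: NPS still has to map the certificate to an account it can look up, which is why the first answer's RADIUS proxy approach exists for accounts in untrusted domains or other forests.

```sh
#!/bin/sh
# Added example, not from the Q&A thread: model the trust decision a RADIUS server
# makes for EAP-TLS clients from two domains. Uses the openssl CLI; everything
# (two domain CAs, one untrusted CA, one client cert each) is generated here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_domain NAME CA_CN: self-signed CA for one domain plus one client cert it issues.
make_domain() {
  name="$1"; ca_cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$ca_cn" -keyout "$WORK/$name-ca.key" -out "$WORK/$name-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=user@$name.example" \
    -keyout "$WORK/$name-user.key" -out "$WORK/$name-user.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name-user.csr" \
    -CA "$WORK/$name-ca.pem" -CAkey "$WORK/$name-ca.key" -CAcreateserial \
    -out "$WORK/$name-user.pem" 2>/dev/null
}

# verify_client_cert BUNDLE CERT: the check the RADIUS server performs on the
# presented client certificate (chains to a trusted CA, inside its validity
# period). Returns 0 when accepted, 1 when rejected.
verify_client_cert() {
  bundle="$1"; cert="$2"
  if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    echo "accepted: $cert"
    return 0
  fi
  echo "rejected: $cert"
  return 1
}

# Two domains whose CAs the RADIUS server is configured to trust, and a third
# CA it has never been told about (all constructed here).
make_domain corp-a "Corp-A Root CA"
make_domain corp-b "Corp-B Root CA"
make_domain rogue  "Unknown Root CA"

# The RADIUS server's trust store holds both domains' roots (on NPS this is
# the Trusted Root Certification Authorities store of the NPS machine).
BUNDLE="$WORK/radius-trusted-cas.pem"
cat "$WORK/corp-a-ca.pem" "$WORK/corp-b-ca.pem" > "$BUNDLE"

# Clients from corp-a and corp-b are accepted; the rogue client is rejected.
for d in corp-a corp-b rogue; do
  verify_client_cert "$BUNDLE" "$WORK/$d-user.pem" || true
done
```

The point the bundle makes: the server does not care which domain a client came from, only whether the presented chain ends at a root it was explicitly given. Adding a second domain therefore means adding that domain's root (and any intermediates) to the server's trust store, and removing a domain means removing its root, since nothing else in the check distinguishes the two.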
