Link to home
Start Free TrialLog in
Avatar of dwetherby

asked on

Authenticating users from subdomains against RADIUS in forest root domain

We have created a new IAS Radius server in our parent domain for authentication of Cisco VPN clients.  I would like to add the capability to have the child domains use the radius server on the parent domain for authentication.  I have the AAA-server setup on the ASA5510 on one of the Routers to use for testing.  I opened up the ports on the parent domains firewall and pointed them to the IAS server.  For some reason I cannot get the aaa-server on the cisco asa5510 to authenticate against the radius server on the parent domain.  I have tried using the ip for the ias server and the parent domains router IP.  I am clearly hitting a wall at this point and would like some input from those smarter than I on this subject.  I do have the Radius authentication working perfectly on the parent domain but I was hoping to get this working on the child domains without installing IAS server on each domain.  
Zone changed to include Routers by Netminder 29 Jul 2008

Open in new window

Avatar of dwetherby


I am actually shocked that no one can answer this question!  If I could get someone to at least take a gander at this question, then I could possibly clarify the question further.
Avatar of Pete Long
Pete Long
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I was trying to avoid adding the Radius servers on the child domains, but I will definitely do that if necessary.  I was  thinking that I could add the routers from each of the child domains as clients and then configure it that way.  I have tried to open up ports on each of the routers/firewalls but to no avail.  I get the authentication prompt and then I get disconnected.  If I try to run the test from the child router, I get no response from the authentication server.  I am sure that there is something simple that I am missing.  Tomorrow I will try installing the IAS s/w on the child domain controller and see if that helps at all.  I really appreciate any suggestions you can give me.


Dave W.
OK - but im confused? you mean you are adding the routers as authentication agents?
or are you tring to terminate a VPN on the router?
I was hoping to use the IAS server on the parent domain and then point the child AAA-servers to the parent domain for authentication.  I have decided to just install the IAS server on each of the domains as this seems to be the easiest way to do it.
I appreciate your help on this matter.  I was hoping to avoid installing the IAS s/w on all the servers, but that did the trick.  My original goal was to have the server in the parent domain be the Radius server and then have all the AAA servers/routers authenticate off that server.  Ah Well!  Once again thanks!