
Authenticating Across Multiple Domains

Technical Note 2190

Last Reviewed 02-Aug-2007
Applies to:
Mobility XE 5.00 and higher

Summary

This tech note describes how to configure your Mobility server installation to authenticate users from multiple domains, using either NTLM (Active Directory) or RADIUS.

NTLM

There are two ways to authenticate users from different Windows domains:

  • Establish a trust between the domains. With this configuration, the Mobility server authenticates users included in the domain group specified by the server setting Authentication—NTLM Global Domain Group. This group can contain members of other domains.

  • Use Proxy RADIUS. Without a trust between the Windows domains, there is no way to perform native NTLM authentication against them. However, Proxy RADIUS (described below) can forward authentication requests to multiple RADIUS servers, each authenticating users against a different Windows domain.

RADIUS

Using RADIUS for authentication, you can configure Mobility to authenticate against a primary RADIUS server that forwards (proxies) the requests to other RADIUS servers. The other RADIUS servers can authenticate users against whatever databases they support (for example, Active Directory). Follow these steps:

  1. Configure the Mobility server for RADIUS authentication with the proxy RADIUS server. The Mobility server isn't aware that the requests are being proxied, so the Mobility configuration is the same as if it were talking to a stand-alone RADIUS server. See the Mobility XE System Administrator Guide for more details.

  2. Configure your RADIUS server to proxy RADIUS authentication to the other RADIUS server(s). Proxy RADIUS communications are configured entirely between the RADIUS servers: no additional configuration is required on the Mobility server.

    The proxy RADIUS server should be configured to route the authentication traffic based on the domain of the user. When Mobility authenticates a user with a RADIUS server, the username it sends is DOMAIN\Username, so you can set up the proxy distribution table based on the various domain names. See your RADIUS server's documentation for details on this configuration.
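The routing decision described in step 2, sketched as an added example (not NetMotion's code or any RADIUS vendor's): it splits the DOMAIN\Username value and looks the domain up in a proxy distribution table. The server names, table contents and function names are hypothetical; matching domain names case-insensitively and rejecting unroutable requests instead of sending them to a default server are assumptions of this sketch.

```python
from typing import Dict, NamedTuple, Tuple


class HomeServer(NamedTuple):
    host: str
    port: int = 1812  # standard RADIUS authentication port


class RoutingError(ValueError):
    """Raised when a request cannot be routed; the proxy should reject it."""


# Constructed sample table: Windows domain name -> RADIUS server for that domain.
SAMPLE_TABLE = {
    "CORP": HomeServer("radius-corp.example.internal"),
    "FIELD": HomeServer("radius-field.example.internal"),
}


def normalize_table(table: Dict[str, HomeServer]) -> Dict[str, HomeServer]:
    """Upper-case the domain keys and refuse entries that collide after folding."""
    out: Dict[str, HomeServer] = {}
    for domain, server in table.items():
        key = domain.strip().upper()
        if not key or "\\" in key:
            raise RoutingError(f"invalid domain entry: {domain!r}")
        if key in out and out[key] != server:
            raise RoutingError(f"conflicting routes for domain {key!r}")
        out[key] = server
    return out


def split_user_name(user_name: str) -> Tuple[str, str]:
    """Split the DOMAIN\\Username form into (DOMAIN, Username)."""
    domain, sep, user = user_name.partition("\\")
    if not sep or not domain.strip() or not user or "\\" in user:
        raise RoutingError(f"expected DOMAIN\\Username, got {user_name!r}")
    return domain.strip().upper(), user


def route(user_name: str, table: Dict[str, HomeServer] = SAMPLE_TABLE) -> HomeServer:
    """Return the server for the user's domain; unknown domains are rejected."""
    domain, _user = split_user_name(user_name)
    routes = normalize_table(table)
    if domain not in routes:
        raise RoutingError(f"no route configured for domain {domain!r}")
    return routes[domain]
```

Running `normalize_table` over a planned distribution table before deploying it catches two entries for the same domain that differ only in case and point at different servers.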

Related Information

  • Technical Note 2177: Setting Up Mobility Authentication

  • Technical Note 2150: Enabling RSA SecurID Connections for RADIUS

  • Technical Note 9979: NetMotion Mobility Technical Notes
