
SA4500FIPS Accessing Multiple AD Domains

ICTServicedesk_
Occasional Contributor

SA4500FIPS Accessing Multiple AD Domains

Hi,

 

We are in the process of migrating 2 old AD Domains (A & B) into a new 3rd one (C).

 

Part of this project is to allow users of Domain C to log in to the network using NC via the SA4500, using the same OTP Authenticators that are used for Domain A logins.

 

Please ignore Domain B users as they don't use this solution yet.

 

I have setup a new login page and AD Auth Server for Domain C, this works fine.

 

A strange problem arises when a User logs in with Domain C credentials and with their OTP Authenticator, who doesn't have an account in Domain A. The SA authenticates the AD credentials fine but fails the 2nd check for the OTP Authenticator with the following errors 'Secondary authentication failed for Username from IP' & 'Login failed using auth server (Radius Server). Reason: Failed'. The odd thing is that looking through the audit logs on the server for the OTP Authenticator software the user has passed the credential check.

 

Any ideas would be greatly appreciated.

 

Our SA4500FIPS is running 7.1R10 if that helps.

 

Thanks,

 

Dan

3 REPLIES
jayLaiz_
Super Contributor

Re: SA4500FIPS Accessing Multiple AD Domains

Hi Dan,

 

Does the OTP authentication work when configuring that as the primary auth server?

 

Has the SA been added as a RADIUS client on the new Domain C?

 

Regards,

Jay

ICTServicedesk_
Occasional Contributor

Re: SA4500FIPS Accessing Multiple AD Domains

Hi Jay,

 

The SA is a member of the domain and I can see its account in the correct OU.

 

I will try making the OTP authentication the primary auth server for those logins, temporarily.

 

Regards,

 

Dan

zanyterp_
Respected Contributor

Re: SA4500FIPS Accessing Multiple AD Domains

Are you requiring the user to put in their second username? Depending on how your RADIUS server is configured for OTP, what you are seeing may be expected. If you don't want to get the username again, does the behavior change if you switch the variable on the secondary auth section of the realm from <user> to <username>?
Is the username format in the user access log just username or domain\username?