One restriction is that NAC cannot search multiple domains for the same supplied username. A username submitted for authentication can match only one AAA configuration line, and each AAA line points to only one LDAP configuration. The LDAP configuration holds the domain search root and the other settings for integrating with an Active Directory domain, and which LDAP configuration is used is decided by the AAA entries in the NAC configuration. The AAA configuration lines in NAC Manager determine how a user or machine is authenticated: the supplied username is matched against the AAA lines, and the matching line selects the LDAP configuration that will be used.
To select the correct domain controller to search, the username must carry a domain identifier unique to its domain, so that the AAA configuration can match it to the LDAP configuration that searches that domain.
Ex. If there are two domains, blue and red, the AAA configuration should contain an entry for blue/* that points to an LDAP configuration searching the blue domain, and another entry for red/* that points to an LDAP configuration searching the red domain. NAC cannot search the blue and red domains at the same time; the supplied username must contain a differentiator that determines which domain is searched. A bare username with no domain prefix matches neither entry and cannot be routed to either domain.
There are additional restrictions in an 802.1x environment where NAC is the terminating RADIUS server. In this environment NAC performs an NTLM authentication against Active Directory to complete the 802.1x authentication. For the NTLM authentication to complete normally, the NAC appliance must join itself to Active Directory, and it can join only one Active Directory domain. In a multi-domain environment the domains must therefore have a two-way, transitive trust configured for the NAC to complete NTLM against domain controllers in domains it has not joined; without two-way transitive trust between the domains the NAC cannot authenticate a user to any domain other than the one it has joined. In summary, for NTLM authentication environments the NAC must have AAA lines that differentiate users by domain, as described above, and the domains must have two-way transitive trust enabled between them.
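The two rules above, username-to-LDAP routing through the AAA table and the trust requirement for NTLM once the NAC has joined one domain, are modelled in the following Python example. It is an added illustration written for this article, not Cisco NAC code: the LDAP configuration names, domain names, search roots and trust table are constructed, the wildcard matching of blue/* and red/* uses shell-style globbing as an approximation, and treating more than one matching AAA line as a misconfiguration is an assumption drawn from the statement that a username can match only one line.

```python
"""Model of how a NAC AAA table routes a username to one LDAP configuration, and of
the Active Directory trust a NAC that has joined one domain needs for NTLM.
Illustrative model written for this article, not Cisco NAC code; all names and the
sample configuration below are constructed."""
from collections import deque
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class LdapConfig:
    name: str          # LDAP configuration name in NAC Manager (constructed)
    domain: str        # AD domain this configuration searches (constructed)
    search_root: str   # search base for that domain (constructed)


@dataclass(frozen=True)
class AaaLine:
    pattern: str       # username pattern such as "blue/*", as in the article
    ldap: LdapConfig   # the single LDAP configuration the line points to


class AmbiguousUsername(Exception):
    """More than one AAA line matched. The article says a username may match only
    one line, so overlapping patterns are treated as a misconfiguration (assumption)."""


def split_domain(username):
    """Split 'DOMAIN/user' or 'DOMAIN\\user' into (domain, user); a bare name gives (None, user)."""
    for sep in ("/", "\\"):
        if sep in username:
            domain, user = username.split(sep, 1)
            return domain.lower(), user
    return None, username


def select_ldap(username, aaa_lines):
    """Return the one LdapConfig whose AAA line matches, or None when nothing matches.

    A bare username carries no domain differentiator, so it matches neither 'blue/*'
    nor 'red/*' and cannot be routed: the model never tries both domains.
    """
    domain, user = split_domain(username)
    key = f"{domain}/{user}".lower() if domain else user.lower()
    matches = [line for line in aaa_lines if fnmatchcase(key, line.pattern.lower())]
    if len(matches) > 1:
        raise AmbiguousUsername(f"{username!r} matches {[m.pattern for m in matches]}")
    return matches[0].ldap if matches else None


def ntlm_reachable(joined_domain, target_domain, trusts):
    """Can a NAC joined to joined_domain complete NTLM against target_domain?

    trusts: iterable of (domain_a, domain_b, two_way, transitive). Only two-way trusts
    are usable; a direct two-way trust suffices, while a path through an intermediate
    domain additionally needs every hop to be transitive.
    """
    joined, target = joined_domain.lower(), target_domain.lower()
    if joined == target:
        return True  # the NAC authenticates directly to the domain it has joined
    adj = {}
    for a, b, two_way, transitive in trusts:
        if not two_way:
            continue  # a one-way trust does not let the joined domain authenticate across it
        a, b = a.lower(), b.lower()
        adj.setdefault(a, []).append((b, transitive))
        adj.setdefault(b, []).append((a, transitive))
    if any(nbr == target for nbr, _ in adj.get(joined, [])):
        return True  # direct two-way trust; transitivity is not needed for one hop
    seen, queue = {joined}, deque([joined])
    while queue:
        for nbr, transitive in adj.get(queue.popleft(), []):
            if not transitive or nbr in seen:
                continue  # a non-transitive hop does not extend the trust any further
            if nbr == target:
                return True
            seen.add(nbr)
            queue.append(nbr)
    return False


def route_8021x(username, aaa_lines, joined_domain, trusts):
    """Decide how NAC, as terminating RADIUS server, handles an 802.1x username."""
    ldap = select_ldap(username, aaa_lines)
    if ldap is None:
        return ("reject", "no AAA line matches: username lacks a domain differentiator")
    if not ntlm_reachable(joined_domain, ldap.domain, trusts):
        return ("reject", f"NAC joined {joined_domain}; no two-way transitive trust to {ldap.domain}")
    return ("ntlm", ldap.name)


# Constructed sample: two domains, one AAA line each, NAC joined to the blue domain.
BLUE = LdapConfig("blue-ldap", "blue.example.com", "dc=blue,dc=example,dc=com")
RED = LdapConfig("red-ldap", "red.example.com", "dc=red,dc=example,dc=com")
AAA_LINES = [AaaLine("blue/*", BLUE), AaaLine("red/*", RED)]
JOINED = "blue.example.com"
TWO_WAY_TRANSITIVE = [("blue.example.com", "red.example.com", True, True)]
ONE_WAY = [("blue.example.com", "red.example.com", False, True)]

if __name__ == "__main__":
    for user in ("blue/alice", "RED\\bob", "alice"):
        print(user, "->", route_8021x(user, AAA_LINES, JOINED, TWO_WAY_TRANSITIVE))
    print("red/bob with one-way trust ->", route_8021x("red/bob", AAA_LINES, JOINED, ONE_WAY))
```

Running the block shows the three outcomes the article describes: a prefixed username is routed to exactly one LDAP configuration and, with a two-way transitive trust in place, proceeds to NTLM; the same username is rejected when only a one-way trust exists to a domain the NAC has not joined; and a bare username is rejected because nothing in the AAA table can tell the two domains apart.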