wireless authentication using multiple AS domains
03-14-2012 05:04 AM - edited 07-03-2021 09:47 PM
The users belong to multiple AD domains. If we purchase a WLC 2500 controller, can I have one or more WLANs authenticate to multiple RADIUS servers or AD domains? I thought one WLAN/SSID authenticates to a single RADIUS server. Please advise.
Thanks
Sent from Cisco Technical Support iPhone App
Labels: Wireless Security
03-14-2012 08:05 PM
Mustafa,
While you can configure multiple RADIUS servers in a ranked list per WLAN, the WLC will only try the currently active RADIUS server for that WLAN unless it is unreachable. If it is reachable but a user does not exist in that RADIUS server's directory lookup, then the WLC will not try another RADIUS server to see if the user exists there.
You need to handle this from the RADIUS server or from the AD. I can think of two ways to solve this problem. There are probably other ways to do it.
- If you are using ACS, you can set up an Identity Sequence so that an access policy tries the first identity store and then the second if the first does not turn up the user. Here is a link to a post that explains how to do this; there is a little trickiness involved because ACS 5.x only supports one domain, but by configuring LDAP for the second domain, you can make this work: https://supportforums.cisco.com/message/3366422#3366422
- If memory serves, then with two AD domains, you can set up a trust so that Domain A trusts Domain B. Authentication requests to the DC in Domain A will try both its local user store and the store of Domain B. This removes the requirement of configuring multi-domain authentication on the RADIUS server because it's handled at the directory level. Here's a link explaining AD trust relationships: http://technet.microsoft.com/en-us/library/cc731335.aspx
Justin
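The behaviour described in this answer, modelled as an added example (not code from the original thread or from Cisco): a per-WLAN ranked RADIUS list only fails over when the active server does not respond, so an Access-Reject from domain A's server ends the attempt; an identity sequence on the RADIUS server, or a domain trust at the directory level, moves on when the user is simply absent. The directories, server names and trust layout are constructed for the demo.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "no response"


# Constructed user stores standing in for two AD domains (demo data only).
DOMAIN_A = {"alice": "pw-a"}
DOMAIN_B = {"bob": "pw-b"}
# Constructed trust map: domain A trusts domain B, so A's DC consults B's store too.
TRUSTS = {"domain-A": ["domain-B"]}
STORES = {"domain-A": DOMAIN_A, "domain-B": DOMAIN_B}


class RadiusServer:
    """A RADIUS server bound to exactly one directory (one domain)."""

    def __init__(self, name, directory, reachable=True):
        self.name, self.directory, self.reachable = name, directory, reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.TIMEOUT  # WLC sees no reply and marks the server dead
        return Result.ACCEPT if self.directory.get(user) == password else Result.REJECT


def wlc_authenticate(servers, user, password):
    """Model of the WLC ranked list: the next server is tried only on no response."""
    for server in servers:
        result = server.authenticate(user, password)
        if result is not Result.TIMEOUT:
            return result, server.name  # a Reject is final, even if user lives elsewhere
    return Result.TIMEOUT, None


def identity_sequence(stores, user, password):
    """Model of an ACS identity sequence: fall through while the user is not found."""
    for name, store in stores:
        if user in store:
            return (Result.ACCEPT if store[user] == password else Result.REJECT), name
    return Result.REJECT, None


def trusted_domain_auth(domain, user, password):
    """Model of a domain trust: the DC checks its own store, then every trusted domain."""
    for name in [domain] + TRUSTS.get(domain, []):
        if user in STORES[name]:
            return (Result.ACCEPT if STORES[name][user] == password else Result.REJECT), name
    return Result.REJECT, None
```

Run `wlc_authenticate([RadiusServer("radius-A", DOMAIN_A), RadiusServer("radius-B", DOMAIN_B)], "bob", "pw-b")` to see the Reject from radius-A end the attempt, while `identity_sequence` and `trusted_domain_auth` accept the same user.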
03-21-2012 03:47 PM
Justin
If we create multiple domain trusts, is there a limit? How about if there are more than two domains?
I know, crazy scenario.
What else can be done to simplify the multi-domain AD authentication issue?
Thanks
Sent from Cisco Technical Support iPhone App
03-21-2012 09:10 PM
Mustafa,
Yes, if I remember correctly, you can set up multiple trusts with Active Directory domains at the forest/domain level, e.g., A trusts B, A trusts C, A trusts D, etc. This could add processing and authentication time as your RADIUS server and AD move through several directories to find a match, but who knows, it may be quick, as 2008 is considerably more advanced than 2000, when I last touched domain trusts.
Justin
03-31-2012 04:30 PM
Thanks Justin
Sent from Cisco Technical Support iPhone App
