Here is our setup.
domainA.com domain trust with domainB.com with selective authentication. ACLs are in place on OU's that contain computer objects which have 'allowed to authenticate' enabled. Users from the trusted domain are allowed to only authenticate to the appropriate computers.
How would we get devices, that cannot be joined to the domain, to authenticate users? Cisco VPN, for example. Since the device is using a bindDN etc which points to a DC would this just need the same 'allowed to authenticate' permission on the domain controllers? Is there any security risk to this?