You can join CPPM to an Active Directory domain to authenticate users and computers that are members of an Active
Users can then authenticate into the network using 802.1X and EAP methods, such as PEAP-MSCHAPv2, with their
own AD credentials.
Joining CPPM to an Active Directory domain creates a computer account for the CPPM node in the AD database.
If you need to authenticate users belonging to multiple AD forests or domains in your network, and there is no trust
relationship between these entities, then you must join CPPM to each of these untrusting forests or domains.
There is no need to join CPPM to multiple domains that belong to the same AD forest because a one-way trust relationship
exists between these domains. In this case, you join CPPM to the root domain.
Environment: This knowledge base article is written for CPPM 6.x.
Configuration Steps: Browse to Administration » Server Manager » Server Configuration and click the server that needs to be added to the domain.
Click on "Join Domain" and enter the details below.
Domain Controller: Fully qualified name of the Active Directory domain controller
Domain Controller name conflict: In some deployments (especially if there are multiple domain controllers, or if the domain
name has been wrongly entered in the last step), the domain controller FQDN returned by
the DNS query can be different from what was entered.
In this case, you may:
i: Continue to use the domain controller name that you entered
ii: Use the domain controller name returned by the DNS query
iii: Abort the Join Domain operation
Use default domain admin user: Check this box to use the Administrator user name to join the domain
User Name: User ID of the domain administrator account
Password: Password of the domain administrator account
Click "Save" and CPPM will be joined to the domain.
Troubleshooting: The following is a common issue seen when adding CPPM to a domain.
Below is the complete error message.
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'ad.clearpass.aruba.
INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
INFO - Using Administrator as the AD's username
Enter Administrator's password:
[2013/08/23 03:10:15, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure.
Minor code may provide more information : Clock skew too great
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor
code may provide more information : Clock skew too great
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CLEARPASS'
ERROR - Aruba_CPPM_6.2 failed to join the domain CLEARPASS.ARUBA.COM with domain
controller as ad.clearpass.aruba.com
Join domain failed
This is resolved when the time on Active Directory is the same as the time on CPPM.
On CPPM, the time can be changed by browsing to "Administration » Server Manager » Server Configuration" and clicking "Set Date & Time".
You can either update the time manually or synchronize it with an NTP server.
NOTE: Changing the date/time will cause the services to restart.
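
One way to measure the offset behind "Clock skew too great" before retrying the join, as an added example (not part of the original article or of ClearPass itself): an SNTP query that reports how far a domain controller's clock is from the clock of the host running the script. It assumes the domain controller answers SNTP on UDP 123 and that the Kerberos tolerance is the 5-minute default; the function names are hypothetical.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300        # assumption: default Kerberos tolerance (5 minutes)

def _unix_time(packet, pos):
    """Decode the 64-bit NTP timestamp at byte offset pos into Unix seconds."""
    secs, frac = struct.unpack_from("!II", packet, pos)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server clock minus local clock, in seconds.

    t1/t4 are the local send/receive times; the reply carries the server's
    receive (t2) and transmit (t3) times, so symmetric network delay cancels.
    """
    if len(reply) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply (wrong mode or stratum 0)")
    t2 = _unix_time(reply, 32)
    t3 = _unix_time(reply, 40)
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(server, timeout=3.0):
    """Send one SNTP client request to server and return its clock offset."""
    request = b"\x23" + bytes(47)  # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def kerberos_skew_ok(offset, tolerance=MAX_SKEW_SECONDS):
    """True when the offset is within the Kerberos clock-skew tolerance."""
    return abs(offset) <= tolerance

if __name__ == "__main__":
    # Usage: python skew_check.py <domain-controller-fqdn>
    offset = query_offset(sys.argv[1])
    verdict = "OK" if kerberos_skew_ok(offset) else "clock skew too great"
    print(f"offset {offset:+.1f}s: {verdict}")
```

The result is relative to the machine running the script, so run it from a host whose clock is known to be correct and compare the reported time difference with the date and time shown on CPPM.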