
How to join ClearPass to an Active Directory domain

Aruba Employee

Introduction:

 

Joining ClearPass to an Active Directory domain lets it authenticate users and computers that are members of that
domain.

Users can then authenticate to the network using 802.1X and EAP methods, such as PEAPv0/EAP-MSCHAPv2, with their
own AD credentials.

Joining ClearPass to an Active Directory domain creates a computer account for the ClearPass node in the AD database.

If you need to authenticate users from multiple AD forests or domains that have no trust relationship between them,
you must join ClearPass to each of those forests or domains separately.

There is no need to join ClearPass to multiple domains belonging to the same AD forest, because a two-way transitive
trust exists between all domains in a forest. In this case, join ClearPass to the forest root domain.

 

Environment

This knowledge base article is written for CPPM 6.x.

 

Configuration Steps: Browse to Administration » Server Manager » Server Configuration and click the server that you need to add to the domain.


Click "Join Domain" and enter the following details.




Domain Controller: Fully qualified domain name (FQDN) of an Active Directory domain controller, for example ad.clearpass.aruba.com. Enter the name of a specific domain controller, not the bare domain name; the join needs a host that holds a Kerberos service principal, and a bare domain name can fail with "Server not found in Kerberos database".

Domain Controller name conflict: In some deployments (especially if there are multiple domain controllers, or if the domain
name was entered incorrectly in the previous step), the domain controller FQDN returned by
the DNS query can differ from what was entered.
In this case, you may:
i: Continue to use the domain controller name that you entered
ii: Use the domain controller name returned by the DNS query
iii: Abort the Join Domain operation

Use default domain admin user: Check this box to use the Administrator user name to join the domain.

User Name: User ID of the domain account used to perform the join. The account needs the right to create the ClearPass computer object in the domain (or in the target container); a dedicated account with only that permission is preferable to a full Domain Admin, since the credentials are used only for the join itself.

Password: Password of that account.

Click "Save" and CPPM will be joined to the domain.

 

Troubleshooting: A common issue seen while adding CPPM to a domain.



Below is the complete error message.

-------------------------------------------------------------------------------------------------------------------------------------------
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'ad.clearpass.aruba.com'
INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
INFO - Using Administrator as the AD's username
Enter Administrator's password:
[2013/08/23 03:10:15, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure.
Minor code may provide more information : Clock skew too great
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor
code may provide more information : Clock skew too great
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CLEARPASS'
ERROR - Aruba_CPPM_6.2 failed to join the domain CLEARPASS.ARUBA.COM with domain
controller as ad.clearpass.aruba.com
Join domain failed

-------------------------------------------------------------------------------------------------------------------------------------------------------
Kerberos rejects the bind when the clocks of the client and the domain controller differ by more than the configured tolerance (5 minutes by default in Active Directory). The join succeeds once the time on CPPM matches the time on the domain controller.

On CPPM we can change the time by browsing to "Administration » Server Manager » Server Configuration" and clicking on "Set Date & Time"


We can either update the time manually or synchronize it with an NTP server, preferably the same NTP source the domain controllers use, so the clocks do not drift apart again later.

NOTE: Changing the date/time will cause the services to restart.
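Because the "Clock skew too great" failure above only shows up after the join has already been attempted, it is useful to measure the skew between the ClearPass node and the domain controller beforehand. The following script is an added example, not code from the article or from ClearPass: it sends a single SNTP request to the domain controller (it assumes the DC answers NTP on UDP/123, which Windows domain controllers do by default), parses the reply's transmit timestamp and reports whether the offset is inside the default Kerberos tolerance of 300 seconds. The DC name and the 1700000000.5 timestamp used by the test fixture are assumptions for illustration.

```python
import socket
import struct
import time

NTP_UNIX_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300            # AD default "Maximum tolerance for computer clock synchronization": 5 minutes


def build_ntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 (client), all other fields zero."""
    return b"\x1b" + b"\x00" * 47


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Server transmit timestamp (RFC 4330, bytes 40..47) converted to Unix seconds."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    seconds, fraction = struct.unpack("!II", packet[40:48])
    if seconds == 0:
        raise ValueError("server sent a zero transmit timestamp (clock not synchronised)")
    return seconds - NTP_UNIX_EPOCH_DELTA + fraction / 2 ** 32


def skew_seconds(reply: bytes, local_time: float) -> float:
    """Signed offset in seconds: positive means the server clock is ahead of this host."""
    return parse_ntp_transmit_time(reply) - local_time


def kerberos_skew_ok(skew: float, max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    """True when |skew| is inside the Kerberos tolerance, so the join will not fail with 'Clock skew too great'."""
    return abs(skew) < max_skew


def measure_skew(dc_host: str, timeout: float = 3.0) -> float:
    """Live check: send one SNTP request to the DC on UDP/123 and return the skew in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (dc_host, 123))
        reply, _ = sock.recvfrom(512)
        return skew_seconds(reply, time.time())


def constructed_ntp_reply(unix_time: float) -> bytes:
    """Constructed server reply (not a real capture) whose transmit timestamp equals unix_time; for offline testing."""
    whole = int(unix_time)
    reply = bytearray(48)
    reply[0] = 0x1C  # LI=0, VN=3, Mode=4 (server)
    reply[40:48] = struct.pack("!II", whole + NTP_UNIX_EPOCH_DELTA, int((unix_time - whole) * 2 ** 32))
    return bytes(reply)


if __name__ == "__main__":
    import sys
    # Assumed DC name, taken from the article's example output; pass your own DC FQDN as the first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "ad.clearpass.aruba.com"
    skew = measure_skew(dc)
    verdict = "OK" if kerberos_skew_ok(skew) else "TOO GREAT - fix NTP before joining"
    print("clock skew vs %s: %+.3f s (%s)" % (dc, skew, verdict))
```

Run it from the same network segment as the ClearPass node (or from the node itself) with the DC FQDN you intend to enter in the "Domain Controller" field. A skew close to 300 seconds is still worth fixing: the tolerance is applied on every Kerberos exchange, not only during the join, so a clock that keeps drifting will break authentication later even if the join succeeds today.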

Version history
Revision #:
4 of 4
Last update:
‎07-06-2017 04:04 PM
Updated by:
 
Comments
bahaa43

I have tried to join the AD domain and have the error:

Enter bha2's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'ASLNET'
ERROR - MTC_clearpass failed to join the domain ASLNET.NET with
domain controller as aslnet.net

Could you help me to join AD?

 

Try joining directly to a domain controller instead of using the DNS response.
bahaa43

Thanks, but I don't know how to do this (join without DNS).

NetNerd

Use the FQDN of a domain controller in the "Domain Controller" field. I had the same result as you when I used [mydomain].com. It worked when I used [adomaincontroller].[mydomain].com

bahaa43

Thanks a lot NetNerd, it works well.
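The thread above ends with the fix of entering a domain controller's FQDN rather than the domain name. Active Directory publishes its domain controllers as SRV records under _ldap._tcp.dc._msdcs.<domain>, so the host names to use can be looked up before the join. The script below is an added example, not code from the article or from ClearPass: it builds a raw DNS SRV query, parses the reply (including name compression), lists the DC targets and checks whether the value you intend to type into the "Domain Controller" field is actually one of them. The domain aslnet.net and the hosts dc01/dc02 in the offline fixture are assumptions modelled on the thread; the resolver address is whatever AD DNS server ClearPass is configured to use.

```python
import socket
import struct

SRV_TYPE, IN_CLASS = 33, 1


def encode_name(name: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"


def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) with a single SRV/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the current record)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                         # refuse pointer loops in malformed replies
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_answers(msg: bytes, expected_txid: int = None):
    """Return [(priority, weight, port, target)] from the answer section, sorted by priority then weight."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS error, RCODE %d (3 = NXDOMAIN: no DC SRV records for that name)" % (flags & 0xF))
    off = 12
    for _ in range(qd):                           # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target.lower()))
        off += rdlen
    return sorted(records)


def discover_dcs(domain: str, resolver: str, timeout: float = 3.0):
    """Live lookup of _ldap._tcp.dc._msdcs.<domain> against the AD DNS server (UDP/53)."""
    query = build_srv_query("_ldap._tcp.dc._msdcs." + domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_srv_answers(reply, expected_txid=0x1234)


def is_dc_fqdn(entered: str, records) -> bool:
    """True if the value for the 'Domain Controller' field names an actual DC host rather than the bare domain."""
    return entered.strip(".").lower() in {target for _, _, _, target in records}


def constructed_srv_response(txid: int = 0x1234) -> bytes:
    """Constructed reply (not a real capture) for offline use: two DCs for aslnet.net; the first target's
    name uses a compression pointer (0xC021) back to 'aslnet.net' inside the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = encode_name("_ldap._tcp.dc._msdcs.aslnet.net") + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    rr1_rdata = struct.pack("!HHH", 0, 100, 389) + b"\x04dc01" + b"\xC0\x21"
    rr2_rdata = struct.pack("!HHH", 0, 100, 389) + encode_name("dc02.aslnet.net")
    rrs = b""
    for rdata in (rr1_rdata, rr2_rdata):
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return header + question + rrs


if __name__ == "__main__":
    import sys
    domain, resolver = sys.argv[1], sys.argv[2]          # e.g. aslnet.net 10.0.0.10 (assumed values)
    dcs = discover_dcs(domain, resolver)
    for prio, weight, port, target in dcs:
        print("prio=%d weight=%d port=%d %s" % (prio, weight, port, target))
    print("entering the bare domain name is a DC host:", is_dc_fqdn(domain, dcs))
```

In the thread, `aslnet.net` was entered and `is_dc_fqdn("aslnet.net", dcs)` would be False, which is the case that ends in "Server not found in Kerberos database"; one of the listed targets (for example `dc01.aslnet.net`) is what belongs in the field. If the lookup returns NXDOMAIN, ClearPass is not using the AD DNS servers and the join will not work regardless of the name entered.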
