Introduction : This article describes how to handle a network with multiple Active Directory domains when we do not want to join CPPM to each of them.
Environment : This article applies to all versions of CPPM.
We have ClearPass, and it is authenticating users on their primary domain today. We also have a number of other domains, which are currently serviced by MS NPS. We don't have the DCs joined to the other domains, and NPS is authenticating users from the other domains just fine.
How would we recommend setting this up with Clearpass?
If the domains have proper trust relationships with each other, CPPM can authenticate users in all of them after being joined to a single domain that is trusted by the others. The domain join is what lets the MSCHAPv2 exchange for any trusted domain be validated, so one join is enough as long as the trusts are in place.
We will usually still have to configure an authentication source for each domain, unless a Global Catalog server is available. A GC (LDAP on TCP 3268, LDAPS on 3269) can look up any user in the whole forest from a single authentication source. Two caveats apply: a GC covers only its own forest, so domains in a separately trusted forest still need their own sources, and the GC holds only the partial attribute set that is replicated to it, so any attribute outside that set must be fetched from the domain's own DC.
A user lookup against an AD authentication source can take 1-2 seconds, because it is a network operation that leaves CPPM. If a single service lists N authentication sources (one per domain), CPPM tries them in order until one returns the user, so a user in the last domain costs up to N lookups and the request may exceed the NAS or supplicant timeout. It is better to define N services, one per domain, and classify on the username prefix. When client systems authenticate with their Windows credentials over PEAP+MSCHAPv2, the User-Name is usually of the form DOMAIN\username, so the service rule for a domain can be:
Radius:IETF | User-Name | BEGINS_WITH | <your_domain_1>\
Add the authentication source that points to that domain's DC to the matching service, so each request performs a single, direct lookup. If the clients send a UPN (user@domain.example) instead of DOMAIN\username, use ENDS_WITH @domain.example in the condition instead of BEGINS_WITH. Since CPPM picks the first service whose rules match, keep a catch-all service below the per-domain ones for identities that carry no domain at all.
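As an added illustration (this is not code from the original article and not ClearPass code), the following Python models the classification decision described above: it extracts the domain hint from a RADIUS User-Name in DOMAIN\username or user@domain form, routes to the single matching authentication source, and falls back to trying every source in order when no hint is present. The source names, domain names, per-lookup time and NAS timeout are constructed assumptions.

```python
"""
Added example (not from the original article): a small model of how
classifying on the username prefix avoids cycling through every
authentication source. All domain names, source names and timing
figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthSource:
    name: str          # ClearPass authentication source name (constructed)
    netbios: str       # NetBIOS domain name used in DOMAIN\username
    dns_domain: str    # DNS domain name used in user@domain UPNs


# Constructed example sources, one per domain, listed in the order a single
# service would try them if it contained all of them.
SOURCES = [
    AuthSource("AD-CORP", "CORP", "corp.example.com"),
    AuthSource("AD-EU", "EU", "eu.example.com"),
    AuthSource("AD-APAC", "APAC", "apac.example.com"),
]


def parse_identity(user_name: str):
    """Split a RADIUS User-Name into (domain_hint, account).

    domain_hint is the NetBIOS name from DOMAIN\\user, the DNS suffix from
    user@domain, or None when the identity carries no domain.
    """
    if "\\" in user_name:
        domain, account = user_name.split("\\", 1)
        return domain, account
    if "@" in user_name:
        account, domain = user_name.rsplit("@", 1)
        return domain, account
    return None, user_name


def select_sources(user_name: str, sources=SOURCES):
    """Return the authentication sources that would be queried, in order.

    With a per-domain service (BEGINS_WITH DOMAIN\\ or ENDS_WITH @domain)
    only the matching source is consulted. Without a usable hint we fall
    back to the whole list, which is the "cycle through N sources" case.
    """
    hint, _ = parse_identity(user_name)
    if hint is not None:
        hint_l = hint.lower()  # NetBIOS and DNS names are case-insensitive
        for src in sources:
            if hint_l in (src.netbios.lower(), src.dns_domain.lower()):
                return [src]
    return list(sources)


def worst_case_seconds(sources, per_lookup=2.0):
    """Upper bound on lookup time if every listed source has to be tried.

    2 s per lookup is the upper end of the figure quoted in the article.
    """
    return per_lookup * len(sources)


if __name__ == "__main__":
    timeout = 5.0  # assumed NAS/supplicant retransmit budget, not a real value
    for ident in ["CORP\\alice", "bob@eu.example.com", "carol"]:
        chosen = select_sources(ident)
        t = worst_case_seconds(chosen)
        flag = "  (exceeds timeout)" if t > timeout else ""
        print(f"{ident:22} -> {[s.name for s in chosen]} worst case {t:.0f}s{flag}")
```

Running the block shows that a prefixed identity costs one lookup, while a bare username (or an unknown domain) has to walk all three sources and, at 2 s each, overruns the assumed 5 s budget. That is the situation the per-domain services avoid.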
Note that configuring an authentication source is different from joining CPPM to a domain. The domain join is what allows CPPM to actually authenticate MSCHAPv2 credentials against the domain (and its trusted domains), while the authentication source is used for user lookup and attribute fetching, which in turn drives role mapping and enforcement.