Higher Education

Frequent Contributor I
Posts: 247
Registered: ‎09-14-2011
Clearpass Admin Access Question

If I use the Clearpass Admin Access (Active Directory) wizard to add Read Only / Help Desk users and set it up like so:

[Screenshot: CPPM Helpdesk.PNG]

Will my local superuser admin account still work?

Thanks Gang!

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 8,445
Registered: ‎09-08-2010
Re: Clearpass Admin Access Question
Yes, local admin users will always work 

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 247
Registered: ‎09-14-2011
Re: Clearpass Admin Access Question

Thanks Cappi!!!

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor I
Posts: 247
Registered: ‎09-14-2011
Re: Clearpass Admin Access Question

Okay Cappi, riddle me this; I go through the wizard and set everything up, choosing our existing AD server that is already set up and with the appropriate AD groups. Yet it keeps failing. Access tracker keeps telling me it cannot find me in the local database. Why is it looking there when I thought we just set it up to look to AD for it?

Also, at the beginning of the wizard, it asks for a prefix, what prefix would that be?

(I am not an AD guy so this is new territory for me)

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Contributor II
Posts: 141
Registered: ‎05-12-2010
Re: Clearpass Admin Access Question

Under Configuration -> Services, the services are accessed in order from top to bottom. I believe that, by default, a new service is added at the bottom to minimize disruption on a production server.

You can use the Reorder button to move your new service before others.

Bruce Osborne - Wireless Engineer
ACCP
Frequent Contributor I
Posts: 247
Registered: ‎09-14-2011
Re: Clearpass Admin Access Question

bosborne@liberty.edu wrote:

Under Configuration -> Services, the services are accessed in order from top to bottom. I believe that, by default, a new service is added at the bottom to minimize disruption on a production server.

You can use the Reorder button to move your new service before others.


The reorder did the trick! Thanks Bosborne !

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
MVP
Posts: 500
Registered: ‎04-03-2007
Re: Clearpass Admin Access Question
Keep in mind that every modification to a service and/or addition of a service rewrites the radius.cfg file in the backend. Always best to make changes to production systems in maintenance windows... #duh

- Ryan -
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Contributor II
Posts: 141
Registered: ‎05-12-2010
Re: Clearpass Admin Access Question

Ryan,

Have you seen any issue making modifications during production?

Obviously, when adding a new role it is best to enter the role mapping last to minimize disruption.

Bruce Osborne - Wireless Engineer
ACCP
MVP
Posts: 500
Registered: ‎04-03-2007
Re: Clearpass Admin Access Question
It was an extraordinary disruption. Our identity team that provided our service account for LDAPS authorization neglected to disable password expiration. Our password expired, but services sustained because ClearPass maintained the LDAP sockets open. When we modified a service, it rewrote the radius.cfg, causing the sockets to close and attempt to reopen. At that point, the password had already expired and authorization began to fail. Full wireless outage.

I only mentioned it so folks know that's what happens in the background. I didn't before, and now that I know that affecting one service can touch/affect them all, I'm much more cautious. I tread very lightly with ClearPass changes.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
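
Added example (not part of any post in this thread, and not ClearPass or Aruba code): a pre-change check that flags a directory bind account whose password has expired or is about to, the condition behind the outage described above. It assumes the account's `userAccountControl` and `pwdLastSet` and the domain's `maxPwdAge` have already been read from AD; the account name and dates are constructed, and fine-grained password policies are not considered.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x2          # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
NO_MAX_AGE = -0x8000000000000000  # maxPwdAge value meaning "no expiry"


def dt_to_filetime(dt):
    """datetime -> 100-ns ticks since 1601-01-01 UTC (AD timestamp format)."""
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def filetime_to_dt(ft):
    """100-ns ticks since 1601-01-01 UTC -> datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def bind_account_status(attrs, max_pwd_age, now, warn_days=14):
    """Return (status, expiry) for a bind account's password."""
    uac = int(attrs["userAccountControl"])
    pwd_last_set = int(attrs["pwdLastSet"])
    if uac & UF_ACCOUNTDISABLE:
        return "DISABLED", None
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NO_MAX_AGE):
        return "NO_EXPIRY", None
    if pwd_last_set == 0:
        return "MUST_CHANGE", None  # flagged "change at next logon"
    # maxPwdAge is stored as a negative interval, so subtracting adds it
    expiry = filetime_to_dt(pwd_last_set - max_pwd_age)
    if expiry <= now:
        return "EXPIRED", expiry  # existing sockets may work, a re-bind will not
    if expiry - now <= timedelta(days=warn_days):
        return "EXPIRING_SOON", expiry
    return "OK", expiry


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: hypothetical account, 90-day domain policy
    domain_max_pwd_age = -90 * 86400 * 10**7
    svc = {"sAMAccountName": "svc-cppm-ldap", "userAccountControl": "512",
           "pwdLastSet": str(dt_to_filetime(datetime(2024, 2, 1, tzinfo=utc)))}
    status, expiry = bind_account_status(
        svc, domain_max_pwd_age, now=datetime(2024, 6, 1, tzinfo=utc))
    print(svc["sAMAccountName"], status, expiry)
```

Running this before touching a service shows whether a forced re-bind would still succeed, rather than finding out when the sockets reopen.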
Guru Elite
Posts: 8,445
Registered: ‎09-08-2010
Re: Clearpass Admin Access Question
Many times you will notice requests that cannot be processed after making a change at high traffic times.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480