Security

I'm trying to get a clearpass registered in AD but running into some issues. When trying to resolve the NETBIOS name is fails with error: ads_connect: No logon servers

Clearpass is behind a firewall. I requested that the required ports be opened (according to http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/What-are-the-ports-that-need-to-be-opened-on-the-network/ta-p/175872) but still no luck.

When I do a packet capture during the join attempt I can see Clearpass doing DNS (and getting answers).

I can also see CLDAP (udp 389) searchRequest for "<ROOT>" baseobject to the domain server but it appears nothing is being returned even though routing seems ok.

Finaly I also see some netbios queries (only queries, no answers) coming from both data and mgmt interfaces where I only use mgmt for everything but guest traffic.

So, what is going wrong here? What exactly is being used to resolve that NETBIOS name?

It might be worth adding a route to the domain controller (or domain controller subnet) over a particular interface.

Hi ,

Generally we see such error message if AD is not reachable, could you try do a testjoin from CLI

Tests if Policy Manager is a member of the AD domain.
Syntax
ad testjoin

Try join the AD from CLI

Joins host to the domain.
Syntax
ad netjoin <domain-controller.domain-name>

Thanks all, lesson learned, trust your own pcaps over fw guys :P

Needed ldap, opened only sldap