Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
  • 1.  AD over SSL

    Posted Oct 13, 2017 07:12 AM

    Hi!

    I'm having trouble with AD over SSL. I've created a certificate for the ClearPass server from the AD CA and uploaded it, and also added the CA to the trust list.

    The ClearPass server is a member of 2 Active Directories.

    As soon as I choose "Enable to verify Server Certificate for secure connection", the source fails with the error message: "Can't contact LDAP server".

    But I can use it fine running AD SSL over 636 without this option, no problem.

    ClearPass and the AD server are in the same subnet.

    Any tips for troubleshooting?

    Is the connection still running encrypted without this option enabled?



  • 2.  RE: AD over SSL

    Posted Oct 13, 2017 10:24 AM

    Do you also have the root from the CA that issued the DC cert in the ClearPass trust list?

    Launching a packet capture on the CPPM node and analysing what is being presented by the DC could be a good thing too.

    Cheers,



  • 3.  RE: AD over SSL

    EMPLOYEE
    Posted Oct 15, 2017 01:49 PM

    As said, you need to import and enable the root CA that issued the certificate for your LDAPS. The problem likely lies in here.

    If you like to see the process in a video, check here.



  • 4.  RE: AD over SSL
    Best Answer

    Posted Oct 18, 2017 05:33 AM

    Hi!

    Thanks for the tips. I've installed the root cert, so that wasn't the problem.

    I'm embarrassed to say, but it turns out that the AD servers were added as sources with IP instead of DNS name.

    The log details in Access Tracker showed:  ERROR RadiusServer.Radius - rlm_ldap: TLS: unable to get CN from peer certificate

    Which clued me in. Pretty obvious in the end :)
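The root cause in the accepted answer is the TLS hostname check: when "verify Server Certificate" is enabled, the name the authentication source was configured with (an IP address here) has to match a name in the domain controller's certificate, and a typical AD DC certificate carries only DNS names. The script below is an added example, not ClearPass code and not the rlm_ldap logic from the log line; it implements that matching rule over a certificate in the dictionary format Python's `ssl.getpeercert()` returns, so it can be used as a pre-flight check before enabling verification. The certificate contents, the host `dc1.corp.example` and the address `192.0.2.10` are constructed for illustration; `fetch_peer_cert` is an optional live helper and is not exercised offline.

```python
"""Pre-flight check: does the name configured for an LDAPS source match the
DC certificate?  Added example; certificate data below is constructed."""
import ipaddress
import socket
import ssl

# Constructed AD domain-controller certificate in ssl.getpeercert() layout:
# CN plus DNS SANs, no IP SAN (the common case for DC certs).
DC_CERT = {
    "subject": ((("commonName", "dc1.corp.example"),),),
    "subjectAltName": (("DNS", "dc1.corp.example"), ("DNS", "corp.example")),
}

# Same certificate with an IP SAN added, to show when an IP-based source works.
DC_CERT_WITH_IP = {
    "subject": DC_CERT["subject"],
    "subjectAltName": DC_CERT["subjectAltName"] + (("IP Address", "192.0.2.10"),),
}


def names_in_cert(cert):
    """Return (dns_sans, ip_sans, common_name) from a getpeercert()-style dict."""
    dns, ips, cn = [], [], None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower().rstrip(".")
    return dns, ips, cn


def _dns_match(pattern, host):
    """RFC 6125-style match: exact, or a single leading wildcard label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def peer_name_matches(cert, configured_name):
    """Mimic a TLS client's reference-identity check.

    An IP reference identity only matches an IP SAN; a DNS reference identity
    matches DNS SANs, falling back to the CN only when no DNS SAN is present.
    """
    dns, ips, cn = names_in_cert(cert)
    try:
        ip = ipaddress.ip_address(configured_name)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(i) == ip for i in ips)
    host = configured_name.lower().rstrip(".")
    if dns:
        return any(_dns_match(p, host) for p in dns)
    return cn is not None and _dns_match(cn, host)


def check_ldaps_source(cert, configured_name):
    """Return (ok, reason) so an operator sees why verification would fail."""
    dns, ips, cn = names_in_cert(cert)
    if peer_name_matches(cert, configured_name):
        return True, f"'{configured_name}' matches the DC certificate"
    try:
        ipaddress.ip_address(configured_name)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip and not ips:
        suggested = dns[0] if dns else cn
        return False, (f"source configured by IP but the certificate has no IP SAN; "
                       f"configure the DNS name '{suggested}' instead")
    return False, (f"'{configured_name}' is not among DNS SANs {dns}, "
                   f"IP SANs {ips} or CN '{cn}'")


def fetch_peer_cert(host, port=636, cafile=None, timeout=5):
    """Live helper (not run offline): fetch the DC certificate with full
    verification, the same check a client performs when verification is on.
    cafile is the issuing CA chain to trust; None uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("dc1.corp.example", "192.0.2.10"):
        print(name, check_ldaps_source(DC_CERT, name))
    print("192.0.2.10 (IP SAN present)", check_ldaps_source(DC_CERT_WITH_IP, "192.0.2.10"))
```

Run it as-is to see the by-IP configuration rejected against the constructed certificate and accepted once an IP SAN exists; to check a real DC, call `fetch_peer_cert("dc1.corp.example", cafile="issuing-ca.pem")` and pass the result to `check_ldaps_source` with the exact name you intend to enter as the source, since that name, not the resolved address, is what the TLS check compares.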