Security
Occasional Contributor I
Posts: 5
Registered: ‎08-02-2015

ClearPass 802.1x authentication with AD

Hi all,


We're using CPPM v6.3. I tried to configure AD as the authentication source for 802.1x while CPPM is not joined to the AD domain. The test failed with "authentication failed", no matter which method is used (EAP-TTLS, EAP-PEAP, etc.).


Found in CPPM User Guide that

"You can join CPPM to an Active Directory (AD) domain to authenticate users and computers that are members of an Active Directory domain. Joining CPPM to an Active Directory domain creates a computer account for the CPPM node in the AD database. Users can then authenticate into the network using 802.1X and EAP methods, such as PEAP-MSCHAPv2, with their own AD credentials."


I wonder if it's a must for CPPM to join the AD domain in order to authenticate against AD.


Would anyone please help?


Thanks and regards

Guru Elite
Posts: 8,011
Registered: ‎09-08-2010

Re: ClearPass 802.1x authentication with AD

Yes, when using any authentication method that involves MSCHAP, you must join ClearPass to the domain.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 1,404
Registered: ‎10-25-2011

Re: ClearPass 802.1x authentication with AD

What if you're using LDAPS to query?
The customer does not want to join CPPM to the domain as it is a security policy.
I was told that it is not absolutely necessary to join it to the domain.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite
Posts: 8,011
Registered: ‎09-08-2010

Re: ClearPass 802.1x authentication with AD

If you're using MS-CHAPv2, you will need to join them to the domain.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 1,404
Registered: ‎10-25-2011

Re: ClearPass 802.1x authentication with AD

Yes we are using MS-CHAPv2.
That's not what I was told unfortunately.

We can query AD using LDAPS and retrieve user information; policies are all set up (basic ones for now).
I am trying to get a better handle on CPPM as it's my first rodeo here.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite
Posts: 8,011
Registered: ‎09-08-2010

Re: ClearPass 802.1x authentication with AD

Yes, that's correct. If joining it to the domain is an issue, then your only option for 802.1X will be EAP-TLS.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 5
Registered: ‎08-02-2015

Re: ClearPass 802.1x authentication with AD

Right, it works after joining the domain. It's also mentioned in the CPPM User Guide, and it seems we've no choice. Same case when we tested with freeRADIUS+Samba, which is exactly the configuration used on CPPM ;-).


Thanks for all of your help.


Regards,

/ST Wong
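As an added illustration of the two setups discussed in this thread (Tim's point that anything involving MS-CHAP needs the domain join, and ST Wong's note that CPPM behaves like freeRADIUS+Samba), here is the freeRADIUS 3 equivalent. This is example configuration, not Aruba's or the thread's own config, and it assumes a hypothetical domain example.internal, a DC named dc01 and a service account svc-radius.

```conf
# mods-available/ldap (excerpt): an LDAPS bind can only verify a password the
# supplicant sent in the clear (PAP), because freeRADIUS has to forward that
# password to AD in a bind. AD never returns the user's NT hash over LDAP, so
# this module cannot verify an MS-CHAPv2 challenge/response on its own.
ldap {
    server = 'ldaps://dc01.example.internal'            # assumed hostname
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=internal'
    password = '<service-account-password>'              # placeholder
    base_dn = 'DC=example,DC=internal'
    user {
        base_dn = "${..base_dn}"
        # AD accounts are looked up by sAMAccountName rather than uid
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# mods-available/mschap (excerpt): MS-CHAPv2 (the inner method of PEAP and of
# EAP-TTLS/MSCHAPv2) is verified by handing the challenge and NT-Response to
# Samba's winbind, which relays it to a domain controller over the NETLOGON
# secure channel. That channel is authenticated with the host's machine
# account, which only exists after `net ads join` has been run on this box.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# Operational checks on the RADIUS host after joining (run as root):
#   wbinfo -t                     # verifies the machine-account trust secret
#   ntlm_auth --username=<user> --domain=EXAMPLE    # prompts; should print NT_STATUS_OK
# The radiusd service account must also be allowed to read winbind's privileged
# pipe, or ntlm_auth fails even though the host is joined.
```

Running both modules side by side makes the thread's conclusion visible in the debug log: an LDAP-only site authenticates PAP users fine, while `radiusd -X` rejects PEAP/MSCHAPv2 with an ntlm_auth error until the join is done.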

MVP
Posts: 1,404
Registered: ‎10-25-2011

Re: ClearPass 802.1x authentication with AD

Completely understand; EAP-TLS has no need for joining the domain.
I did not configure ClearPass, Aruba did, and I was told it was not necessary, but everything else says otherwise (documentation, community, etc.), so I am just trying to understand.
I am going to go back and speak to the guy I am working with for this project.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
MVP
Posts: 1,404
Registered: ‎10-25-2011

Re: ClearPass 802.1x authentication with AD

Found out that because we were not using AD to authenticate the users, and were instead using LDAPS to do EAP-PEAP - MSCHAPv2, joining the domain was not necessary. BUT after further discussion, we have now joined CPPM to the domain so we can authenticate against AD... my small update.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]