Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest Error Operator Login: LDAP Bind failed: certificate verify failed

  • 1.  ClearPass Guest Error Operator Login: LDAP Bind failed: certificate verify failed

    Posted Jan 17, 2014 01:58 PM

    Hi,

     

    I am trying to implement Operator Login to ClearPass Guest via LDAP authentication.

    I configured the LDAP Server for Operator Logins, but when I test with a user it fails with the following error:

     

    "LDAP Bind failed: Can't contact LDAP server (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)), bind DN was: cn=<ldapTechUsername>,ou=<xyz>,ou=Users,ou=<xyz>,dc=<xyz>,dc=<xyz>"

     

    I have also implemented an operator login via ClearPass Policy Manager with a Service and the LDAP Server as Source. I only had to enable the trust for the CA that signed my LDAP Server and it works, but when I want to implement Operator Login on the ClearPass Guest as documented in the Design Guide it fails because of a Cert validity error.

    My LDAP Server Certificate is signed via a subordinate CA. I trust the whole tree (Root CA and Sub CA) in CPPM.

     

    I use CPPM Version 6.2.0.54353 with an eval license, my LDAP server is a Win2k8 Domain Controller.

     

    Maybe there is a need to trust the CA in ClearPass Guest?

    Any suggestions?

     

    Thanks and best regards

    Alois



  • 2.  RE: ClearPass Guest Error Operator Login: LDAP Bind failed: certificate verify failed

    EMPLOYEE
    Posted Jan 18, 2014 01:53 AM

    Can you double check your settings? Here is an example of my connection.

     

     

    [Attached screenshots: screenshot_03 Jan. 18 00.47.gif, screenshot_02 Jan. 18 00.47.gif]



  • 3.  RE: ClearPass Guest Error Operator Login: LDAP Bind failed: certificate verify failed

    Posted Jan 18, 2014 05:06 AM

    Hi, thanks for the reply.

     

    I double checked my settings. They look like yours with some minor differences.

     

    But I use secure LDAP (LDAP over SSL), so I get the error before it comes to any authentication or LDAP search.

    I got an error because ClearPass Guest is unable to verify the LDAP server certificate. I didn't find any configuration to insert my trusted certificates for ClearPass Guest. For ClearPass Policy Manager I can insert my trusted root CA certificates, but it seems CPPM and CP-Guest do not use the same trust list of certificates, because of the error in ClearPass Guest.

     

    I cannot test LDAP only (no secure LDAP) because it is not allowed in our environment. But secure LDAP with CPPM works.

    If ClearPass Guest does not support secure LDAP with my private certificate trust list, maybe there is a workaround to use the CPPM authentication service for the user role "Receptionist and Front Desk"? For now, if I configure it that way I get the auth for receptionist, but I lose the access for administration on ClearPass Guest. So I thought I have to simplify and configure the auth on the ClearPass Guest application, but that fails.

     

    Thanks and best regards

    Alois



  • 4.  RE: ClearPass Guest Error Operator Login: LDAP Bind failed: certificate verify failed

    EMPLOYEE
    Posted Jan 18, 2014 05:17 AM
    Try going into Management and Control under the Guest side. Click on View by Certificate and upload the cert there also. Make sure you add the trust chain if there is one.


  • 5.  RE: ClearPass Guest Error Operator Login: LDAP Bind failed: certificate verify failed

    Posted Jan 18, 2014 06:10 AM

    I uploaded my trusted certificates to ClearPass Guest, but I found only the upload for certificates in the menu Onboard + WorkSpace > Management and Control > View by Certificate > Upload a trusted Certificate.

    Do you have a Management and Control in the Guest menu?

     

    Certificate upload works well, and the trust chain also works well.

    But I still get the error for the Operator login: "...certificate verify failed..."

     

    Best regards

    Alois



  • 6.  RE: ClearPass Guest Error Operator Login: LDAP Bind failed: certificate verify failed

    Posted Jan 21, 2014 06:29 PM

    Found the bug in the release notes of the new 6.3 CPPM version:

     

    BugID 19033

    Corrected an issue where connecting to an LDAP server from Guest failed with an error such as ‘certificate verify failed (unable to get local issuer certificate)’. SSL connections to LDAP servers from Guest will now use the CPPM Trust List to verify the identity of the LDAP server. Note that for correct validation of the LDAP server’s identity, all certificates from the LDAP server – including the server’s certificate, any intermediate certificates and the root CA certificate – must be present in the CPPM trust list.

     

    I will contact my sales representative to get the newer version for eval.

     

    Thanks and best regards

    Alois
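
The trust-list behaviour described in the release note quoted in post 6 can be reproduced offline with OpenSSL. This is an added example, not part of the thread and not ClearPass code; the CA names, `ldap.example.test` and the helper functions are constructed for the demo. It builds a Root CA, a Sub CA and a server certificate, then verifies the server certificate against different trust lists.

```bash
#!/usr/bin/env bash
# Added example. Constructed chain: Demo Root CA -> Demo Sub CA -> LDAP server.
# All names (CAs, ldap.example.test) and helper functions are made up.
set -u

new_csr() {  # $1=dir $2=basename $3=CN : fresh RSA key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {  # $1=dir : writes root.pem, sub.pem, server.pem
  local d; d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" root "Demo Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  new_csr "$d" sub "Demo Sub CA"
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/sub.pem" 2>/dev/null
  new_csr "$d" server "ldap.example.test"
  openssl x509 -req -in "$d/server.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# Verify server.pem against a trust list built from the named certificates.
# Prints "OK" or the text of the first OpenSSL verification error.
check_trust() {  # $1=dir, remaining args = cert basenames to trust
  local d out c; d=$1; shift
  : > "$d/trust.pem"
  for c in "$@"; do cat "$d/$c.pem" >> "$d/trust.pem"; done
  out=$(openssl verify -CAfile "$d/trust.pem" "$d/server.pem" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" |
         sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
  esac
}

demo() {
  local d; d=$(mktemp -d)
  build_chain "$d"
  echo "trust list = root only  : $(check_trust "$d" root)"
  echo "trust list = sub only   : $(check_trust "$d" sub)"
  echo "trust list = root + sub : $(check_trust "$d" root sub)"
  rm -rf "$d"
}
demo
```

With only the root trusted and no intermediate available, verification fails with the same "unable to get local issuer certificate" text seen in the thread; with root and sub both in the trust list it succeeds.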