Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

  • 1.  ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

    Posted Sep 16, 2015 05:49 AM

    Hi,

    We have to set up Onboard. We are not allowed to join any domain. We have the option to query the ADs over LDAPS. Is it possible to authenticate against an AD during the Onboard pre-auth process? (We know that if we use EAP-PEAP MSCHAPv2, the authentication won't work because we are not joined to a domain.)

    We also have a question about the authentication source: what is the difference between Generic LDAP and Active Directory?

    Thank you in advance!



  • 2.  RE: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain
    Best Answer

    Posted Sep 16, 2015 09:36 AM

    You will be able to successfully authenticate to AD during the Pre-Onboard process, but once the device tries to connect using 802.1X it will fail, as you mentioned, because in order to do MSCHAP, CPPM needs to be added to the domain.

    Either LDAP or AD can obtain role mapping attributes.



  • 3.  RE: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

    Posted Sep 16, 2015 09:44 AM

    "but then once the device tries to connect using 802.1X it will fail as you mentioned because in order to do MSCHAP CPPM needs to be added to the domain." - that is not true, because EAP-TLS is supported without joining a domain.



  • 4.  RE: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

    Posted Sep 16, 2015 09:55 AM

    That was meant for PEAP/MSCHAP, not TLS. I thought that was your question.

    So if the user needs to initially connect using PEAP/MSCHAP and then be onboarded to EAP-TLS, you will have an issue.

    But if you plan to onboard devices using an open SSID, then your last comment will be valid.

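The pre-auth path the replies above describe (user types credentials, ClearPass checks them against AD over LDAPS, no domain join involved) is, on the wire, an LDAP simple bind inside a verified TLS session. The script below is an added illustration, not code from this thread or from ClearPass: it builds and parses the LDAP messages with only the Python standard library, and the host name, CA file and the sample replies it constructs are assumptions.

```python
import socket
import ssl

SUCCESS, INVALID_CREDENTIALS = 0, 49  # LDAP resultCode values from RFC 4511

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple password } }.
    AD accepts a DN or a UPN (alice@example.com) as name; the password is in clear inside TLS."""
    bind = ber(0x02, b"\x03") + ber(0x04, name.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, bind))

def bind_response(msg_id: int, code: int, diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1] in an LDAPMessage; used here to construct sample replies offline."""
    resp = ber(0x0A, bytes([code])) + ber(0x04, b"") + ber(0x04, diagnostic.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x61, resp))

def bind_result_code(message: bytes) -> int:
    """Pull the resultCode out of a BindResponse (0 = success, 49 = invalidCredentials)."""
    tag, body, _ = read_tlv(message)
    _, _, pos = read_tlv(body)             # messageID comes first
    resp_tag, resp, _ = read_tlv(body, pos)
    code_tag, code, _ = read_tlv(resp)
    if (tag, resp_tag, code_tag) != (0x30, 0x61, 0x0A):
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    return int.from_bytes(code, "big")

def ldaps_check_credentials(host: str, name: str, password: str, cafile: str, port: int = 636) -> bool:
    """Verified TLS session to a DC, one simple bind, True only on resultCode 0 (host and CA file assumed)."""
    ctx = ssl.create_default_context(cafile=cafile)   # validates the DC certificate chain and hostname
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, name, password))
            reply = tls.recv(4096)                    # one BindResponse fits in a single read
    return bind_result_code(reply) == SUCCESS
```

This only works because the web pre-auth form hands the server the actual password; with PEAP-MSCHAPv2 the server only ever sees a challenge response, which it cannot verify without the NT hash from the domain, hence the domain-join requirement for that method. EAP-TLS validates a client certificate instead and needs neither the password nor domain membership.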

  • 5.  RE: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

    Posted Sep 16, 2015 09:59 AM

    Yes, we would like to use an open SSID :)

    Could you tell me something about the differences between Generic LDAP and AD?



  • 6.  RE: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

    Posted Sep 17, 2015 07:57 AM

    http://www.differencebetween.net/technology/difference-between-ldap-and-acitve-directory/

    I am assuming that what you guys have is a Domain Controller / AD; if that's the case, you need to use AD as your authentication source.



  • 7.  RE: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

    Posted Sep 17, 2015 08:07 AM

    Hi Victor,

    You're right. I've finished the testing and got the same answer.