Occasional Contributor II
Posts: 36
Registered: ‎04-14-2015

ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

Hi,

 

We have to set up Onboard. We are not allowed to join any domain. We have the option to query the ADs with LDAPS. Is it possible to authenticate against an AD during the Onboard pre-auth process? (We know that if we use EAP-PEAP MSCHAPv2, the authentication won't work because we are not joined to a domain.)

We also have a question related to the authentication source: what is the difference between Generic LDAP and Active Directory?

 

Thank you in advance!

 

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

You will be able to successfully authenticate to AD during the pre-Onboard process, but then once the device tries to connect using 802.1X it will fail, as you mentioned, because in order to do MSCHAP, CPPM needs to be added to the domain.

 

Either LDAP or AD can obtain role-mapping attributes.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 36
Registered: ‎04-14-2015

Re: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

"but then once the device tries to connect using 802.1X it will fail as you mentioned because in order to do MSCHAP CPPM needs to be added to the domain." - it is not true, because EAP-TLS is supported without joining a domain.

 

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

That was meant for PEAP/MSCHAP, not TLS. I thought that was your question.

So if the user needs to initially connect using PEAP/MSCHAP and then be onboarded to EAP-TLS, you will have an issue.

But if you plan to onboard devices using an open SSID, then your last comment will be valid.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 36
Registered: ‎04-14-2015

Re: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

Yes, we would like to use open SSID :)

 

Could you tell me something about the differences between generic ldap and AD?

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

http://www.differencebetween.net/technology/difference-between-ldap-and-acitve-directory/

I am assuming that what you have is a Domain Controller / AD; if that's the case, you need to use AD as your authentication source.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 36
Registered: ‎04-14-2015

Re: ClearPass Onboard authenticate against AD with LDAPS-query without joining to a domain

Hi Victor,

 

You're right. I've finished the testing, and got the same answer. 
