Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass PM fails to join AD Domain

  • 1.  ClearPass PM fails to join AD Domain

    Posted May 17, 2017 10:08 AM

    I am trying to add the CPPM to the AD Domain, but always get the following error message (I blanked out my DC name):


    Adding host to AD domain...
    INFO - Fetched REALM 'xxx.xxx' from domain FQDN 'dc.xxx.xxx'
    INFO - Fetched the NETBIOS name 'xxx'
    INFO - Creating domain directories for 'xxx'
    INFO - Using Administrator as the DC's username
    Enter Administrator's password:
    Failed to join domain: failed to lookup DC info for domain
    'xxx.xxx' over rpc: NT_STATUS_CONNECTION_RESET
    INFO - Restoring smb configuration
    INFO - Restoring krb5 configuration file
    INFO - Deleting domain directories for 'xxx'
    ERROR - cp.xxx.xx failed to join the domain xxx.xxx with domain
    controller as dc.xxx.xxx
    Join domain failed

    I've already checked the common AD join errors, but none of those matched. There are no restrictions between the subnet of the CPPM and the DC. I also checked whether the CPPM is able to resolve the FQDN, and it seems to be able to.


    [appadmin@cp.xxx.xx]# network nslookup -q host dc.xxx.xxx
    unknown query type: HOST
    Server:         10.100.1.13
    Address:        10.100.1.13#53
    
    Name:   dc.xxx.xxx
    Address: 10.100.1.13

    DC is on the 10.100.1.0/24 subnet and CPPM is on the 10.100.9.0/24 subnet. No firewall restrictions exist between these 2 subnets. The DC is a Windows Server 2008 R2 and CPPM is running version 6.6.0.81015.



  • 2.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted May 17, 2017 10:10 AM
    Is SMBv1 enabled on your domain controllers?


  • 3.  RE: ClearPass PM fails to join AD Domain

    Posted May 17, 2017 10:24 AM

    Hi Tim, our system admin disabled SMBv1 to prevent the recent WannaCry malware.



  • 4.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted May 17, 2017 10:39 AM
    SMBv1 is required on your domain controllers if you’re going to be using legacy authentication methods like PEAPv0/EAP-MSCHAPv2.

    SMBv1 is NOT required on client devices and should be disabled per Microsoft’s 2009 recommendation.


  • 5.  RE: ClearPass PM fails to join AD Domain

    Posted May 17, 2017 10:44 AM

    We're not using these legacy authentication methods. So it doesn't matter that SMBv1 is disabled in this case?



  • 6.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted May 17, 2017 10:47 AM
    What network authentication methods are you using on your network?


  • 7.  RE: ClearPass PM fails to join AD Domain

    Posted May 17, 2017 10:51 AM

    For ClearPass? I only enabled EAP-TLS.



  • 8.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted May 17, 2017 10:53 AM
    Then you don't need to domain join.


  • 9.  RE: ClearPass PM fails to join AD Domain

    Posted May 17, 2017 11:14 AM

    Oh... then I just need to add the AD as an authentication source and use it? When would you need to join the AD Domain?



  • 10.  RE: ClearPass PM fails to join AD Domain
    Best Answer

    EMPLOYEE
    Posted May 17, 2017 11:49 AM
    Domain join is required for legacy MSCHAP-based authentication methods (PEAPv0/EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, etc).


  • 11.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted Jul 21, 2017 05:48 AM

    Hi Tim,

    And in cases where we need MSCHAPv2 because of the iPhones?

    Is there any way to force ClearPass to use GTC, or to remove MSCHAP from ClearPass?

    Thank you.



  • 12.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted Jul 21, 2017 06:11 AM

    Hi,

    Most client device vendors do not support the EAP-GTC protocol, for example Windows devices. I think Android supports GTC.

    If you have devices which support GTC then you don't need to join CPPM to the AD domain, but if you have Windows devices which support EAP-PEAP/MSCHAPv2 then you need to join.

    The link below provides details on why we need to join CPPM to the AD domain.

    https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/29092/1/Airheads%20Webinar_Clearpass_Domainjoin.pdf

    Regards,

    Pavan

    If my post addresses your query, give kudos :)



  • 13.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted Jul 21, 2017 06:27 AM

    Hi Pavan,

    I will try to be more explicit, and sorry for my lack of knowledge.

    This happened because the SMBv1 protocol was removed from the server to avoid the recent malware contagion. Since the ClearPass was configured to use the MS-CHAP and MS-CHAPv2 authentication methods that use the SMBv1 protocol, it could not authenticate users through Active Directory.

    The solution/workaround was to change the authentication settings in ClearPass to TLS, and on the wireless network we changed the authentication order so that TLS and TTLS take precedence over CHAP, MS-CHAP and MS-CHAPv2.

    Everything works fine on Microsoft and Android, but on iOS, since you can't choose the protocol, it always goes looking for MSCHAPv2 instead of GTC.

    Is it possible to force this, or do something in ClearPass?

    I was told that a new release will be provided to support SMBv2/v3 in the next 30 days, but for now, is there a workaround we can do?

    Thank you



  • 14.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted Jul 21, 2017 07:38 AM
    You don't need GTC if you're using EAP-TLS. Apple devices require a configuration profile to use EAP-TTLS.
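As an added example (not from this thread, and not Aruba's or Apple's own sample), here is a minimal Apple configuration profile (.mobileconfig) of the kind the answer above refers to. It pins the iOS device to EAP-TTLS (EAP type 21) with PAP as the inner method, so the device never offers PEAP/EAP-MSCHAPv2; with an inner PAP credential ClearPass can validate the password against AD over an LDAP bind, which is my assumption here rather than a statement from the thread, and which is why no domain join (and no SMB to the DC) is involved. The SSID, the ClearPass server name, the UUIDs, the identifiers and the CA certificate bytes are placeholders. Because the inner PAP password is only protected by the TTLS tunnel, the profile also anchors the RADIUS server certificate to a named CA and a trusted server name and disables trust exceptions; without that, any access point presenting any certificate could terminate the tunnel and receive the credential.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <!-- Payload 1 (placeholder): the CA that issued the ClearPass RADIUS server certificate.
         The <data> value must be the base64 DER certificate; the string below is a stand-in. -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadIdentifier</key>
      <string>com.example.profile.radius-ca</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000001</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadDisplayName</key>
      <string>RADIUS server CA (placeholder)</string>
      <key>PayloadContent</key>
      <data>PLACEHOLDER_BASE64_CA_CERT</data>
    </dict>
    <!-- Payload 2: the Wi-Fi network, restricted to EAP-TTLS with inner PAP. -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key>
      <string>com.example.profile.corp-wifi</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadDisplayName</key>
      <string>Corporate Wi-Fi (EAP-TTLS/PAP)</string>
      <key>SSID_STR</key>
      <string>CorpWiFi</string>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>AutoJoin</key>
      <true/>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- Only EAP-TTLS (21) is offered; PEAP (25) is deliberately absent,
             so the device cannot fall back to EAP-MSCHAPv2. -->
        <key>AcceptEAPTypes</key>
        <array>
          <integer>21</integer>
        </array>
        <!-- Inner method carried inside the TTLS tunnel. -->
        <key>TTLSInnerAuthentication</key>
        <string>PAP</string>
        <!-- Server certificate validation: anchor to payload 1 and require the
             certificate to be issued to the ClearPass server name. -->
        <key>PayloadCertificateAnchorUUID</key>
        <array>
          <string>00000000-0000-4000-8000-000000000001</string>
        </array>
        <key>TLSTrustedServerNames</key>
        <array>
          <string>clearpass.example.com</string>
        </array>
        <!-- Do not let the user accept an unknown server certificate. -->
        <key>TLSAllowTrustExceptions</key>
        <false/>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.profile</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000003</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Corporate Wi-Fi EAP-TTLS profile (example)</string>
</dict>
</plist>
```

Install the profile through an MDM or by opening the file on the device; without a profile, iOS chooses the method itself when it joins an 802.1X network, which is the behaviour the previous post describes. On the ClearPass side the matching service must list EAP-TTLS (with PAP as the inner method) ahead of PEAP, and the AD authentication source must be reachable for an LDAP bind.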


  • 15.  RE: ClearPass PM fails to join AD Domain

    EMPLOYEE
    Posted Jul 26, 2017 04:49 PM

    Update: SMBv2 and SMBv3 support is available via a hotfix for ClearPass 6.6.7

    http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873