Contributor II

ClearPass PM fails to join AD Domain

I am trying to add the CPPM to the AD Domain, but always get the following error message (I blanked out my DC name):

Adding host to AD domain...
INFO - Fetched REALM 'xxx.xxx' from domain FQDN 'dc.xxx.xxx'
INFO - Fetched the NETBIOS name 'xxx'
INFO - Creating domain directories for 'xxx'
INFO - Using Administrator as the DC's username
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain
'xxx.xxx' over rpc: NT_STATUS_CONNECTION_RESET
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'xxx'
ERROR - cp.xxx.xx failed to join the domain xxx.xxx with domain
controller as dc.xxx.xxx
Join domain failed

I've already checked the common AD join errors, but none of those matched. There are no restrictions between the subnet of the CPPM and DC. I also checked if the CPPM is able to resolve the FQDN address and it seems to be able to.

[appadmin@cp.xxx.xx]# network nslookup -q host dc.xxx.xxx
unknown query type: HOST
Server:         10.100.1.13
Address:        10.100.1.13#53

Name:   dc.xxx.xxx
Address: 10.100.1.13

DC is on the 10.100.1.0/24 subnet and CPPM is on the 10.100.9.0/24 subnet. No firewall restrictions exist between these 2 subnets. The DC is a Windows Server 2008 R2 and CPPM is running version 6.6.0.81015.

Guru Elite

Re: ClearPass PM fails to join AD Domain

Is SMBv1 enabled on your domain controllers?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: ClearPass PM fails to join AD Domain

Hi Tim, our system admin disabled SMBv1 to prevent the recent WannaCry malware.

Guru Elite

Re: ClearPass PM fails to join AD Domain

SMBv1 is required on your domain controllers if you’re going to be using legacy authentication methods like PEAPv0/EAP-MSCHAPv2.

SMBv1 is NOT required on client devices and should be disabled per Microsoft’s 2009 recommendation.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
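One way to confirm from the ClearPass side that the "NT_STATUS_CONNECTION_RESET" really comes from the DC refusing SMB1 is to send a bare SMB1 NEGOTIATE and see whether the DC answers SMB1, answers SMB2 only, or drops the connection. This is an added example, not code from the thread or from Aruba; the hostname is a placeholder and the packet layout follows MS-CIFS.

```python
import socket
import struct

# SMB1 protocol id, SMB2 protocol id and the SMB_COM_NEGOTIATE command code (MS-CIFS).
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72

def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """Build a minimal SMB1 NEGOTIATE request inside a NetBIOS session message."""
    header = struct.pack(
        "<4sBIBH2s8sHHHHH",
        SMB1_MAGIC,         # Protocol
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        0x18,               # Flags: canonical, case-insensitive paths
        0xC853,             # Flags2: unicode, NT status, extended security, long names
        b"\x00\x00",        # PIDHigh
        b"\x00" * 8,        # SecurityFeatures (no signing yet)
        0, 0, 0, 0, 0,      # Reserved, TID, PIDLow, UID, MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # one 0x02-prefixed dialect string each
    body = struct.pack("<BH", 0, len(data)) + data             # WordCount=0, ByteCount, dialects
    smb = header + body
    return struct.pack(">I", len(smb)) + smb                   # NetBIOS: type 0 + 3-byte length

def classify_response(data):
    """'smb1' if the DC negotiated SMB1, 'smb2' if it only speaks SMB2, 'closed' if it hung up."""
    if not data:
        return "closed"
    payload = data[4:]  # strip NetBIOS session header
    if payload.startswith(SMB1_MAGIC) and len(payload) >= 5 and payload[4] == SMB_COM_NEGOTIATE:
        return "smb1"
    if payload.startswith(SMB2_MAGIC):
        return "smb2"
    return "unknown"

def probe_smb1(host, port=445, timeout=5.0):
    """Send the NEGOTIATE to the DC; a reset (what CPPM logs as NT_STATUS_CONNECTION_RESET) maps to 'closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_response(s.recv(4096))
    except ConnectionResetError:
        return "closed"

if __name__ == "__main__":
    import sys
    print(probe_smb1(sys.argv[1] if len(sys.argv) > 1 else "dc.example.invalid"))  # placeholder DC name
```

A result of "closed" or "smb2" means the DC will not complete the RPC-over-SMB1 exchange the domain join uses; with EAP-TLS only, the thread's conclusion (skip the join, add AD as an authentication source) avoids re-enabling SMB1 at all.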
Contributor II

Re: ClearPass PM fails to join AD Domain

We're not using these legacy authentication methods. So it doesn't matter that SMBv1 is disabled in this case?

Guru Elite

Re: ClearPass PM fails to join AD Domain

What network authentication methods are you using on your network?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: ClearPass PM fails to join AD Domain

For ClearPass? I only enabled EAP-TLS.

Guru Elite

Re: ClearPass PM fails to join AD Domain

Then you don't need to domain join.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: ClearPass PM fails to join AD Domain

Oh... then I just need to add the AD as an authentication source and use it? When would you need to join the AD Domain?

Guru Elite

Re: ClearPass PM fails to join AD Domain

Domain join is required for legacy MSCHAP-based authentication methods (PEAPv0/EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, etc).

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480