New Contributor
Posts: 2
Registered: 04-25-2012

ClearPass Policy Manager connecting to Apple LDAP

Hello All,

I am in the process of deploying an Aruba ClearPass Policy Manager, and the client currently does not have an Active Directory domain; they use Apple OS X Server running Open Directory for user authentication. I have been trying to get the binding to Open Directory working using the Generic LDAP configuration for 802.1X authentication on the new Aruba wireless network I have deployed. I have configured the hostname, which is the FQDN of the primary Apple server, and set up the bind DN as the UID of the diradmin account and its password.

I have used an LDAP browser with the same settings and it connects right away from my laptop. The ClearPass server cannot. Can someone tell me what I am doing wrong?

If more information is needed I can supply it.

Aruba
Posts: 1,644
Registered: 04-13-2009

Re: ClearPass Policy Manager connecting to Apple LDAP

Did you put in the full DN of the bind user? For example, CN=diradmin,dc=appleldap,dc=com (fill in with the proper DN).

Also, you mention that you are using the FQDN of the Apple server. Is ClearPass configured with DNS servers? Have you tried using the IP address instead?

Please provide a screen shot of the primary LDAP connection details screen.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
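The two checks suggested in the reply above (is the bind identity a full DN rather than a bare account name, and can the box actually resolve the server's hostname) are easy to run before touching the appliance. The script below is an added example written for this thread, not Aruba or ClearPass code; the hostnames, IP addresses and DNs in it are constructed placeholders. It classifies the bind identity, parses the LDAP URL, and reports whether the host is an IP literal or a name that the local resolver can answer for.

```python
"""Preflight checks for a generic-LDAP authentication source.

Added example for this thread (not Aruba/ClearPass code). It checks the two
things the reply above points at: whether the bind DN is a full DN rather
than a bare account name, and whether the host is an IP literal or a name
that the machine running the check can resolve.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# One RDN looks like  attr=value ; a full DN is one or more RDNs joined by commas.
_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.-]*\s*=\s*.+$")


def classify_bind_identity(bind: str) -> str:
    """Return 'dn' for e.g. uid=diradmin,cn=users,dc=example,dc=internal,
    'bare' for a plain account name such as diradmin, 'empty' otherwise."""
    if not bind or not bind.strip():
        return "empty"
    # Split on unescaped commas only; "\," inside a value is not an RDN separator.
    parts = re.split(r"(?<!\\),", bind)
    return "dn" if all(_RDN.match(p) for p in parts) else "bare"


def parse_ldap_url(url: str) -> dict:
    """Split ldap://host[:port] or ldaps://host[:port] into scheme, host, port."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {u.scheme!r}; expected ldap or ldaps")
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return {"scheme": u.scheme, "host": u.hostname, "port": port}


def host_kind(host: str) -> str:
    """'ip' for an IPv4/IPv6 literal, 'name' for anything else."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"


def resolves(host: str) -> bool:
    """True if host is an IP literal or the local resolver can answer for it.
    Hostname resolution needs working DNS on the machine running this check."""
    if host_kind(host) == "ip":
        return True
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def preflight(url: str, bind_dn: str) -> list:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    cfg = parse_ldap_url(url)
    kind = classify_bind_identity(bind_dn)
    if kind == "bare":
        findings.append(f"bind identity {bind_dn!r} is a bare name, not a full DN")
    elif kind == "empty":
        findings.append("bind identity is empty")
    if not resolves(cfg["host"]):
        findings.append(f"host {cfg['host']!r} does not resolve from here; try the IP address")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    samples = [
        ("ldap://od.example.internal", "diradmin"),
        ("ldaps://192.0.2.10", "uid=diradmin,cn=users,dc=example,dc=internal"),
    ]
    for url, dn in samples:
        print(url, dn, "->", preflight(url, dn) or "ok")
```

Run it on the machine that will host the policy server rather than on a laptop: the thread's symptom (LDAP browser binds fine, appliance does not) is typically a resolver or DN difference between the two hosts, and that is exactly what the `resolves` check surfaces when the appliance has no usable DNS.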

New Contributor
Posts: 2
Registered: 04-25-2012

Re: ClearPass Policy Manager connecting to Apple LDAP

Ok, so I got in touch with TAC about this. I have the ClearPass server registered in DNS, which is on the same server that is running Open Directory.

The TAC engineer was able to get the bind to work using the IP address instead; not sure why I didn't try this. But it seems that they are still not communicating correctly for 802.1X authentication using EAP-MSCHAPv2, PAP, or most of the others, and it seems that Open Directory 2.4 (I believe this was the version) was never tested. They have escalated this and are finding out if they can get it to work.

Aruba
Posts: 113
Registered: 11-21-2011

Re: ClearPass Policy Manager connecting to Apple LDAP

You might also want to try using LDAP v3.  Use ldap3:// in the bind URL (or ldap3s:// if you are using SSL).

Aruba Employee
Posts: 4
Registered: 05-31-2012

Re: ClearPass Policy Manager connecting to Apple LDAP

Please make sure the password attribute is exposed from Apple LDAP to perform PEAP/MSCHAPv2. Otherwise, you might have to resort to PAP authentication. On any failure you can collect the CPPM logs and send them to the support alias for analysis.

New Contributor
Posts: 1
Registered: 03-30-2011

Re: ClearPass Policy Manager connecting to Apple LDAP

A bit late to help the OP, but the only way to do PEAP/MSCHAPv2 authentication to Open Directory is by enabling the Apple RADIUS server on the Open Directory server and authenticating against that. OD doesn't expose passwords over LDAP.

Occasional Contributor II
Posts: 10
Registered: 07-08-2012

Re: ClearPass Policy Manager connecting to Apple LDAP

Hi All,

We are trying to do 802.1X authentication where we have added Microsoft AD LDS (LDAP) as the authentication source. We have not added the CPPM to any of the Active Directories...

When we try to do a user authentication, we are getting an error: MSCHAPv2 : authentication failure

AD LDS will not expose the password attribute; however, it will validate the password with the actual AD... (proxy authentication)

Can anyone help us with this...

Regards

Mohammed Mukram

Aruba
Posts: 1,542
Registered: 06-12-2012

Re: ClearPass Policy Manager connecting to Apple LDAP

Did you join the CPPM to the domain?

Thank you
Troy Arnold
tarnold@arubanetworks.com
Sent from my iPad
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II
Posts: 10
Registered: 07-08-2012

Re: ClearPass Policy Manager connecting to Apple LDAP

Thanks Arnold for your quick response.

As I said, we are using Microsoft AD LDS (which is an LDAP server); I have not joined the CPPM to the AD.

However, the customer has added the CPPM hostname in their domain controller...

I hope I have answered your question.

Regards,

Mohammed Mukram

Aruba
Posts: 1,542
Registered: 06-12-2012

Re: ClearPass Policy Manager connecting to Apple LDAP

If you want to do MSCHAPv2 against an AD, even if it's a lightweight AD, then you must join the AD through CPPM.

** I'm not an AD expert ** :)

But I don't believe that by just adding the hostname to the domain you will be able to authenticate against it. :smileysad:

Thank You,
Troy