Security

Reply
Super Contributor II
Posts: 349
Registered: ‎02-22-2011

ClearPass - Query across forest

Hi All,

 

I am helping a customer with an implementation and we have a setup where they have a rather large forest with many domains which we want to query using CPPM for MSCHAP authentication. 

 

Assuming the root of the tree is root.domain, we have the CPPM joined to xxx.root.domain and can lookup users but not query any from yyy.root.domain. 

 

I have tried setting up the AD source to use the global catalog for the domain (not sure if this is right but i'm just trying different things) and this lets me see the users in yyy.root.domain but when i try authentication it fails. 

 

Looking at the debug logs i can see that the search of the UPN in the remote domain is correct and returns a user however it then progresses to authentication but uses the sAMAccountName attribute as the authenticator (withour a domain prefix) and this fails authentication presumably because it doesn't contain the domain name of the user. 

 

I recall in early Amigopod days there was a setting "with_ntdomain_hack" that did something to manipulate how the username was formatted. 

 

Is this still relevant in CPPM or am i off on the wrong path. 

 

What i'd like to achieve is AD authentication across the whole forest using MSCHAP without having to join the root / parent domain (we can't do this for political reasons as the root domain comes under the admin of another area who aren't flexible).

 

Our service account in the xxx.root.domain is apparently allowed to query all domains (we can browse the yyy.root.domain  using clearpass) and we are able to join the subdomain no problems. 

 

I'm feeling that the answer may simply be to join the root domain however my AD knowledge isn't what i'd like it to be...

 

Scott

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: ClearPass - Query across forest

Have you tried adding the other domains as password servers under the Server Configuration ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: ClearPass - Query across forest

Under the ClearPass "help":

 

"There is no need to join CPPM to multiple domains belonging to the same AD forest because a one-way trust relationship exists between these domains. In this case, you join CPPM to the root domain." ---  That is the anwer.

 

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor I
Posts: 25
Registered: ‎07-01-2014

Re: ClearPass - Query across forest

From what I have seen and TAC conformed, Colin is correct with a caveat.  You only need to join CPPM to the root domain, but you must create an authentication source (type of Active Directory) for each of the sub-domains.

Super Contributor II
Posts: 349
Registered: ‎02-22-2011

Re: ClearPass - Query across forest

Thanks everyone for the responses, i think i'm going to have to start using the CPPM help pages more as it seems there is a lot of good info there!

 

I'll try joining to the root domain and see how that goes.

 

Victor,

 

I have seen the option for the password servers but isn't that just to force auth against a specific server within that domain?

 

Scott

Super Contributor II
Posts: 349
Registered: ‎02-22-2011

Re: ClearPass - Query across forest

For the benefit of anybody else trying to do this. There is a very very good summary and workaround documented here:

 

https://afp.arubanetworks.com/afp/index.php/Active_Directory

 

 

This is listed as partner only content so i don't want to paste here in case that violates any rules. Any aruba people who could advise otherwise may be able to paste content?

 

Scott

Search Airheads
Showing results for 
Search instead for 
Did you mean: