07-07-2014 05:43 PM
I am helping a customer with an implementation and we have a setup where they have a rather large forest with many domains which we want to query using CPPM for MSCHAP authentication.
Assuming the root of the tree is root.domain, we have the CPPM joined to xxx.root.domain and can look up users but not query any from yyy.root.domain.
I have tried setting up the AD source to use the global catalog for the domain (not sure if this is right, but I'm just trying different things) and this lets me see the users in yyy.root.domain, but when I try authentication it fails.
Looking at the debug logs I can see that the search of the UPN in the remote domain is correct and returns a user; however, it then progresses to authentication but uses the sAMAccountName attribute as the authenticator (without a domain prefix) and this fails authentication, presumably because it doesn't contain the domain name of the user.
I recall in early Amigopod days there was a setting "with_ntdomain_hack" that did something to manipulate how the username was formatted.
Is this still relevant in CPPM, or am I off on the wrong path?
What i'd like to achieve is AD authentication across the whole forest using MSCHAP without having to join the root / parent domain (we can't do this for political reasons as the root domain comes under the admin of another area who aren't flexible).
Our service account in the xxx.root.domain is apparently allowed to query all domains (we can browse the yyy.root.domain using clearpass) and we are able to join the subdomain no problems.
I'm feeling that the answer may simply be to join the root domain; however, my AD knowledge isn't what I'd like it to be...
07-08-2014 06:11 AM
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
07-08-2014 06:18 AM
Under the ClearPass "help":
"There is no need to join CPPM to multiple domains belonging to the same AD forest because a one-way trust relationship exists between these domains. In this case, you join CPPM to the root domain." --- That is the answer.
Aruba Customer Engineering
07-08-2014 09:21 AM
From what I have seen and TAC confirmed, Colin is correct with a caveat. You only need to join CPPM to the root domain, but you must create an authentication source (type of Active Directory) for each of the sub-domains.
07-08-2014 04:42 PM
Thanks everyone for the responses. I think I'm going to have to start using the CPPM help pages more, as it seems there is a lot of good info there!
I'll try joining to the root domain and see how that goes.
I have seen the option for the password servers but isn't that just to force auth against a specific server within that domain?
07-10-2014 12:07 AM
For the benefit of anybody else trying to do this. There is a very very good summary and workaround documented here:
This is listed as partner-only content, so I don't want to paste it here in case that violates any rules. Any Aruba people who could advise otherwise may be able to paste the content?