Occasional Contributor II
Posts: 18
Registered: 04-19-2015

Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"

Hi Airheads,

I'm having issues with a ClearPass and Aruba Instant deployment for a customer. We are configuring TLS authentication in an Active Directory environment; the customer's security team has concerns and has placed ClearPass in their DMZ. The domain controllers they have provided are ReadOnly and also in the DMZ. I have set up LDAP sources which point to the RO DCs. I have double checked the certificates and they seem fine. ClearPass is not connected to the domain yet and I don't believe it is required for TLS.

I am getting an error on CPPM when a user connects: CPPM error code 201, ldap <DC IP> "search failed - referral", followed by a cannot find user error. I've never seen this before or had issues with TLS before. Wondering if anyone can help me out; Google isn't returning much. Next point of call is a support call.

I was reading another post about issues with Read Only Domain Controllers, not sure if it's related?

I'll provide more details tomorrow.

Richard
MVP
Posts: 992
Registered: 04-13-2009

Re: Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"

The default EAP-TLS authentication in CPPM performs a user lookup. CPPM needs to be joined to the domain to achieve this as far as I'm aware.
Cheers
James

@whereisjrw | blog
ACCX #540 | ACMX #353 | ACDX #216
Mobility First Expert #11

MVP
Posts: 520
Registered: 05-11-2011

Re: Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"

You only have to join CP to the domain if you're doing MSCHAP, which most commonly means EAP-PEAP. Should not be an issue with EAP-TLS, so the deployment should be fine.

So, is this a new deployment? It's not something that has worked, and then stopped? You successfully browse the AD tree through the source view?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
Occasional Contributor II
Posts: 18
Registered: 04-19-2015

Re: Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"

Hi jsolb, that's correct, we didn't need CP joined to the domain. It turned out to be a typo in the base DN, which took a long time to find! After this was fixed everything worked as expected. The functionality of the RODC seems to be the same as a normal DC, which is good; I was worried that was the cause. Before it was fixed I was able to click and search the tree in CP, which was what threw me initially because everyone said to try that to test! (It doesn't test if your base DN is wrong!!)

Lesson: if you get an LDAP referral, check the base DN!

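A pre-flight check for the lesson above, added here as an example; it is not code from the thread, from ClearPass or from the RODC. It assumes the AD domain's FQDN is known and compares the configured base DN's trailing DC= components against it, which is exactly the mismatch that makes a DC answer with a referral instead of a user entry.

```python
def domain_to_dn(fqdn: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com (the domain naming context)."""
    labels = [lab for lab in fqdn.strip().lower().split(".") if lab]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lab}" for lab in labels)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (TYPE, value) pairs. Simplified RFC 4514: no escaped
    commas or multi-valued RDNs, which is enough for a typed-in base DN."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part.strip()!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_base_dn(base_dn: str, ad_domain: str) -> list[str]:
    """Return the problems found; an empty list means the base DN is plausible
    for ad_domain. DC= components are compared case-insensitively."""
    try:
        rdns = parse_dn(base_dn)
    except ValueError as exc:
        return [str(exc)]
    # The naming context is the trailing run of DC= components.
    i = len(rdns)
    while i > 0 and rdns[i - 1][0] == "DC":
        i -= 1
    naming_ctx = [(attr, val.lower()) for attr, val in rdns[i:]]
    expected = parse_dn(domain_to_dn(ad_domain))
    problems = []
    if naming_ctx != expected:
        got = ",".join(f"{a}={v}" for a, v in naming_ctx) or "<none>"
        problems.append(
            f"naming context {got} does not match {domain_to_dn(ad_domain)}; "
            "a DC answers a search under a naming context it does not hold "
            "with a referral, so no user is ever found")
    # Everything above the naming context should be OU= or CN= containers.
    for attr, val in rdns[:i]:
        if attr == "DC":
            problems.append(f"DC={val} appears above the naming context")
        elif attr not in ("OU", "CN"):
            problems.append(f"unexpected RDN type {attr}= (typo for OU= or CN=?)")
    return problems
```

Browsing the tree in the source view does not exercise the configured base DN, so a check like this (or a test search against the exact base DN) is what catches the typo.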