Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"

  • 1.  Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"

    Posted Feb 27, 2017 02:56 AM
    Hi Airheads,

    I'm having issues with a ClearPass and Aruba Instant deployment for a customer. We are configuring TLS authentication in an Active Directory environment; the customer has security concerns and has placed ClearPass in their DMZ. The domain controllers they have provided are read-only and also in the DMZ. I have set up LDAP sources which point to the RODCs. I have double-checked the certificates and they seem fine. ClearPass is not joined to the domain yet, and I don't believe it is required for TLS.

    I am getting an error on CPPM when a user connects: CPPM error code 201, ldap <DC IP> "search failed - referral", followed by a cannot-find-user error. I've never seen this before or had issues with TLS before. Wondering if anyone can help me out; Google isn't returning much. Next port of call is a support call.

    I was reading another post about issues with Read Only Domain Controllers, not sure if it's related?

    I'll provide more details tomorrow..

    Richard


  • 2.  RE: Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"

    Posted Feb 27, 2017 05:22 AM
    The default EAP-TLS authentication in CPPM performs a user lookup. CPPM needs to be joined to the domain to achieve this as far as I'm aware.


  • 3.  RE: Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"

    Posted Mar 06, 2017 02:38 AM

    You only have to join CP to the domain if you're doing MSCHAP, which most commonly means EAP-PEAP. It should not be an issue with EAP-TLS, so the deployment should be fine.

     

    So, is this a new deployment? It's not something that has worked and then stopped? Can you successfully browse the AD tree through the source view?



  • 4.  RE: Clearpass LDAP against ReadOnly Domain Controller - user not found "search failed - referral"
    Best Answer

    Posted Mar 06, 2017 06:43 PM

    Hi jsolb, that's correct, we didn't need CP joined to the domain. It turned out to be a typo in the base DN, which took a long time to find! After this was fixed everything worked as expected. The functionality of the RODC seems to be the same as a normal DC, which is good; I was worried that was the cause. Before it was fixed I was able to click and search the tree in CP, which was what threw me initially because everyone said to try that to test! (It doesn't test whether your base DN is wrong!!)

     

    Lesson: if you get an LDAP referral, check the base DN!
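The lesson above generalises: an AD domain controller (read-only or writable) that receives a search whose base DN lies outside every naming context it holds does not answer "no such object"; it answers with a referral (LDAP result code 10), which CPPM surfaces as "search failed - referral" and then a user-not-found error. Browsing the tree in the source view does not catch this because the browser starts from the server's own naming context, not from the base DN you typed. The following is an added example, not code from the thread or from HPE Aruba Networking: it takes the naming contexts a server advertises in its RootDSE (on a real DC, an anonymous base-scope search with an empty base DN for the attributes `namingContexts` and `defaultNamingContext`) and checks that a configured base DN actually falls inside one of them. The RootDSE values and the domain corp.example.com are constructed for the example.

```python
"""
Sanity-check an LDAP base DN against the naming contexts a directory
server advertises in its RootDSE.

Stand-alone example. SAMPLE_ROOTDSE is a constructed sample of what a
base-scope RootDSE search returns on an AD DC for a fictional domain;
it is not data captured from any real server.
"""

# Constructed sample: the partitions an AD DC for corp.example.com
# would list. Real DCs also advertise the Configuration, Schema and
# DNS application partitions, as shown here.
SAMPLE_ROOTDSE = {
    "defaultNamingContext": ["DC=corp,DC=example,DC=com"],
    "namingContexts": [
        "DC=corp,DC=example,DC=com",
        "CN=Configuration,DC=corp,DC=example,DC=com",
        "CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com",
        "DC=DomainDnsZones,DC=corp,DC=example,DC=com",
        "DC=ForestDnsZones,DC=corp,DC=example,DC=com",
    ],
}


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash escapes (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep escaped char with its backslash
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def normalize_dn(dn):
    """
    Canonical form for comparison: strip whitespace around each RDN and
    lower-case both attribute type and value (AD matches DN components
    case-insensitively). Returns a tuple of (type, value) pairs, leaf first.
    Raises ValueError on an RDN without '=' (e.g. from a trailing comma).
    """
    parts = []
    for rdn in split_dn(dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)


def is_under(base_dn, context_dn):
    """True if base_dn equals context_dn or is a descendant of it."""
    b, c = normalize_dn(base_dn), normalize_dn(context_dn)
    return len(b) >= len(c) and b[len(b) - len(c):] == c


def check_base_dn(base_dn, rootdse):
    """
    Return (ok, message). ok is False when this server holds no naming
    context containing base_dn, which is the case that yields a referral
    instead of search results.
    """
    try:
        normalize_dn(base_dn)
    except ValueError as exc:
        return False, "malformed base DN: %s" % exc
    for ctx in rootdse.get("namingContexts", []):
        if is_under(base_dn, ctx):
            return True, "base DN is within naming context %s" % ctx
    default = rootdse.get("defaultNamingContext", ["<none>"])[0]
    return False, ("base DN is outside every naming context on this DC; "
                   "a search will be answered with a referral. "
                   "defaultNamingContext is %s" % default)


if __name__ == "__main__":
    for candidate in (
        "OU=Users,DC=corp,DC=example,DC=com",     # correct
        "ou=users, dc=CORP, dc=example, dc=com",  # same DN, different spelling
        "OU=Users,DC=crop,DC=example,DC=com",     # one-letter typo in a DC
        "OU=Users,DC=example,DC=com",             # missing DC component
        "OU=Users,DC=corp,DC=example,DC=com,",    # trailing comma
    ):
        ok, msg = check_base_dn(candidate, SAMPLE_ROOTDSE)
        print("%-42s %s  %s" % (candidate, "OK  " if ok else "FAIL", msg))
```

Run it once with the base DN you intend to paste into the CPPM authentication source, after replacing the sample values with the `namingContexts` your own DC returns; a FAIL here predicts the referral before a single client ever tries to authenticate.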