Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass LDAPS to self signed AD

  • 1.  Clearpass LDAPS to self signed AD

    Posted Aug 20, 2014 05:28 PM

    I'm having trouble authenticating against an AD server that has a self-signed CA. I was able to import the cert, but I still fail. I see an "unknown CA" error during the TLS negotiation between the ClearPass and AD server.

    Is this a non-starter with ClearPass? And...before everyone flags the security (or lack thereof) of using a self-signed cert....we're testing prior to going into production with a true cert.



  • 2.  RE: Clearpass LDAPS to self signed AD

    Posted Aug 20, 2014 05:32 PM
    You have to export the cert and install it on your laptop since the laptop doesn't have the root CA.


  • 3.  RE: Clearpass LDAPS to self signed AD

    EMPLOYEE
    Posted Aug 20, 2014 05:36 PM
    You also need the AD root cert in ClearPass's trust list.


  • 4.  RE: Clearpass LDAPS to self signed AD

    EMPLOYEE
    Posted Aug 20, 2014 06:00 PM

    This is solely between ClearPass and AD. You don't need to do anything to clients.

    Since it is a self-signed certificate, upload the AD certificate here:

    [attached image: ceritifcate-trust-list.PNG]


    If it's signed by an internal MS ADCS certificate authority, upload the private root CA.



  • 5.  RE: Clearpass LDAPS to self signed AD

    Posted Aug 21, 2014 08:58 AM

    Thanks Tim.

    I have limited access to the server, so I uploaded the cert they said the LDAP server is using to the trust list...it's enabled and trusted.

    I still throw an unknown CA error in a Wireshark trace, so that means I was given the wrong cert...or I have a mismatch between cert and DNS name.
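The two explanations weighed in that last post (wrong cert in the trust list versus a name mismatch) produce different TLS failures, and the difference can be reproduced offline. The following Go program is an added example, not ClearPass or Aruba code: it builds a constructed self-signed certificate standing in for the domain controller's LDAPS certificate, then verifies it against an explicit trust list the way an appliance would; the host names and the helper names makeSelfSigned and classify are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed self-signed cert for dnsName (a stand-in for the DC's LDAPS cert).
func makeSelfSigned(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName}, // the SAN an LDAPS client matches against the host it dialed
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify verifies server against a trust list for host and names the outcome the way the thread does.
func classify(server *x509.Certificate, trusted []*x509.Certificate, host string) string {
	roots := x509.NewCertPool() // start empty, like an appliance trust list; never the OS roots
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown CA" // trust list holds neither the issuer nor the cert itself
	case errors.As(err, &badName):
		return "name mismatch" // cert is trusted, but its SAN does not cover host
	}
	return "other: " + err.Error()
}
```

Against the real server the same distinction comes from the certificate returned by `openssl s_client -connect <dc>:636 -showcerts`: compare its fingerprint with the entry in the trust list, and its subjectAltName with the host name ClearPass is configured to dial.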