Occasional Contributor II
Posts: 17
Registered: ‎02-12-2016

Clearpass multiple AD authentication sources EAP-PEAP

Hi,

Can someone confirm whether it is possible to have 2 AD authentication sources, to 2 different ADs, with only one AD join in place? (It needs to have a secure connection to both auth sources.)

Bearing in mind we're using EAP-TLS within EAP-PEAP.

Hope that makes sense.

Thanks


Guru Elite
Posts: 20,586
Registered: ‎03-29-2007

Re: Clearpass multiple AD authentication sources EAP-PEAP

It is not clear:

You are trying to join two AD sources but you are using EAP-TLS, which is certificate based. Please explain...

If you are trying to use two AD sources from two different AD domains, you need to join both domains.... Again, you are mentioning EAP-TLS...where does that come in?

What are you trying to do?


Colin Joseph
Aruba Customer Engineering

Guru Elite
Posts: 8,203
Registered: ‎09-08-2010

Re: Clearpass multiple AD authentication sources EAP-PEAP

Are the domains in the same forest?
Is there a trust between the domains?

Keep in mind that the AD "Authentication Source" is only used for authorization properties with PEAPv0/EAP-MSCHAPv2. The password check is done directly to DCs based on DNS queries or statically configured password servers.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 17
Registered: ‎02-12-2016

Re: Clearpass multiple AD authentication sources EAP-PEAP

Let's try again:

So we currently have ClearPass joined to AD1; for client authentication we are using EAP-PEAP as our outer method and EAP-TLS for the inner, and authorizing to AD1. This works fine.

We need to introduce AD2, so we can authenticate separately managed devices and users. The issue is we don't want to add ClearPass to this domain. Can this be achieved?

A 1-way trust is in place between the ADs.

Guru Elite
Posts: 8,203
Registered: ‎09-08-2010

Re: Clearpass multiple AD authentication sources EAP-PEAP

If there is a trust, yes, you can authenticate users from the other domain.

One thing to keep in mind is you'll want users to be authenticating with their UPN. Otherwise you'll run into issues if a user has the same username in both domains.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
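The username-collision point in the reply above, as an added example (Python; this is not ClearPass code and not code from anyone in this thread). It models a RADIUS/NAC server that serves two AD domains and routes an EAP identity to one domain account: a UPN (user@domain) or down-level name (DOMAIN\user) routes unambiguously, while a bare username that exists in both domains either gets refused (strict mode) or, in the usual "assume the joined domain" behaviour, is silently checked against the wrong account. DIRECTORIES, DEFAULT_DOMAIN, the user names and the function names are all constructed assumptions for the example.

```python
import re

# Constructed sample data (assumed, not a real deployment): two domains that
# both contain a user named "jsmith".
DIRECTORIES = {
    "ad1.example.com": {"netbios": "AD1", "users": {"jsmith", "asmith"}},
    "ad2.example.com": {"netbios": "AD2", "users": {"jsmith", "bjones"}},
}
DEFAULT_DOMAIN = "ad1.example.com"  # the domain the RADIUS server is joined to


class IdentityError(ValueError):
    """Raised when an identity cannot be routed to exactly one domain account."""


def parse_identity(identity):
    """Split a User-Name / EAP identity into (user, domain_hint, form).

    Accepted forms: UPN 'user@domain', down-level 'DOMAIN\\user', or a bare
    'user'. The hint is the lower-cased DNS suffix for UPNs, the upper-cased
    NetBIOS name for down-level names, and None for bare names.
    """
    identity = identity.strip()
    if "@" in identity:
        user, _, suffix = identity.rpartition("@")
        if not user or not suffix:
            raise IdentityError("malformed UPN: %r" % identity)
        return user, suffix.lower(), "upn"
    if "\\" in identity:
        netbios, _, user = identity.partition("\\")
        if not netbios or not user or "\\" in user:
            raise IdentityError("malformed down-level name: %r" % identity)
        return user, netbios.upper(), "downlevel"
    if not re.fullmatch(r"[^@\\/\s]+", identity):
        raise IdentityError("malformed identity: %r" % identity)
    return identity, None, "bare"


def resolve(identity, directories=DIRECTORIES, default_domain=DEFAULT_DOMAIN, strict=True):
    """Map an identity to (domain, user).

    UPN and down-level names route on their domain hint. For bare names,
    strict=True refuses any username that exists in more than one domain;
    strict=False mimics the usual 'assume the joined/default domain'
    behaviour, which is where the wrong-account problem comes from.
    """
    user, hint, form = parse_identity(identity)
    if form == "upn":
        if hint not in directories:
            raise IdentityError("unknown UPN suffix %r" % hint)
        domain = hint
    elif form == "downlevel":
        matches = [d for d, info in directories.items() if info["netbios"] == hint]
        if not matches:
            raise IdentityError("unknown NetBIOS domain %r" % hint)
        domain = matches[0]
    elif strict:
        matches = [d for d, info in directories.items() if user in info["users"]]
        if len(matches) > 1:
            raise IdentityError("bare username %r exists in %s; a UPN is required"
                                % (user, ", ".join(sorted(matches))))
        if not matches:
            raise IdentityError("unknown user %r" % user)
        domain = matches[0]
    else:
        domain = default_domain
    if user not in directories[domain]["users"]:
        raise IdentityError("user %r not found in %s" % (user, domain))
    return domain, user


def colliding_usernames(directories=DIRECTORIES):
    """Return usernames present in more than one domain, i.e. the accounts
    that must log in with a UPN or down-level name to be routed correctly."""
    seen, dupes = {}, set()
    for domain, info in directories.items():
        for user in info["users"]:
            if user in seen:
                dupes.add(user)
            seen[user] = domain
    return dupes


if __name__ == "__main__":
    for ident in ("jsmith@ad2.example.com", "AD2\\jsmith", "bjones", "jsmith"):
        try:
            print(ident, "->", resolve(ident))
        except IdentityError as exc:
            print(ident, "-> REJECTED:", exc)
    # Legacy behaviour: a bare "jsmith" from AD2 is silently checked against AD1.
    print("jsmith (non-strict) ->", resolve("jsmith", strict=False))
    print("colliding usernames:", colliding_usernames())
```

Running `colliding_usernames()` against an export of both directories is the practical check before enabling the second domain: every name it returns is an account whose users must present a UPN, since a bare username would otherwise be matched against the default domain's account of the same name.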
Occasional Contributor II
Posts: 17
Registered: ‎02-12-2016

Re: Clearpass multiple AD authentication sources EAP-PEAP

Thanks!

Does it matter which way the trust needs to go?


Guru Elite
Posts: 8,203
Registered: ‎09-08-2010

Re: Clearpass multiple AD authentication sources EAP-PEAP

It varies greatly with the domain/forest structure. Please take a look here:

https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP