Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass round robin to AD servers

  • 1.  Clearpass round robin to AD servers

    Posted Oct 18, 2013 02:20 PM

    Is there a way to have ClearPass make LDAP queries to a group of Active Directory servers instead of a single server, inside of ClearPass? I could buy a load balancer or have different AP groups routed to different LDAP sources, but is there a better way to keep a large load from killing a single LDAP server?


  • 2.  RE: Clearpass round robin to AD servers

    EMPLOYEE
    Posted Oct 18, 2013 02:53 PM

    Instead of an IP address or an FQDN, you could just put the domain in the Hostname parameter.

    Authentication is handled by Samba/winbind and DNS. So if you have AD Sites and Services configured, DNS will return the AD servers that are in charge of those subnets. Otherwise it will send to any of the AD servers that DNS returns.

    ClearPass does not do an LDAP lookup every time. It caches the LDAP result for each user for 5 minutes by default. This setting is controlled by the Cluster Wide Setting "Policy result cache timeout".

    source.PNG
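
The reply above says DC selection is left to DNS: site-scoped SRV records first, the domain-wide set otherwise. The following is an added example (not ClearPass or Samba code) that walks through that lookup the way an RFC 2782 client does, so you can see what "DNS returns the AD servers for those subnets" actually yields. The forest name `example.corp`, the site `campus`, the hosts `dc1`..`dc4` and every record below are constructed for the example; a real client gets them from the resolver.

```python
"""Locate domain controllers via DNS SRV records, RFC 2782 style.

Added example, not ClearPass or Samba code.  The zone data is constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed records for an invented forest 'example.corp' with one AD site
# ('campus').  Real clients get these from DNS; here they are inline so the
# example runs offline.
CONSTRUCTED_ZONE = {
    # site-specific record set: only the DCs serving this site's subnets
    "_ldap._tcp.campus._sites.dc._msdcs.example.corp": [
        SrvRecord(0, 100, 389, "dc1.example.corp"),
        SrvRecord(0, 100, 389, "dc2.example.corp"),
    ],
    # domain-wide fallback: every DC; dc4 advertised at a lower priority
    "_ldap._tcp.dc._msdcs.example.corp": [
        SrvRecord(0, 100, 389, "dc1.example.corp"),
        SrvRecord(0, 100, 389, "dc2.example.corp"),
        SrvRecord(0, 100, 389, "dc3.example.corp"),
        SrvRecord(10, 100, 389, "dc4.example.corp"),
    ],
}


def order_srv(records, rng):
    """RFC 2782: lowest priority first; within a priority, weighted random."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # zero-weight records go to the front of the selection list (RFC 2782)
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def srv_names(domain, site=None):
    """Query names in the order a client tries them: site-scoped, then domain-wide."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def locate_dcs(zone, domain, site=None, rng=None):
    """Return 'host:port' candidates in try order, or [] if DNS has nothing."""
    rng = rng or random.Random()
    for name in srv_names(domain, site):
        records = zone.get(name)
        if records:
            return [f"{r.target}:{r.port}" for r in order_srv(records, rng)]
    return []


def join_distribution(zone, domain, joins, site=None, seed=0):
    """How many of `joins` independent domain joins land on each DC.

    Each join keeps the first candidate DNS hands it.  Spreading therefore
    happens only at join time; nothing here rotates per authentication.
    """
    rng = random.Random(seed)
    counts = {}
    for _ in range(joins):
        first = locate_dcs(zone, domain, site, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts
```

Note that equal priorities and weights give a uniform draw per lookup, not round robin: a client that asks once and keeps the answer is balanced only across many independent clients (or joins), which is the behaviour later posts in this thread report.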



  • 3.  RE: Clearpass round robin to AD servers

    Posted Oct 18, 2013 02:55 PM

    I did put in just the domain only, but it appeared to only hit the first server on the list.  How long does it take to switch between the servers?



  • 4.  RE: Clearpass round robin to AD servers

    EMPLOYEE
    Posted Oct 18, 2013 03:00 PM

    How can you tell which server it is using?

    What "list"?  Do you have multiple servers in the Authentication Source?  You only need one.



  • 5.  RE: Clearpass round robin to AD servers

    Posted Oct 18, 2013 03:02 PM

    We only have the one listed, but from the AD logs it appeared to only hit 1. Should a single client hit a different server every time he auths, or should they hit a different server each time?


  • 6.  RE: Clearpass round robin to AD servers

    EMPLOYEE
    Posted Oct 18, 2013 03:22 PM

    It probably uses the same server for the same user. Please see the thread here:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Many-authentication-sources/td-p/80128



  • 7.  RE: Clearpass round robin to AD servers
    Best Answer

    Posted Oct 19, 2013 02:00 PM

    We just worked with a ClearPass engineer on a P1 case, and it was determined that when you join to the domain, it will send ALL MSCHAP authentications to the DC you used when joining to the domain. It does NOT round robin. Only when that DC becomes unresponsive will ClearPass query DNS, find another DC, and then stay sticky with that one until IT becomes unresponsive.

    Clearly, this is an inconvenience. The passwd CLI option is to make the fail-through deterministic rather than relying on the "randomness" of querying the domain for DCs.

    I'm doing a change tonight to unjoin/join to DCs in an effort to balance load from all subscribers to all DCs.

    FYI, as it took quite a bit of effort to lead us to this conclusion.


  • 8.  RE: Clearpass round robin to AD servers

    Posted Oct 21, 2013 12:50 PM

    Thanks Ryan. Yeah, that is a bummer. I will either create a few different auth groups based on location or MAC address (1-5, 6-a, b-f) and have each go to a different server. It would be nice if they did a more distributed load. I just placed all my campus on ClearPass and I see only 1 AD server getting hammered.



  • 9.  RE: Clearpass round robin to AD servers
    Best Answer

    EMPLOYEE
    Posted Oct 21, 2013 01:09 PM

    @mattjhughes wrote:

    Thanks Ryan. Yeah, that is a bummer. I will either create a few different auth groups based on location or MAC address (1-5, 6-a, b-f) and have each go to a different server. It would be nice if they did a more distributed load. I just placed all my campus on ClearPass and I see only 1 AD server getting hammered.


    Mattjhughes,

     

    If you wanted to do that, you would instead set up a number of specific RADIUS servers in your environment and set them up as Proxy Targets:

    targets.png

    You would then create a RADIUS Proxy Service and set your scheme to load balance:

    proxy.png

    You would have to set up a RADIUS server service (IAS, NPS) on whichever of your internal servers you want authentication proxied to.

    You can use role mapping based on incoming attributes or attributes received from your RADIUS server and in turn send back an enforcement policy.

    So tl;dr, point to the ClearPass server with the RADIUS Proxy service configured and it will load balance it to your RADIUS servers.



  • 10.  RE: Clearpass round robin to AD servers

    Posted Oct 21, 2013 04:53 PM

    I see what you are saying with the proxy server, but to me the idea of having to create other RADIUS servers seems crazy since that is what we bought ClearPass for. Additional configuration for passing LDAP attributes, added points of failure. I just would think this would be an obvious feature, to be able to have a list of servers and have it rotate. As a stop gap we have a load balancer in the middle and are testing with that, but kind of disappointing.



  • 11.  RE: Clearpass round robin to AD servers

    Posted Oct 21, 2013 05:13 PM
    +1. Well said.


  • 12.  RE: Clearpass round robin to AD servers

    EMPLOYEE
    Posted Oct 21, 2013 06:00 PM

    @mattjhughes wrote:

    I see what you are saying with the proxy server, but to me the idea of having to create other RADIUS servers seems crazy since that is what we bought ClearPass for. Additional configuration for passing LDAP attributes, added points of failure. I just would think this would be an obvious feature, to be able to have a list of servers and have it rotate. As a stop gap we have a load balancer in the middle and are testing with that, but kind of disappointing.


    mattjhughes,

     

    If you want to use a load balancer, you will still need to create the individual RADIUS instances behind it, but it at least will provide you the type of load balancing that you require. I am not sure this is a way around that.

     



  • 13.  RE: Clearpass round robin to AD servers

    Posted Oct 22, 2013 01:06 PM

    The TCP load balancer is in between ClearPass and the AD servers, rotating which AD server gets the LDAP request from ClearPass. That is the current dev configuration I am running. I have no desire to run more FreeRADIUS servers and have no XP on Microsoft NPS. The RADIUS server I want to run is ClearPass. But I could see that may be a viable option for people who have NPS already running, I suppose.



  • 14.  RE: Clearpass round robin to AD servers

    EMPLOYEE
    Posted Oct 22, 2013 01:18 PM

    @mattjhughes wrote:

    The TCP load balancer is in between ClearPass and the AD servers, rotating which AD server gets the LDAP request from ClearPass. That is the current dev configuration I am running. I have no desire to run more FreeRADIUS servers and have no XP on Microsoft NPS. The RADIUS server I want to run is ClearPass. But I could see that may be a viable option for people who have NPS already running, I suppose.


    Ok,

    So you want to load balance the LDAP connections? From ClearPass, the MSCHAP connections (username and password authentications) occur over Samba/winbind and not over LDAP. The LDAP connections that do occur happen over the LDAP ports to obtain user attributes or to see if a user exists, but once a lookup for a user occurs, it is cached for a certain amount of time and is not done again within that period. In other words, multiple authentications can occur over Samba/winbind, but only a single LDAP lookup occurs for attributes.



  • 15.  RE: Clearpass round robin to AD servers

    Posted Oct 22, 2013 01:19 PM

    FYI - If you're doing PEAP/MSCHAP, it won't use the LDAP calls from 'Authentication source' but rather the domain (specifically the domain controller) you joined under 'server configuration'.

    - Ryan -
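
The two replies above separate the credential check (MSCHAP over winbind, pinned to the joined DC) from the attribute lookup (LDAP against the Authentication Source, cached per user). The following added example, which is a model and not ClearPass code, puts numbers on that split: it runs a constructed batch of authentications through both paths with a round-robin LDAP load balancer in front of three DCs, the layout the original poster describes. The hostnames, user names, attribute values and the `PolicyResultCache` class are all constructed; only the 300-second default TTL comes from the thread.

```python
"""Where AD authentication load actually lands in the setup this thread describes.

Added example (not ClearPass code).  Two paths are modelled: MSCHAP validation
over winbind, which always goes to the DC the box joined, and LDAP attribute
lookups, which are cached per user and here go through a round-robin load
balancer.  Host and user names are constructed.
"""
from collections import Counter
from itertools import cycle


class PolicyResultCache:
    """Per-user cache with a TTL, standing in for 'Policy result cache timeout'."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._entries = {}  # user -> (expires_at, attributes)

    def get(self, user, now):
        hit = self._entries.get(user)
        if hit and hit[0] > now:
            return hit[1]
        return None  # missing or expired

    def put(self, user, attributes, now):
        self._entries[user] = (now + self.ttl, attributes)


class AuthSimulator:
    def __init__(self, joined_dc, ldap_servers, ttl_seconds=300):
        self.joined_dc = joined_dc
        self.ldap_pool = cycle(ldap_servers)  # the TCP load balancer's rotation
        self.cache = PolicyResultCache(ttl_seconds)
        self.mschap_hits = Counter()  # credential validations per DC
        self.ldap_hits = Counter()    # attribute lookups per DC

    def authenticate(self, user, now):
        # 1. credential check: winbind talks to the joined DC on every request
        self.mschap_hits[self.joined_dc] += 1
        # 2. attribute lookup: LDAP via the load balancer, only on a cache miss
        attrs = self.cache.get(user, now)
        if attrs is None:
            server = next(self.ldap_pool)
            self.ldap_hits[server] += 1
            attrs = {"memberOf": ["staff"], "fetched_from": server}  # constructed
            self.cache.put(user, attrs, now)
        return attrs


def run_scenario(users=50, auths_per_user=5, interval=60, ttl=300):
    """Each user re-authenticates every `interval` seconds; returns both counters.

    With the defaults every user is seen five times inside one TTL window, so
    the LDAP side sees one lookup per user while the joined DC sees every auth.
    """
    sim = AuthSimulator(
        "dc1.example.corp",
        ["dc1.example.corp", "dc2.example.corp", "dc3.example.corp"],
        ttl,
    )
    for i in range(auths_per_user):
        now = i * interval
        for u in range(users):
            sim.authenticate(f"user{u:03d}", now)
    return sim.mschap_hits, sim.ldap_hits


if __name__ == "__main__":
    mschap, ldap = run_scenario()
    print("MSCHAP validations:", dict(mschap))
    print("LDAP lookups:", dict(ldap))
```

The load balancer spreads the 50 LDAP lookups evenly, but all 250 credential validations still land on `dc1`, which is why the AD logs in the thread show a single DC "getting hammered" even with the balancer in place. Moving the LDAP Authentication Source behind a load balancer changes the smaller of the two numbers.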


  • 16.  RE: Clearpass round robin to AD servers

    Posted Oct 23, 2013 02:19 PM

    That explains a lot. I feel like I have learned a lot, but most of what I learned is that I don't have a great solution :( Looks like I will need to read up on Microsoft NPS for the auths at least. Thanks both for all the help.