Clearpass - two AD domains in the same service

Hello!

First time for everything, right? I have an SSID that needs to authenticate against two different ADs.

I have CPPM joined to both AD domains, and have one service with both of these as Auth Sources.

The issue I face is that the same username exists in both ADs, and it seems that the auth source ignores the domain I add to the username:

domain1\username1

domain2\username1

If I try domain2\user1, it results in a failed auth from domain1 and denies the user login.

I find this in the access tracker (names modified):

rlm_ldap: searching for user domain2\username1 in AD:domain1
rlm_ldap: found user domain2\username1 in AD:domain1
....
rlm_eap_mschapv2: Received MSCHAPv2 Response from client
rlm_mschap: authenticating user username1, domain domain2
rlm_mschap: user username1 authentication failed
rlm_mschap: AD status:Logon failure (0xc000006d)
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Why would it even look for the user in domain1 when I explicitly prefix the username with domain2? Does this imply some sort of trust between the domains?

Is there a fail-through mechanism or any other mechanism I should look at to get around this?

I don't really see another way to solve this, so I need some assistance from you guys.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!

Re: Clearpass - two AD domains in the same service

How do you have it configured, as a backup AD server or as a new authentication source?

Please read this:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/What-is-the-best-way-to-authenticate-users-via-multiple-domains/ta-p/181644

A couple of things:

- You could decrease the Server Timeout to a lower value (you may want to verify this with TAC).

- Another thing you might need to do: if there's no trust between the two entities, you might want to add the second domain server as a Password server.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Clearpass - two AD domains in the same service

Thanks Victor. I'll check out that page.

While waiting, I ended up just creating a second service and added a test for the name of the domain in the radius:ietf:user-name. It gets the job done, so I'm happy for now.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
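As an added example (not code from the thread or from ClearPass itself), here is the routing rule from the follow-up reply together with a check over the access-tracker lines from the question: the User-Name is split into realm and user, the realm selects the auth source, and LDAP lookups that hit a source other than the one the realm maps to are flagged. The realm-to-source mapping and the `example.local` suffixes are assumed names.

```python
import re

# Constructed mapping (hypothetical names, not from the thread): realm as it may
# appear in the User-Name (NetBIOS prefix or UPN suffix) -> ClearPass auth source.
REALM_TO_AUTH_SOURCE = {
    "domain1": "AD:domain1", "domain1.example.local": "AD:domain1",
    "domain2": "AD:domain2", "domain2.example.local": "AD:domain2",
}

def split_user_name(user_name):
    """Return (realm, user) for DOMAIN\\user, user@realm or a bare user (realm None)."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return realm.lower(), user
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return realm.lower(), user
    return None, user_name

def select_auth_source(user_name, default="AD:domain1"):
    """Service-classification rule: route on the realm carried in the User-Name.
    A bare or unknown realm falls to the default, the ambiguous case in the thread."""
    realm, _ = split_user_name(user_name)
    return REALM_TO_AUTH_SOURCE.get(realm, default) if realm else default

LDAP_LOOKUP = re.compile(r"rlm_ldap: (?:searching for|found) user (\S+) in (\S+)")

def find_cross_domain_lookups(log_lines):
    """Flag access-tracker lines where the realm in the User-Name maps to a
    different auth source than the one the LDAP lookup actually hit."""
    findings = []
    for line in log_lines:
        m = LDAP_LOOKUP.search(line)
        if not m:
            continue
        user_name, source = m.groups()
        realm, _ = split_user_name(user_name)
        expected = REALM_TO_AUTH_SOURCE.get(realm) if realm else None
        if expected and expected != source:
            findings.append((user_name, source, expected))
    return findings

# Constructed sample, modelled on the access-tracker excerpt in the question.
SAMPLE_LOG = [
    r"rlm_ldap: searching for user domain2\username1 in AD:domain1",
    r"rlm_ldap: found user domain2\username1 in AD:domain1",
    "rlm_mschap: authenticating user username1, domain domain2",
    "rlm_mschap: AD status:Logon failure (0xc000006d)",
]
```

Running `find_cross_domain_lookups(SAMPLE_LOG)` reports both rlm_ldap lines, since a domain2-prefixed name was looked up in AD:domain1.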