Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Join Clearpass to specific OU

  • 1.  Join Clearpass to specific OU

    Posted Aug 06, 2014 02:30 AM

    Hi All,

     

    Any secret back door method allowing me to join CPPM to a specific OU in a domain?

     

    I have a client who has some strict security permissions and we need to specify the OU in order to be allowed to join CPPM to domain.

     

    Scott



  • 2.  RE: Join Clearpass to specific OU

    EMPLOYEE
    Posted Aug 06, 2014 04:50 AM

    Scott,

     

    No secret back door ;-)

     

    Domain joins typically have two parts: the join to do EAP-MSCHAPv2 (not required for TLS), and the LDAP connection to fetch user information (like group membership).

     

    For the domain join, I found two methods that seem to work:

    1) Join the domain in the normal way, then move the created computer account to the OU or folder that you want.

    2) Manually create a computer account with the hostname of the ClearPass server in the desired OU, and then join. If the names between your ClearPass server and the created Computer object in AD match, that object will be used. I have seen situations where local administrators were able to create the computer account in their OU, and then ClearPass could be joined by that administrator.

     

    For the LDAP connection, you can have an account created with read rights on the objects and attributes that you need in your authentication; in many cases that will be the user folders/objects and group folders/objects. Use that account in your authentication source. The AD administrators should know how to create such an account.

     

    Herman
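    The two computer-account methods above, as an added PowerShell example that is not part of this thread: it pre-creates the computer object in the restricted OU if it does not exist yet (method 2), or moves an already-joined account into that OU (method 1), then prints where the object ended up. The hostname "clearpass01", the OU distinguished name, and the helper function name are assumptions constructed for the example; the operator is assumed to hold only "Create Computer objects" rights on that OU.

```powershell
# Added example, not from the thread. Assumed values: hostname 'clearpass01' and
# target OU 'OU=NAC Appliances,OU=Servers,DC=corp,DC=example' (both constructed).
Import-Module ActiveDirectory

$HostName = 'clearpass01'
$TargetOU = 'OU=NAC Appliances,OU=Servers,DC=corp,DC=example'

# Helper (hypothetical name): returns the computer object or $null if absent.
function Get-ClearPassComputer {
    param([string]$Name)
    Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
}

$existing = Get-ClearPassComputer -Name $HostName

if (-not $existing) {
    # Method 2: create the account in the desired OU before running the join.
    # The Name must equal the ClearPass hostname so the join reuses this object
    # instead of creating a new one in the default Computers container.
    New-ADComputer -Name $HostName -Path $TargetOU
    Write-Host "Pre-created $HostName in $TargetOU; run the join on ClearPass now."
}
elseif ($existing.DistinguishedName -notlike "*,$TargetOU") {
    # Method 1: the join already landed in the default container; relocate it.
    Move-ADObject -Identity $existing.DistinguishedName -TargetPath $TargetOU
    Write-Host "Moved $HostName into $TargetOU"
}
else {
    Write-Host "$HostName is already in $TargetOU"
}

# Verify the final location of the computer account.
(Get-ClearPassComputer -Name $HostName).DistinguishedName
```

    The check on DistinguishedName is what a reviewer would want after either method: it confirms the account sits under the OU the client's policy allows, not merely that the join succeeded. The LDAP lookup account from the post is a separate ordinary user account; in a default AD, Authenticated Users can already read the standard user and group attributes, so it usually needs no delegation beyond that unless the directory has been hardened.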



  • 3.  RE: Join Clearpass to specific OU
    Best Answer

    EMPLOYEE
    Posted Aug 07, 2014 01:19 AM

    You cannot in the GUI, but you can in the CLI. I will open a ticket and get it added to the GUI. :)

     

    We can do this by using CLI command ad netjoin.

     

    [appadmin@etips150]# ad netjoin

    ERROR - Insufficient arguments to proceed

    Usage:
        netjoin <domain-controller.domain-name> [domain NETBIOS name] [domain REALM name] [ou=<object container>]
    Where,
        domain NETBIOS name   -- NETBIOS name of the domain.  You can specifiy this arugment if the derived
                                 NETBIOS name is different from the actual. This is an optional argument.
        domain REALM name     -- Domain REALM name.  You can specify this argument
                                 if the derived REALM is different from the actual. This is an optional
                                 argument.
        ou=<object container> -- Specify the Object Container if the computer account has to be created in a different OU.
                                 For example 'ou=Domain Computer' OR 'ou=Domain Computer+Linux Hosts'.  Note the usage
                                 of separator '+' to specify the OU hierarchy.



  • 4.  RE: Join Clearpass to specific OU

    Posted Aug 13, 2014 11:11 PM

    Thanks Troy! That's exactly what I was hoping for.