Contributor I

LDAP/AD Server Unreachable from CPPM support fail open?

Hi Aruba expert,

 

We have a scenario where the CPPM is deployed in the remote site and all authentication sources, such as the AD/LDAP server, are in the Data Center site.

What if CPPM is unable to connect to the LDAP or AD server due to a WAN link failure? Will ClearPass be able to trigger fail open that will instruct the switch to trigger the critical VLAN in case the LDAP/AD server is unreachable from the CPPM?

 

Thanks

 

Guru Elite

Re: LDAP/AD Server Unreachable from CPPM support fail open?

Whether there is a "fail open" situation is more dependent on the NAS device that authenticates to CPPM. CPPM itself does not have a "fail open" option for authentication.



Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: LDAP/AD Server Unreachable from CPPM support fail open?

Also, keep in mind that most of our products support auth survivability in the latest versions. Check the release notes and user guides.

 

More importantly, I would question why you are placing a ClearPass server at a site and not an additional AD server. The fact that you need ClearPass there tells me that you either expect this link to go down or the link has high latency. If it is the latter, you will need an AD server there as well as ClearPass; otherwise RADIUS authentications will time out while we wait for a response from AD. This is not a fault of our products but is based on how Apple and Microsoft implement the 802.1X supplicant. There is a time limit after which no response will cause a new 802.1X auth attempt.

 

A safe number is 100ms or less latency.

Thanks,

Zach Jennings
Contributor I

Re: LDAP/AD Server Unreachable from CPPM support fail open?

Hi cjoseph/zjennings,

Thanks in advance. I understand the fail-open is dependent on the NAS device, and from what I understand of Authentication Survivability, if CPPM is not available, which means the NAS is unable to reach ClearPass, the user can still authenticate to the NAS device via EAP-PEAP, which is good for wireless deployments with CPPM.

My question is: if CPPM is located in the remote site, the authentication source is reached over the WAN link, and there is no backup Active Directory server in the remote site, the worst-case scenario is a WAN link failure. This means the NAS device is still able to communicate with the CPPM, but CPPM has lost its connection to the AD server. Can ClearPass somehow tell the switch to trigger the fail-open/critical VLAN even though there is reachability between CPPM and the NAS device?

 

 

Aruba Employee

Re: LDAP/AD Server Unreachable from CPPM support fail open?

No, that is not possible. Failure to authenticate (even due to AD being down) will send a RADIUS Reject.

However, you could OnBoard the devices and disable Authorization in the EAP-TLS method. This would allow those devices to continue authenticating without AD.

Or offer a PSK SSID with MAC auth for times when the WAN link goes down. We could use a custom SQL query to determine if the device successfully authenticated to the 802.1X SSID in the past X hours.

Just a thought.
Thanks,

Zach Jennings
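An added sketch of the kind of "has this MAC done 802.1X recently" query Zach describes, not code from the thread or from Aruba. It assumes a hypothetical table `auth_log` (columns `mac`, `ssid`, `auth_method`, `error_code`, `auth_time`), since the real Insight schema is not shown here, and assumes the ClearPass `%{Connection:Client-Mac-Address-NoDelim}` placeholder is usable in an authorization-source filter.

```sql
-- Hypothetical schema (NOT the real ClearPass Insight tables):
--   auth_log(mac, ssid, auth_method, error_code, auth_time)
-- Intended as an authorization-source filter for the fallback PSK/MAC-auth SSID:
-- returns a row only when the client completed a successful EAP authentication
-- on the corporate 802.1X SSID within the last 8 hours. No row = no match, so the
-- enforcement policy falls through to a reject rather than "failing open".
SELECT
    mac,
    MAX(auth_time) AS last_dot1x_success
FROM auth_log
WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')   -- assumed ClearPass attribute
  AND ssid = 'CORP-DOT1X'                                         -- constructed SSID name
  AND auth_method IN ('EAP-PEAP', 'EAP-TLS')                      -- only real 802.1X successes count
  AND error_code = 0                                              -- assumed: 0 means success
  AND auth_time >= NOW() - INTERVAL '8 hours'                     -- the "past X hours" window
GROUP BY mac;
```

Map the returned `last_dot1x_success` attribute to a role in the enforcement policy; the window keeps the fallback SSID limited to devices that already proved themselves while AD was reachable.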
Contributor I

Re: LDAP/AD Server Unreachable from CPPM support fail open?

Well noted. Thanks.