Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

LDAP For Operators login

  • 1.  LDAP For Operators login

    Posted Mar 29, 2013 05:08 PM

    I was trying to set this up like we did in our ClearPass Guest class, but I'm unable...

    Do we have to do something on the AD to make this work?

    I'm trying this on the ClearPass server:

    Server URL: ldap://172.16.3.31/ou=Users,ou=Grupos_Usuarios,dc=abc,dc=local

    bind dn = putting a user with domain administrative rights

    bind password = the password of that user

    I get this error:

    LDAP Bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0), bind DN was: cdelarosa

    Do I need to activate something on the AD to make this work? Or do I need something else?



  • 2.  RE: LDAP For Operators login
    Best Answer

    Posted Mar 31, 2013 02:48 PM

    "AcceptSecurityContext error, data 52e" means: invalid credentials.  This means your username or password is incorrect.

     

    If you are sure your password is correct, try specifying the DN of the bind user, instead of just the username.



  • 3.  RE: LDAP For Operators login

    Posted Mar 31, 2013 03:13 PM

    You mean like this?

    CN=cdelarosa,CN=Users,CN=Colaboradores,DC=abc,DC=local

     

    The user is cdelarosa.

    It's contained in

    Users

    Sub OU = Colaboradores

    The domain is abc.local

    I'm sure the password is correct... I even copied and pasted it to be sure I was typing it correctly.

    Error

    LDAP Bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C5,
    comment: AcceptSecurityContext error, data 52e, v23f0), bind DN was:
    CN=cdelarosa,CN=Users,CN=Colaboradores,DC=abc,DC=local



  • 4.  RE: LDAP For Operators login

    EMPLOYEE
    Posted Mar 31, 2013 06:32 PM

    Are you using any special characters in the password... :;>)+ There was a known issue with binding with a special character. Try using a simple password and see if that fixes the issue.

    From the Release Notes:

    "Domain join operations will fail if the domain password contains special characters such as a space, quotes, or a “$” symbol."



  • 5.  RE: LDAP For Operators login

    Posted Mar 31, 2013 07:13 PM

    Hello Arnold, I already tried that...

    My password had a dot, I mean .

    I made a new user without any character in the password, and it didn't work either...

    The configuration doesn't seem to be hard.

    On the server URL:

    ldap://172.16.3.31/ou=Users,ou=Grupos_Usuarios,dc=abc,dc=local

    That's the IP of the domain controller.

    Users is the OU that contains the group of the operators I designed, which is cpoperators; inside that group, my username is the one that belongs to that group.

    Now on the BN:

    CN=cpoperator,CN=Users,DC=abc,DC=local

    cpoperator is the user I'm using to authenticate; it is inside the OU Users in the domain abc.local

    Isn't that correct?

    Am I missing something?

    I could even join the domain with no issue with my user name...



  • 6.  RE: LDAP For Operators login

    Posted Apr 01, 2013 04:56 PM

    Maybe you need "OU=Users" rather than "CN=Users" ?

     

    Check your DN very carefully.



  • 7.  RE: LDAP For Operators login

    Posted Apr 03, 2013 09:15 PM

    I got it correctly on the amigopod server; I just made a typo when I was writing the message...

    So that's not it :(

     

     



  • 8.  RE: LDAP For Operators login

    Posted Apr 04, 2013 09:00 PM

    You were right, Amigodave.

    The guy at TAC did a dsquery, which solved it.

    But it was not that I was putting the wrong DN, because I was putting my user name as my login name, like cdelarosa.

    Instead it was Carlos De La Rosa

    CN=Carlos De La Rosa,OU=Colaboradores,OU=Users,DC=abc,DC=local

    I was using

    CN=cdelarosa,OU=Colaboradores,OU=Users,DC=alternetworks,DC=local

    In the end it was this last thing, my bad! I should have checked with dsquery.

     

    Anyways Thanks Amigodave
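
Added example (not part of any post in this thread, and not ClearPass or Aruba code): a small Python helper that decodes the `data` sub-code in the bind error quoted above and applies the two DN checks the thread arrived at, the `CN=Users` versus `OU=Users` mismatch and a leading CN that looks like a login name. The function names are hypothetical, the sub-code table is the commonly documented set of Active Directory values, and the hints are heuristics to check against the directory, not verdicts.

```python
import re

# Sub-codes Active Directory reports after "data" when a bind fails
# (hex Win32 logon error codes). All function names here are hypothetical.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

# Error text and Server URL base DN as posted in the thread.
SAMPLE_ERROR = """LDAP Bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C5,
comment: AcceptSecurityContext error, data 52e, v23f0), bind DN was:
CN=cdelarosa,CN=Users,CN=Colaboradores,DC=abc,DC=local"""
SAMPLE_BASE = "ou=Users,ou=Grupos_Usuarios,dc=abc,dc=local"

def decode_bind_error(message):
    """Return (sub-code, meaning, bind name) from the LDAP bind error text."""
    text = " ".join(message.split())  # undo line wrapping
    code = re.search(r"AcceptSecurityContext error, data ([0-9a-f]+)", text, re.I)
    name = re.search(r"bind DN was: (.+)$", text)
    sub = code.group(1).lower() if code else None
    return sub, AD_SUBCODES.get(sub, "unknown"), name.group(1) if name else None

def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(s.strip() for s in p.split("=", 1)) for p in parts if "=" in p]

def dn_hints(bind_name, base_dn):
    """Heuristics drawn from this thread; hints to check, not verdicts."""
    rdns = split_dn(bind_name)
    if not rdns:
        return ["bind name is not a DN; look up the full DN in the directory"]
    hints = []
    base = {v.lower(): t.upper() for t, v in split_dn(base_dn)}
    for t, v in rdns[1:]:
        if base.get(v.lower(), t.upper()) != t.upper():
            hints.append(f"{t}={v} appears as {base[v.lower()]}={v} in the search base")
    t, v = rdns[0]
    if t.upper() == "CN" and " " not in v:
        hints.append("leading CN looks like a login name; the CN may be the display name")
    return hints

if __name__ == "__main__":
    sub, meaning, name = decode_bind_error(SAMPLE_ERROR)
    print(sub, meaning, name, dn_hints(name, SAMPLE_BASE), sep="\n")
```

As the thread shows, the server returned 52e for a DN whose CN did not exist, so the sub-code alone does not tell a wrong password apart from a wrong bind DN.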



  • 9.  RE: LDAP For Operators login

    Posted Sep 03, 2013 04:11 PM

    Thanks tarnold for quoting the release notes to us -- I hadn't noticed that line.

     

    Banged my head for a day before I thought to look for an authentication error from CP to AD.