Occasional Contributor II
Posts: 11
Registered: ‎12-01-2014

Onboard with termination to the controller

I'm running into an odd issue. I currently have a single SSID set up that authenticates against 2 different 802.1x sources, and using a rule will assign a different VLAN based on which auth source. This works perfectly. But to do this I had to terminate at the controller. The problem here is that for some reason if I use a separate SSID to onboard devices, and then try to set it up so that they're onboarded to the SSID that is terminated at the controller, it fails to join the network. If I uncheck "termination" on the 802.1x profile, it works perfectly. The second I check that box, it fails to join. I'm assuming this is something to do with the certificate being valid for the ClearPass server, but not the controller? I'm out of my element when it gets to certificate stuff.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Onboard with termination to the controller

So is your goal to have a single SSID or dual SSID onboard scenario?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 11
Registered: ‎12-01-2014

Re: Onboard with termination to the controller

Dual. I have one specifically for onboarding which is a classic onboarding SSID, then a second that the configuration profile is configured to join after provisioned.

 

Occasional Contributor II
Posts: 11
Registered: ‎12-01-2014

Re: Onboard with termination to the controller

The other way I can try to go about it is to add the other RADIUS server as a RADIUS Proxy service to ClearPass, and then use enforcement rules to assign a VLAN. The problem I'm running into there is that I can't seem to get it to attempt a secondary type of authentication service if it rejects the first one. So depending if I set the ClearPass Service or the RADIUS Proxy service first, it will only attempt to auth there first, and if it gets a reject it won't attempt to auth against the next service in the list.

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Onboard with termination to the controller

[ Edited ]

You might want to:

 

1.  Add ClearPass to both domains

2.  In your service to authenticate 802.1x devices, make sure both domains show up under "authentication sources"

3.  Uncheck termination on the controller, so that the server certificate on ClearPass is what all devices see and trust.

4.  ClearPass should look for an account for an incoming authentication request in the first authentication source, and if it does not exist, move to the second.

5.  You could use the role mapping "if Authentication Source = AD1" then set a role of AD1.  Same thing if it is AD2

6.  Later in the Enforcement Policy, you can say if Role=AD1, then send back X enforcement profile with one attribute.  You can also say, if Role=AD2, then send back Y enforcement policy with a different RADIUS attribute to differentiate between devices that authenticated with each.

 

This is all assuming that ClearPass has a public certificate that both sets of clients trust, and can be used to onboard both.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
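A constructed model of the decision flow in the steps above (ordered authentication sources, role mapping on Authentication Source, enforcement keyed on role), added here as an illustration; it is not ClearPass code and nothing in it comes from the thread. It also shows the behaviour behind the earlier RADIUS Proxy complaint: a user not found in the first source falls through to the next, but a failed credential stops at the source that holds the account. Usernames, passwords, profile names and VLAN IDs are made up.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed directories standing in for the two AD domains (one account each).
AUTH_SOURCES = [
    ("AD1", {"alice": "pw-alice"}),
    ("AD2", {"bob": "pw-bob"}),
]

# Role mapping: "if Authentication Source = AD1 then role AD1", same for AD2.
ROLE_MAPPING = {"AD1": "AD1", "AD2": "AD2"}

# Enforcement policy: role -> enforcement profile with a differentiating RADIUS attribute.
ENFORCEMENT = {
    "AD1": {"profile": "X", "Tunnel-Private-Group-Id": "100"},  # VLAN IDs are assumptions
    "AD2": {"profile": "Y", "Tunnel-Private-Group-Id": "200"},
}


@dataclass
class Result:
    outcome: str                      # "ACCEPT" or "REJECT"
    source: Optional[str] = None      # source that handled the request, if any
    role: Optional[str] = None
    enforcement: dict = field(default_factory=dict)


def authenticate(username: str, password: str) -> Result:
    """Walk the sources in order. Not found -> try the next source.
    Found but credential fails -> reject at that source, no fall-through."""
    for name, accounts in AUTH_SOURCES:
        if username not in accounts:
            continue
        if accounts[username] != password:
            return Result("REJECT", source=name)
        role = ROLE_MAPPING[name]
        return Result("ACCEPT", source=name, role=role, enforcement=ENFORCEMENT[role])
    return Result("REJECT")  # account exists in neither source


if __name__ == "__main__":
    for user, pw in [("alice", "pw-alice"), ("bob", "pw-bob"), ("bob", "wrong"), ("carol", "x")]:
        print(user, authenticate(user, pw))
```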

Occasional Contributor II
Posts: 11
Registered: ‎12-01-2014

Re: Onboard with termination to the controller

Yeah, the problem with that solution is the ability to add CPPM to both domains. Presently, due to the control of the DC in the other organization, I currently only have the ability to add CPPM as a trusted RADIUS client, hence the reason for setting up a RADIUS proxy service. It'd be extremely simple if I could just join CPPM into the domain and add it as a second authentication source.

 

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Onboard with termination to the controller

[ Edited ]

I am not confident that there is a way to do it in another way.  Using Radius Proxy, you lose a great deal of flexibility as well as attributes to  make decisions on.  If you are using radius proxy, you cannot check to see if the AD account in the certificate is still active.  You would basically just be distributing certificates but you would not be able to tie them to an AD account in any way.

 

You probably have to have a heart-to-heart talk with the admin of that domain so this can be done properly.

 



Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Onboard with termination to the controller

What were their concerns about joining it to the domain? Maybe we can help.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 11
Registered: ‎12-01-2014

Re: Onboard with termination to the controller

Ok, they were able to give me a service account with access to the DC. I added this as an authentication source with the correct lookup. However, now when I add it as one of the authentication sources to my Service, when I check the Access Tracker it doesn't attempt to auth against that source, it just shows up as blank in the authentication sources. Do I have to join ClearPass to the domain under Server configuration in server manager? If so I'm running into an issue there as well.

 

I had the server guys here add the IP address of the domain controller on the other network to their local DNS, but when I join using the local DNS record name, it fails with the following message:

 

Adding host to AD domain...
INFO - Fetched REALM 'COMPANYNAME.ORG' from domain FQDN
'posservdc.COMPANYNAME.com'

INFO - Fetched the NETBIOS name 'POSSERV'
INFO - Creating domain directories for 'POSSERV'
Enter clrpath's password:
Failed to join domain: failed to lookup DC info for domain
'POSSERV.ORG' over rpc: Duplicate name on network
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'POSSERV'
ERROR - clearpass1.COMPANYNAME.com failed to join the domain POSSERV.ORG
with domain controller as posservdc.COMPANYNAME.com

Join domain failed

 

What concerns me is the existence of 2 discrete domains, and I'm attempting to use the DNS of one domain, to connect to the DC of another domain.

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Onboard with termination to the controller

1.  Yes you do need to join the domain separately in server manager, yes.

2.  You will then be able to add it as an AD authentication source, and then you will need to point to the IP address of a DC and have a read-only user in LDAP to search for user accounts.

3.  Once you do those two things, you can add the AD authentication source to the list of sources in the service.

 

 

You would need to point ClearPass at a DNS server that can resolve hosts in both domains for this to work properly, yes.  They have to set up their DNS server properly so that it can refer requests for one domain to another on the same DNS server.

 



Colin Joseph
Aruba Customer Engineering
