Security

Occasional Contributor II
Posts: 87
Registered: ‎11-27-2014

Recommended authentication source (AD or LDAP)

Hi

We are currently working on a project to replace a legacy Cisco ACS solution with a Clearpass solution for our corporate wireless authentication. Currently our security leaves a little to be desired and as such we want to address this with the Clearpass solution. Our current Cisco ACS solution makes use of an LDAP repository (it queries a global catalogue server) for user/device attributes.

Our plan is to have a global cluster of CPPM appliances, with two in three regions of the world, so six in total. Each region is served by a different domain with a trust established between them all.

With the above in mind, I was wondering what the recommended approach for the authentication source is: 1) join each of the CPPM appliances to its respective domain, or 2) continue with an LDAP GC repository. Our AD guys are suggesting the latter of the two, but documentation and other posts in the communities suggest option 1.

Also, what benefit do I gain from using one over the other?

Thanks


Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Recommended authentication source (AD or LDAP)

The best practice from a security standpoint would be using EAP-TLS and only leveraging AD or LDAP for authorization.

If that's not feasible and you need to stay with the legacy authentication methods (PEAPv0/EAP-MSCHAPv2 or EAP-TTLS), the answer varies. When you say LDAP, is this a separate identity store from your Active Directory?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 87
Registered: ‎11-27-2014

Re: Recommended authentication source (AD or LDAP)

Hi Tim,

Apologies, we are using EAP-TLS. It was the authorisation I was referring to, my bad.

The LDAP (in Cisco ACS) that I refer to is actually a reference to a global catalogue server that has a view of all objects in the forest (made up of the three domains).

I was trying to understand the benefit of moving away from this and joining the CPPMs to the domain, as opposed to just continuing with the LDAP lookup. Our AD guys are suggesting this is more efficient than performing an AD lookup for objects/attributes.

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Recommended authentication source (AD or LDAP)

Domain join is only required when using MSCHAP-based EAP methods. Since you're already using EAP-TLS, you're just doing LDAP binds to AD to pull in account info.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
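To make the EAP-TLS plus LDAP-for-authorization split concrete, here is an added illustration (not ClearPass code and not from the thread's author): after the client certificate has been validated, the identity taken from the certificate (assumed here to be the UPN from the Subject Alternative Name) is placed into an LDAP search filter for the global catalog, and the returned attributes decide the role. The directory contents, group DNs and role names are constructed sample data; the filter escaping follows RFC 4515 and the disabled-account test uses the standard bit-AND matching rule OID.

```python
"""EAP-TLS authorization lookup against an AD global catalog (illustration).

Added example. The identity comes from an already-validated client
certificate, so the only job left for the directory is authorization:
is the account known, enabled, and in a group that maps to a role?
"""
from dataclasses import dataclass
from typing import List, Optional

ACCOUNTDISABLE = 0x0002                  # userAccountControl bit: account disabled
UAC_BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# RFC 4515 escaping. The UPN is read from a certificate field, so treat it
# as untrusted before interpolating it into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_gc_filter(upn: str) -> str:
    """Filter sent to the GC (assumed port 3268/3269): match the user by UPN
    and require the account to be enabled."""
    return (
        "(&(objectClass=user)"
        f"(userPrincipalName={escape_filter_value(upn)})"
        f"(!(userAccountControl:{UAC_BIT_AND_RULE}:=2)))"
    )


@dataclass
class DirectoryEntry:
    """Subset of attributes an authorization lookup would request."""
    upn: str
    user_account_control: int
    member_of: List[str]


# Constructed stand-in for the objects a GC search could return.
SAMPLE_GC = [
    DirectoryEntry("alice@emea.example.com", 0x200,
                   ["CN=Wireless-Staff,OU=Groups,DC=example,DC=com"]),
    DirectoryEntry("bob@apac.example.com", 0x202,          # 0x200 | ACCOUNTDISABLE
                   ["CN=Wireless-Staff,OU=Groups,DC=example,DC=com"]),
    DirectoryEntry("carol@amer.example.com", 0x200,
                   ["CN=Contractors,OU=Groups,DC=example,DC=com"]),
]

# Constructed group-to-role mapping (first match wins, listed in priority order).
ROLE_BY_GROUP = [
    ("CN=Wireless-Staff,OU=Groups,DC=example,DC=com", "staff"),
    ("CN=Contractors,OU=Groups,DC=example,DC=com", "contractor"),
]


def search_gc(entries: List[DirectoryEntry], upn: str) -> Optional[DirectoryEntry]:
    """Evaluate the same conditions as build_gc_filter over the sample data.
    A real deployment sends the filter to the GC with a read-only bind account."""
    for entry in entries:
        if entry.upn.lower() != upn.lower():       # AD UPN matching is case-insensitive
            continue
        if entry.user_account_control & ACCOUNTDISABLE:
            continue
        return entry
    return None


def authorize(entries: List[DirectoryEntry], upn: str) -> str:
    """Map a certificate identity to a role; unknown or disabled accounts get 'deny'.

    A valid certificate alone is not enough: revocation lag and leavers are
    caught here because the directory, not the cert, is the source of truth."""
    entry = search_gc(entries, upn)
    if entry is None:
        return "deny"
    for group_dn, role in ROLE_BY_GROUP:
        if group_dn in entry.member_of:
            return role
    return "deny"


if __name__ == "__main__":
    print(build_gc_filter("alice@emea.example.com"))
    for user in ("alice@emea.example.com", "bob@apac.example.com", "nobody@example.com"):
        print(user, "->", authorize(SAMPLE_GC, user))
```

One caveat when the lookup stays on the global catalog rather than a domain controller: the GC carries only a partial attribute set and, for group membership, replicates universal groups forest-wide but holds global and domain local group membership only for the GC server's own domain, so role rules that depend on non-universal groups from the other two domains will not resolve there.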