Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Why do you need to use a domain account to join Clearpass to a domain?

  • 1.  Why do you need to use a domain account to join Clearpass to a domain?

    Posted Feb 17, 2015 10:54 AM

    I'm curious as to why the domain admin account is needed to join ClearPass to a domain. By default standard users are able to join 10 PCs to the domain. I have created an account to use for CP to bind to AD and was planning on using that same account to join it to the domain. I was surprised to see that the join process requires the account to be a domain admin. Does that mean it must actually be the built-in "Administrator" account, or can it be an account that has been added to the Domain Admins group?



  • 2.  RE: Why do you need to use a domain account to join Clearpass to a domain?

    EMPLOYEE
    Posted Feb 17, 2015 11:10 AM

    It does require some elevated privileges.  Joining the domain allows CPPM to authenticate 802.1x methods that have MSCHAPv2 as the inner-EAP method such as PEAP.  This join procedure is done ONCE and only ONCE.  We do NOT save or cache the account used to join the node to AD.  


    When you are done, you can use a typical service account with a non-expiring password when you add AD as an authentication source.  This account will not need the same elevated privilege level.



  • 3.  RE: Why do you need to use a domain account to join Clearpass to a domain?

    Posted Feb 17, 2015 12:25 PM

    Thanks, Seth. I'm fully aware of how the process works, I'm just getting push back from our AD team about granting a user elevated rights to add the box (as Tim pointed out, we do not allow users to add devices to the domain)... and was looking for a reason for the restriction to pass on to our AD team.


    Thanks for the help.



  • 4.  RE: Why do you need to use a domain account to join Clearpass to a domain?

    EMPLOYEE
    Posted Feb 17, 2015 12:37 PM
    It's a one time thing. Can one of your AD admins just join it to the domain? 


    Thanks, 
    Tim


  • 5.  RE: Why do you need to use a domain account to join Clearpass to a domain?

    EMPLOYEE
    Posted Feb 17, 2015 02:31 PM

    I've run into this a few times.  Get them to add ClearPass to the domain and then show them that the password isn't cached or saved.  They can enter THEIR creds and add the node to the domain.  Once done, just add AD as an auth source using a service account... or some other account set up for CPPM.



  • 6.  RE: Why do you need to use a domain account to join Clearpass to a domain?

    Posted Feb 25, 2015 09:10 AM

    Giving the user account rights to add a PC to the domain and add/remove objects in the Computers container did not work. I did get it to work by giving the service account "Full Control" of the Computers container.

    Thanks for the help.



  • 7.  RE: Why do you need to use a domain account to join Clearpass to a domain?

    Posted Dec 10, 2018 08:49 PM

    May I know what kind of elevated privileges are required for this account to join the domain controller? My environment is very restricted and my AD team is asking me for the exact privileges. I even asked for admin privilege to be granted for 3 minutes to join the domain, and that was also not allowed. Can someone please help me out?




  • 8.  RE: Why do you need to use a domain account to join Clearpass to a domain?

    EMPLOYEE
    Posted Dec 11, 2018 08:43 AM

    Typically you would need to be able to add and modify computers to the domain, so a user with only add privileges would not work.  Please see here for common reasons why domain adds fail to get an idea of what is needed:  https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Common-ClearPass-domain-join-errors/ta-p/192591 and https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-join-ClearPass-to-an-Active-Directory-domain/ta-p/187614
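    As an added example (not from this thread or from HPE Aruba): a PowerShell delegation on the default Computers container that grants only the "add and modify computer objects" rights described above, rather than Domain Admins membership or the Full Control that worked in reply 6. The account name is a placeholder, and it is an assumption that this narrower set is enough for the ClearPass join, so verify it in a lab.

```powershell
# Added example (not from the thread): delegate on the default Computers container
# the narrow set of rights the replies describe -- add Computer objects, and modify
# those objects -- so the ClearPass join account needs neither Domain Admins nor
# Full Control. Account name is a placeholder; whether this set satisfies the
# ClearPass join in every version is an assumption, so test it in a lab first.
Import-Module ActiveDirectory

$JoinAccount = 'CONTOSO\svc-cppm-join'                 # placeholder account name
$Container   = (Get-ADDomain).ComputersContainer       # CN=Computers,DC=...
$Path        = "AD:\$Container"                        # AD: drive from the AD module

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Sid    = ([System.Security.Principal.NTAccount]$JoinAccount).Translate(
              [System.Security.Principal.SecurityIdentifier])

# Well-known schema GUIDs (identical in every forest).
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # Computer class
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password right

$acl  = Get-Acl -Path $Path
$Rule = [System.DirectoryServices.ActiveDirectoryAccessRule]

# 1. On the container: create (and delete) Computer objects only, nothing else.
$acl.AddAccessRule($Rule::new($Sid, ($Rights::CreateChild -bor $Rights::DeleteChild),
                              $Allow, $ComputerClass, $Inh::None))

# 2. On Computer objects beneath it: write attributes (dNSHostName, SPNs,
#    userAccountControl, ...) and set the machine password. GenericWrite carries no
#    WriteDacl/WriteOwner, which is what separates this from Full Control.
$acl.AddAccessRule($Rule::new($Sid, $Rights::GenericWrite, $Allow,
                              $Inh::Descendents, $ComputerClass))
$acl.AddAccessRule($Rule::new($Sid, $Rights::ExtendedRight, $Allow,
                              $ResetPassword, $Inh::Descendents, $ComputerClass))

Set-Acl -Path $Path -AclObject $acl

# Report the resulting ACEs so the AD team can review exactly what was granted.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritanceType, InheritedObjectType -AutoSize
```

If the join still fails with this set, the two Aruba articles linked above list the remaining common causes; widen the grant one right at a time rather than jumping to Full Control.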




  • 9.  RE: Why do you need to use a domain account to join Clearpass to a domain?

    EMPLOYEE
    Posted Feb 17, 2015 11:22 AM
    If you allow end users to join clients to the domain (most don't), then you should be OK to use that account.