Occasional Contributor II
Posts: 15
Registered: ‎09-16-2014

Why do you need to use a domain account to join Clearpass to a domain?

I'm curious as to why the domain admin account is needed to join ClearPass to a domain. By default standard users are able to join 10 PCs to the domain. I have created an account to use for CP to bind to AD and was planning on using that same account to join it to the domain. I was surprised to see the join process requires the account to be a domain admin. Does that mean it must actually be the built-in "Administrator" account or can it be an account that has been added to the Domain Admins group?

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Why do you need to use a domain account to join Clearpass to a domain?

It does require some elevated privileges. Joining the domain allows CPPM to authenticate 802.1X methods that have MSCHAPv2 as the inner EAP method, such as PEAP. This join procedure is done ONCE and only ONCE. We do NOT save or cache the account used to join the node to AD.

When you are done, you can use a typical service account with a non-expiring password when you add AD as an authentication source. This account will not need the same elevated privilege level.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: Why do you need to use a domain account to join Clearpass to a domain?

If you allow end users to join clients to the domain (most don't), then you
should be ok to use that account.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 15
Registered: ‎09-16-2014

Re: Why do you need to use a domain account to join Clearpass to a domain?

Thanks, Seth. I'm fully aware of how the process works; I'm just getting pushback from our AD team about granting a user elevated rights to add the box (as Tim pointed out, we do not allow users to add devices to the domain)... and was looking for a reason for the restriction to pass on to our AD team.

Thanks for the help.

Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: Why do you need to use a domain account to join Clearpass to a domain?

It's a one time thing. Can one of your AD admins just join it to the domain? 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Why do you need to use a domain account to join Clearpass to a domain?

I've run into this a few times. Get them to add ClearPass to the domain and then show them that the password isn't cached or saved. They can enter THEIR creds and add the node to the domain. Once done, just add AD as an auth source using a service account... or some other account set up for CPPM.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 15
Registered: ‎09-16-2014

Re: Why do you need to use a domain account to join Clearpass to a domain?

Giving the user account rights to add a PC to the domain and add/remove objects in the Computers container did not work. I did get it to work by giving the service account "Full Control" of the Computers container.

Thanks for the help.
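Added example (not from anyone in this thread, and not Aruba/ClearPass code): the last post ends with a service account holding "Full Control" of the Computers container. Before an AD team accepts that, they usually want to see exactly what was granted, whether it is scoped to computer objects or to everything in the container, and whether it was inherited from higher up. The PowerShell below reads the container's ACL and flags Full Control (GenericAll) grants. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the container's security descriptor; the function name `Get-ComputersContainerGrants` is my own. The computer-class schema GUID is the well-known value `bf967a86-0de6-11d0-a285-00aa003049e2`.

```powershell
# Audit the ACL on CN=Computers and flag over-broad grants.
# Added example; assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

function Get-ComputersContainerGrants {
    # Schema GUID of the 'computer' object class: a grant whose ObjectType
    # equals this applies only to computer objects, not to every child type.
    $computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

    $domainDn    = (Get-ADDomain).DistinguishedName
    $computersDn = "CN=Computers,$domainDn"
    $acl         = Get-Acl -Path "AD:\$computersDn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights = $ace.ActiveDirectoryRights

        # What the ACE applies to: computer objects only, or any child type
        $scope = if ($ace.ObjectType -eq $computerClassGuid) { 'computer objects only' }
                 elseif ($ace.ObjectType -eq [guid]::Empty)  { 'all object types' }
                 else                                        { "objectType $($ace.ObjectType)" }

        # GenericAll is what the GUI shows as "Full Control"
        $hasFullControl = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0)
        $hasCreateChild = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0)

        $note = if ($hasFullControl) { 'OVER-BROAD: Full Control on the container' }
                elseif ($hasCreateChild -and $ace.ObjectType -eq $computerClassGuid) { 'scoped: create computer objects' }
                else { '' }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference
            Rights    = $rights
            AppliesTo = $scope
            Inherited = $ace.IsInherited
            Note      = $note
        }
    }
}

# Show every Allow ACE on the Computers container, with over-broad grants flagged
Get-ComputersContainerGrants | Sort-Object Inherited, Identity | Format-Table -AutoSize
```

Run it as a user that can read the container's ACL (reading the security descriptor does not need domain-admin rights in a default domain). Because the thread states the join is a one-time operation and the account used is not cached by CPPM, the output is also the list an AD team would use to decide whether a broad grant added for the join can be removed afterwards, leaving the service account with only the read access it needs as an authentication source.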
