Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ClearPass dependency on SMB1 protocol for AD join and authenticate users

  • 1.  ClearPass dependency on SMB1 protocol for AD join and authenticate users

    Posted Jun 02, 2017 08:55 AM

    Hi

     

    Does anybody here know if Aruba ClearPass policy servers are still dependent on SMB1 for domain join and authenticate users?

     

    I think our version is, as it just died when we tried to drop SMB1 and was a pain to get back working after rolling back the SMB1 disable change. I'm waiting on an official response from our Aruba solution provider but thought I'd post here too.

     

    I found this thread on here http://community.arubanetworks.com/t5/forums/v3_1/forumtopicpage/board-id/unified-wired-wireless-access/thread-id/40364/page/1 

    But it's old and I couldn't find any further information on whether the SMB1 dependency had been resolved.

     

    I'd like to get this confirmed before tweeting at Ned Pyle@Microsoft that Aruba ClearPass is #StillNeedsSMB1

     

    https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

     

    I hope I'm wrong and they have fixed it but I'm seeing a depressing list of big names that still need SMB1 for their *nix based products. 



  • 2.  RE: ClearPass dependency on SMB1 protocol for AD join and authenticate users
    Best Answer

    Posted Jun 02, 2017 09:55 AM

    This post from 2 weeks ago suggests that it's still required....

     



  • 3.  RE: ClearPass dependency on SMB1 protocol for AD join and authenticate users

    Posted Jun 02, 2017 09:56 AM

    Hi, thanks, I just found that thread 11 mins before you posted.



  • 4.  RE: ClearPass dependency on SMB1 protocol for AD join and authenticate users

    EMPLOYEE
    Posted Jun 02, 2017 10:11 AM

    SMBv1 is only required when MSCHAP-based authentication protocols are being used (username/password with PEAPv0/EAP-MSCHAPv2 as an example) and is only used between ClearPass and the domain controller(s). SMBv1 is not required on client devices for network authentication and should be disabled per Microsoft's recommendation.

     

    Most workflows and authentication methods used in ClearPass do not require domain join (and thus do not require SMB).

     

    Some examples include:

    • Modern certificate-based authentication via EAP-TLS
    • Captive portal workflows
    • Security Assertion Markup Language (SAML)
    • OAuth2
    • Cloud identity stores like Microsoft Azure Active Directory, Google G Suite, Ping and Okta Universal Directory

     

    Any questions can be directed to aruba-sirt@hpe.com

     

     



  • 5.  RE: ClearPass dependency on SMB1 protocol for AD join and authenticate users

    EMPLOYEE
    Posted Jul 26, 2017 04:50 PM

    Update: SMBv2 and SMBv3 support is available via a hotfix for ClearPass 6.6.7

     

    http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873